How To
Summary
System Admins might need to use the viosecure firewall to deny access to a service from all IPs except a specific IP.
Objective
This technote gives an example of how to deny access to a service from all IPs except the IPs specified by the System Admin.
Environment
Virtual I/O Server
Steps
/etc/services lists the services that can be denied or allowed; check this file for the name of the service to deny or allow.
The /home/ios/security/viosecure.ctl file lists all of the ports that are allowed access by default when the firewall is activated on the VIOS (this is the default behavior).
One of these services is ssh: it is allowed for all IPs because it is listed in /home/ios/security/viosecure.ctl.
To deny ssh to the VIOS from all IPs except a specific IP, use the following steps:
$ viosecure -firewall on -reload
Reloads the firewall and allows all the services listed in /home/ios/security/viosecure.ctl.
$ viosecure -firewall deny -port ssh
Removes the ssh service from the firewall entirely, for all IPs (it is no longer listed in the output of viosecure -firewall view).
$ viosecure -firewall allow -port ssh -address 10.0.0.131
Allows only the IP 10.0.0.131 to ssh to the VIOS on port 22. Repeat this command for every IP that must be allowed to ssh to this VIOS.
Related Information
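The steps above must run in a fixed order: the deny removes the service for every address, so each allow has to follow it, and an allow for a mistyped address leaves nobody able to reach the service. The POSIX sh script below is an added example, not part of the IBM technote and not IBM code; it validates each address, prints the viosecure command sequence for a service and a list of addresses, and only executes the commands when the hypothetical VIOS_APPLY=1 environment variable is set, so everywhere else it is a dry run. The service name and addresses used in the calls are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the IBM technote): build and optionally apply
# the viosecure deny-then-allow sequence for one service.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise. Validating
# before applying matters because the deny step removes the service for
# every address; an allow for a typo'd address would not restore access.
is_ipv4() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print, one per line, the viosecure commands for service $1 and the
# addresses $2...; fails without printing anything if an address is bad.
# The deny comes first because it drops the service for all addresses;
# each allow then re-adds it for exactly one address.
build_rules() {
    service=$1
    shift
    [ -n "$service" ] || return 1
    [ $# -ge 1 ] || return 1
    for a in "$@"; do
        is_ipv4 "$a" || return 1
    done
    printf 'viosecure -firewall on -reload\n'
    printf 'viosecure -firewall deny -port %s\n' "$service"
    for a in "$@"; do
        printf 'viosecure -firewall allow -port %s -address %s\n' "$service" "$a"
    done
}

# Run the sequence on the VIOS only when VIOS_APPLY=1 (a hypothetical
# variable for this example); otherwise echo each command as a dry run.
apply_rules() {
    rules=$(build_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        if [ "${VIOS_APPLY:-0}" = 1 ]; then
            $cmd
        else
            printf 'dry-run: %s\n' "$cmd"
        fi
    done
}

# Usage: ./restrict_service.sh ssh 10.0.0.131 10.0.0.132
# (constructed sample values; omit arguments to load the functions only)
if [ $# -gt 0 ]; then
    apply_rules "$@" || { echo "invalid service or address list" >&2; exit 1; }
fi
```

Run it once as a dry run to review the exact command list, then re-run with VIOS_APPLY=1 from the padmin session on the VIOS; the address you administer from should be among the allowed addresses, because the deny step applies to every IP.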
Document Location
Worldwide
Document Information
Modified date:
12 July 2022
UID
ibm16603069