ipfl - IPFilter on AIX
Warnings
UPDATE: Turns out there are fixes to the version shipped in the 7.1 Expansion Pack. The latest fix is installed and ipf/ipnat is running again, waiting for the errors to come up again... No errors after 3 hours.
The following problems apply only to the base level version, 5.3.0.0. Make sure you update the fileset!
The IBM-supplied fileset has not been maintained and it seems to induce several errors. I do not recommend the use of ipfl.rte, based on the problems I found:
- the use of ipnat for port redirection generates transmit errors, resulting in a terrible lag in most network programs
- the use of (certain?) filters may lead to unexpected behaviour, namely problems with name resolution and outgoing ping
- see also below at 'Error messages'
Fileset history
IBM Fileset information for: ipfl.rte
To date: ipfl.rte.5.3.0.3 -> U808732.bff
It fixed the following APARs:
IZ63401: IP FILTER PANICS ON 6.1 - United States
IZ43944: IPMON DISPLAYS INCORRECT DATE IN ITS OUTPUT
Download the latest fileset version via fixget
Documentation, references
IP Filter - TCP/IP Firewall/NAT Software
Hardening AIX - tűzfal (firewall), in Hungarian, by Huncraft
Version
In ipfl.rte 5.3.0.0 from the AIX 7.1 Expansion Pack, May 2012:
# /usr/sbin/ipf -V
ipf: IP Filter: v4.1.13 (480)
while on the IPFilter home page (Oct 2012): "Last 4.1 Release: 4.1.35"
Filesets
Runtime: ipfl.rte
Binaries
/usr/sbin/ipf /usr/sbin/ipf64
/usr/sbin/ipfs /usr/sbin/ipfs64
/usr/sbin/ipmon /usr/sbin/ipmon64
/usr/sbin/ipnat /usr/sbin/ipnat64
/usr/sbin/ippool /usr/sbin/ippool64
/usr/sbin/ipscan /usr/sbin/ipscan64
/usr/sbin/ipfstat /usr/sbin/ipfstat64
/usr/sbin/ipsyncm /usr/sbin/ipsyncm64
/usr/sbin/ipsyncs /usr/sbin/ipsyncs64
Manuals: ipfl.man.en_US
ipf ipfilter ipfs ipfstat ipl ipmon ipnat ippool ipscan
No manual for: ipftest(1), mkfilters(1)
Commands - ipf
Synopsis
ipf [ -6AcdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <optionlist> ] [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]
enable
# ipf -E
disable
# ipf -D
flush filter list
# ipf -Fa
dry-run, "nochange" operation
# ipf -n ...
display filter related kernel tunables list
# ipf -T list
reset stats
# ipf -z
IBM instructions
Documentation: /usr/lpp/ipfl/IPFL.README
"These are AIX specific instructions, for ipfilters kernel extension.
1. To load the ipfilters kernel extension,
# /usr/lib/methods/cfg_ipf -l
2. To unload the ipfilters kernel extension,
# /usr/lib/methods/cfg_ipf -u
3. When NAT is enabled (or when packet forwarding is expected), ipforwarding
needs to be enabled on the system.
# no -o ipforwarding=1
All the commands like ipfstat, ipnat, etc. reside in /usr/sbin directory.
Kernel extension itself resides in /usr/lib/drivers (as 'ipf')."
Error messages
When the kernext is not loaded:
# ipfstat -in
open(IPSTATE_NAME): No such file or directory
# ipf -V
ipf: IP Filter: v4.1.13 (480)
open device: No such file or directory
Version 5.3.0.0 on 7.1: I'm getting these errors on my Gigabit interface running in auto-negotiation since the kernel module has been loaded (no filters in effect):
LABEL: GOENT_TX_ERR
IDENTIFIER: 4FC185D1
...
VPD:
2-Port 10/100/1000 Base-TX PCI-X Adapter:
Network Address.............0011112233445566
ROM Level.(alterable).......DV0210
Description
TRANSMIT FAILURE
Recommended Actions
PERFORM PROBLEM DETERMINATION PROCEDURES
Detail Data
FILE NAME
line: 1985 file: goent_tx.c
...
On another system, I found the following problems while packet filtering was in effect:
- 'flapping' name resolution: remote hosts are sometimes OK, sometimes unresolvable from external (ISP) nameservers
- every second outgoing ping fails with 'sendto: The file access permissions do not allow the specified action'
- eventually the traffic got blocked even on the allowed ports
- all the above on ipfl.rte version 5.3.0.0, AIX 5.3 TL10 (up to date at the time of occurrence)
- none of the mentioned problems occurred without ipf, either before or afterwards
Configuration
Kernel extension and special devices
Load
# /usr/lib/methods/cfg_ipf -l
Major 24
devno 0
Query
# /usr/lib/methods/cfg_ipf -q
Major 24
devno 0
Kernel module ID: 1353592832
# genkex | grep ipf
6790000 40000 /usr/lib/drivers/ipf
# ls -ltr /dev/ip*
crw------- 2 root system 23, 0 Aug 30 16:46 /dev/ipldevice
crw-rw---- 2 root system 10, 1 Aug 30 16:46 /dev/ipl_blv
crw------- 1 root system 24, 2 Oct 09 15:41 /dev/ipstate
crw------- 1 root system 24, 1 Oct 09 15:41 /dev/ipnat
crw------- 1 root system 24, 0 Oct 09 15:41 /dev/ipl
crw------- 1 root system 24, 3 Oct 09 15:41 /dev/ipauth
crw------- 1 root system 24, 4 Oct 09 15:41 /dev/ipsync
crw------- 1 root system 24, 5 Oct 09 15:41 /dev/ipscan
crw------- 1 root system 24, 6 Oct 09 15:41 /dev/iplookup
IP Filter
List filters in effect for input
# ipfstat -i
empty list for ipfilter(in)
List general statistics
# ipfstat
bad packets: in 0 out 0
input packets: blocked 0 passed 262 nomatch 201 counted 0 short 0
output packets: blocked 0 passed 169 nomatch 16 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 61 (out): 153
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 0
Packet log flags set: (0)
none
Example: Port redirection with ipnat
Load the kernel extension first.
Edit the config file (filename is optional, I use /etc/ipnat.conf)
I wanted to redirect port 443 on interface en1 to port 22:
rdr en1 0/0 port 443 -> 127.0.0.1 port 22 tcp/udp
Flush previous filters as necessary
# ipnat -FC
0 entries flushed from NAT table
0 entries flushed from NAT list
Test and load configuration
# ipnat -nf /etc/ipnat.conf
# ipnat -f /etc/ipnat.conf
List active filters
# ipnat -l
List of active MAP/Redirect filters:
rdr en1 0.0.0.0/0 port 443 -> 127.0.0.1 port 22 tcp/udp
List of active sessions:
RDR 127.0.0.1 22 <- -> 10.6.101.171 443 [94.228.106.9 36832]
Make sure the setting is permanent by following the IBM document (inittab entry) or by creating a script for sysvinit (rc2.d)
Note that you do NOT need to set 'no -p -o ipforwarding=1' for the redirection to work.
Example: Packet filtering with ipf
The syntax is the same as with the stock ipfilter. The rules can be tested with 'ipf -nf /your/conffile' and loaded with 'ipf -f /your/conffile'.
block in all
block in quick all with ipopts
pass out on en0 from any to any keep state
pass in on en0 proto tcp from any to any port = 22 flags S/SA keep state
pass in on en0 proto icmp from any to any icmp-type echo
pass in on en0 proto icmp from any to any icmp-type echorep
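The following rc2.d-style script is an added example, not code from this page, from IBM or from the ipfl fileset. It ties together the ipnat redirection and ipf filtering procedures above: it loads the kernel extension only when cfg_ipf -q says it is missing, dry-runs both rule files with -n before loading anything, enables the filter only after the rules are in place, and on reload uses the -I (inactive list) and -s (swap) flags from the synopsis so the filter is never left empty while rules are replaced. /etc/ipf.conf and the ipfl_* function names are assumptions; /etc/ipnat.conf is the name used in the ipnat example. Commands are looked up through PATH (on AIX they are in /usr/sbin and /usr/lib/methods).

```shell
#!/bin/sh
# Added example (not from this page, IBM or the ipfl fileset): an rc2.d-style
# start/stop/reload/status script for ipfl on AIX.
# Assumed file names: /etc/ipf.conf for ipf rules, /etc/ipnat.conf for ipnat
# rules. Commands are found via PATH so the functions can be run with stubs.
PATH=/usr/sbin:/usr/lib/methods:/usr/bin:/bin:$PATH
IPF_CONF=${IPF_CONF:-/etc/ipf.conf}
IPNAT_CONF=${IPNAT_CONF:-/etc/ipnat.conf}

# True when the ipf kernel extension is loaded: cfg_ipf -q then prints
# "Major <n>" (see "Kernel extension and special devices").
ipfl_loaded() {
    cfg_ipf -q 2>/dev/null | grep '^Major ' >/dev/null
}

# Parse both rule files with -n (no change) before touching the live filter:
# a file that does not parse stops the script here, so a typo never leaves
# the host with a half-loaded rule set.
ipfl_check_rules() {
    if [ ! -r "$IPF_CONF" ]; then
        echo "ipfl: cannot read $IPF_CONF" >&2
        return 1
    fi
    if ! ipf -nf "$IPF_CONF" >/dev/null; then
        echo "ipfl: $IPF_CONF does not parse" >&2
        return 1
    fi
    if [ -r "$IPNAT_CONF" ] && ! ipnat -nf "$IPNAT_CONF" >/dev/null; then
        echo "ipfl: $IPNAT_CONF does not parse" >&2
        return 1
    fi
}

# NAT rules have no inactive list, so they are flushed and reloaded in place.
ipfl_load_nat() {
    [ -r "$IPNAT_CONF" ] || return 0
    ipnat -FC >/dev/null            # flush NAT table and rule list
    ipnat -f "$IPNAT_CONF"
}

ipfl_start() {
    ipfl_loaded || cfg_ipf -l >/dev/null || return 1   # load kernext once
    ipfl_check_rules || return 1
    ipf -Fa >/dev/null 2>&1         # drop whatever was loaded before
    ipf -f "$IPF_CONF" || return 1
    ipfl_load_nat || return 1
    ipf -E >/dev/null 2>&1          # enable only after the rules are in place
}

# Reload without a window in which the filter is empty: load the new rules
# into the inactive list (-I), then swap active and inactive lists (-s).
ipfl_reload() {
    if ! ipfl_loaded; then
        echo "ipfl: kernel extension not loaded, use start" >&2
        return 1
    fi
    ipfl_check_rules || return 1
    ipf -I -Fa >/dev/null 2>&1
    ipf -I -f "$IPF_CONF" || return 1
    ipf -s >/dev/null || return 1
    ipfl_load_nat
}

ipfl_stop() {
    ipfl_loaded || return 0
    ipf -D >/dev/null 2>&1          # disable filtering
    ipnat -FC >/dev/null 2>&1
    ipf -Fa >/dev/null 2>&1
    cfg_ipf -u >/dev/null
}

# Checking ipfl_loaded first avoids the bare "open(IPSTATE_NAME): No such
# file or directory" from ipfstat; exit 3 is the usual "not running" code.
ipfl_status() {
    if ! ipfl_loaded; then
        echo "ipfl: kernel extension not loaded"
        return 3
    fi
    ipfstat -io
    ipnat -l
}

ipfl_main() {
    case "$1" in
        start)   ipfl_start ;;
        stop)    ipfl_stop ;;
        reload)  ipfl_reload ;;
        restart) ipfl_stop && ipfl_start ;;
        status)  ipfl_status ;;
        *) echo "usage: $0 {start|stop|reload|restart|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with an argument (e.g. from /etc/rc.d/rc2.d).
if [ $# -gt 0 ]; then
    ipfl_main "$@"
fi
```

Install it under /etc/rc.d/rc2.d as an S and a K link (the link names are your choice), and keep the rule files readable by root only, since ipnat -l prints the redirections to anyone who can run it. The dry-run step is the part worth keeping even if you use IBM's inittab entry instead: ipf -nf and ipnat -nf parse the file exactly as a real load would, so a rule that fails there fails before the host is left half-filtered.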