ipfl - IPFilter on AIX

Warnings

UPDATE: Turns out there are fixes to the version shipped in the 7.1 Expansion Pack. The latest fix is installed and ipf/ipnat is running again; waiting for the errors to come up again... No errors after 3 hours.

The following problems apply only to the base-level version, 5.3.0.0. Make sure you update the fileset!

The IBM-supplied fileset has not been maintained and seems to induce several errors. I do not recommend the use of ipfl.rte, based on the problems I found:

- the use of ipnat for port redirection generates transmit errors, resulting in terrible lag in most network programs

- the use of (certain?) filters may lead to unexpected behaviour, namely problems with name resolution and outgoing ping

- see also below at 'Error messages'

Fileset history

IBM Fileset information for: ipfl.rte

To date: ipfl.rte.5.3.0.3 -> U808732.bff

It fixed the following APARs:

IZ63401: IP FILTER PANICS ON 6.1

IZ43944: IPMON DISPLAYS INCORRECT DATE IN ITS OUTPUT

Download latest fileset version via fixget

Documentation, references

An IPFilter for AIX FAQ

IP Filter - TCP/IP Firewall/NAT Software

Hardening AIX - firewall (in Hungarian) by Huncraft

Version

In ipfl.rte 5.3.0.0 from the AIX 7.1 Expansion Pack, May 2012:

# /usr/sbin/ipf -V
ipf: IP Filter: v4.1.13 (480)

while on the IPFilter home page (Oct 2012): "Last 4.1 Release: 4.1.35"

Filesets

Runtime: ipfl.rte

Binaries

/usr/sbin/ipf /usr/sbin/ipf64

/usr/sbin/ipfs /usr/sbin/ipfs64

/usr/sbin/ipmon /usr/sbin/ipmon64

/usr/sbin/ipnat /usr/sbin/ipnat64

/usr/sbin/ippool /usr/sbin/ippool64

/usr/sbin/ipscan /usr/sbin/ipscan64

/usr/sbin/ipfstat /usr/sbin/ipfstat64

/usr/sbin/ipsyncm /usr/sbin/ipsyncm64

/usr/sbin/ipsyncs /usr/sbin/ipsyncs64

Manuals: ipfl.man.en_US

ipf ipfilter ipfs ipfstat ipl ipmon ipnat ippool ipscan

No manual pages for ipftest(1) and mkfilters(1).

Commands - ipf

Synopsis

ipf [ -6AcdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <optionlist> ] [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

enable

# ipf -E

disable

# ipf -D

flush filter list

# ipf -Fa

dry run ("no change" operation): parse the rules without applying them

# ipf -n ...

display filter related kernel tunables list

# ipf -T list

reset stats

# ipf -z

IBM instructions

Documentation: /usr/lpp/ipfl/IPFL.README

"These are AIX specific instructions, for ipfilters kernel extension.

1. To load the ipfilters kernel extension,

# /usr/lib/methods/cfg_ipf -l

2. To unload the ipfilters kernel extension,

# /usr/lib/methods/cfg_ipf -u

3. When NAT is enabled (or when packet forwarding is expected), ipforwarding needs to be enabled on the system.

# no -o ipforwarding=1

All the commands like ipfstat, ipnat, etc. reside in /usr/sbin directory.

Kernel extension itself resides in /usr/lib/drivers (as 'ipf')."

Error messages

When the kernext is not loaded:

# ipfstat -in
open(IPSTATE_NAME): No such file or directory
# ipf -V
ipf: IP Filter: v4.1.13 (480)
open device: No such file or directory

Version 5.3.0.0 on 7.1: I'm getting these errors on my Gigabit interface running in auto-negotiation ever since the kernel module was loaded (no filters in effect):

LABEL:          GOENT_TX_ERR
IDENTIFIER:     4FC185D1
...
VPD:             
      2-Port 10/100/1000 Base-TX PCI-X Adapter:
        Network Address.............0011112233445566
        ROM Level.(alterable).......DV0210
Description
TRANSMIT FAILURE
        Recommended Actions
        PERFORM PROBLEM DETERMINATION PROCEDURES
Detail Data
FILE NAME
line: 1985 file: goent_tx.c
...

On another system, I found the following problems while packet filtering was in effect:

- 'flapping' name resolution: remote hosts are sometimes resolvable, sometimes unresolvable via the external (ISP) nameservers

- every second outgoing ping fails with 'sendto: The file access permissions do not allow the specified action'

- eventually the traffic got blocked even on the allowed ports

- all of the above on ipfl.rte version 5.3.0.0, AIX 5.3 TL10 (up to date at the time of occurrence)

- none of the mentioned problems occurred without ipf, either before or afterwards

Configuration

Kernel extension and special devices

Load

# /usr/lib/methods/cfg_ipf -l
Major 24
devno 0

Query

# /usr/lib/methods/cfg_ipf -q
Major 24
devno 0
Kernel module ID: 1353592832
# genkex | grep ipf
         6790000    40000 /usr/lib/drivers/ipf
# ls -ltr /dev/ip*
crw-------    2 root     system       23,  0 Aug 30 16:46 /dev/ipldevice
crw-rw----    2 root     system       10,  1 Aug 30 16:46 /dev/ipl_blv
crw-------    1 root     system       24,  2 Oct 09 15:41 /dev/ipstate
crw-------    1 root     system       24,  1 Oct 09 15:41 /dev/ipnat
crw-------    1 root     system       24,  0 Oct 09 15:41 /dev/ipl
crw-------    1 root     system       24,  3 Oct 09 15:41 /dev/ipauth
crw-------    1 root     system       24,  4 Oct 09 15:41 /dev/ipsync
crw-------    1 root     system       24,  5 Oct 09 15:41 /dev/ipscan
crw-------    1 root     system       24,  6 Oct 09 15:41 /dev/iplookup

IP Filter

List filters in effect for input

# ipfstat -i
empty list for ipfilter(in)

List general statistics

# ipfstat
bad packets:            in 0    out 0
 input packets:         blocked 0 passed 262 nomatch 201 counted 0 short 0
output packets:         blocked 0 passed 169 nomatch 16 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  61      (out):  153
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      0
Packet log flags set: (0)
        none

Example: Port redirection with ipnat

Load the kernel extension first.

Edit the config file (the filename is optional; I use /etc/ipnat.conf).

I wanted to redirect port 443 on interface en1 to port 22:

rdr en1 0/0 port 443 -> 127.0.0.1 port 22 tcp/udp

Flush the previous filters as necessary:

# ipnat -FC
0 entries flushed from NAT table
0 entries flushed from NAT list

Test (dry run) and then load the configuration:

# ipnat -nf /etc/ipnat.conf
# ipnat -f /etc/ipnat.conf

List active filters

# ipnat -l
List of active MAP/Redirect filters:
rdr en1 0.0.0.0/0 port 443 -> 127.0.0.1 port 22 tcp/udp
List of active sessions:
RDR 127.0.0.1       22    <- -> 10.6.101.171   443   [94.228.106.9 36832]

Make the setting permanent by following the IBM document (inittab entry) or by creating a script for sysvinit (rc2.d).

Note that you do NOT need to set 'no -p -o ipforwarding=1' for the redirection to work.

Example: Packet filtering with ipf

The syntax is the same as with the stock IPFilter. The rules can be tested with 'ipf -nf /your/conffile' and loaded with 'ipf -f /your/conffile'.

block in all
block in quick all with ipopts
pass out on en0 from any to any keep state
pass in on en0 proto tcp from any to any port = 22 flags S/SA keep state
pass in on en0 proto icmp from any to any icmp-type echo
pass in on en0 proto icmp from any to any icmp-type echorep
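The ipnat and ipf procedures above (load the kernel extension, dry-run the rules with -n, load them, and make the setup permanent from rc2.d) collected into one start/stop script. This is an added example, not the page's or IBM's script; it assumes the filter rules live in /etc/ipf.conf and the NAT rules in /etc/ipnat.conf, and it refuses to start on a fileset below the 5.3.0.3 level the page recommends over the base 5.3.0.0.

```shell
#!/bin/sh
# rc2.d-style start/stop script for IPFilter on AIX. Added example, not from the
# page or IBM; assumed paths /etc/ipf.conf (filter rules) and /etc/ipnat.conf (NAT).
IPF_CONF=/etc/ipf.conf
IPNAT_CONF=/etc/ipnat.conf
MIN_LEVEL=5.3.0.3   # fixed fileset level the page recommends over base 5.3.0.0

# version_ge A B: true when dotted version A is >= B (missing fields count as 0).
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Refuse the base-level fileset the page warns about. lslpp -Lqc prints
# colon-separated fields; the fileset level is assumed to be field 3.
check_fileset() {
    level=$(lslpp -Lqc ipfl.rte 2>/dev/null | cut -d: -f3)
    [ -n "$level" ] || { echo "ipfl.rte is not installed" >&2; return 1; }
    version_ge "$level" "$MIN_LEVEL" && return 0
    echo "ipfl.rte $level is below $MIN_LEVEL, update the fileset first" >&2
    return 1
}

start() {
    check_fileset || return 1
    /usr/lib/methods/cfg_ipf -l || return 1               # load kernel extension
    /usr/sbin/ipf -nf "$IPF_CONF" >/dev/null || return 1  # dry run rejects bad rules
    /usr/sbin/ipf -Fa && /usr/sbin/ipf -f "$IPF_CONF" || return 1
    /usr/sbin/ipf -E || return 1                          # enable after rules are in
    if [ -f "$IPNAT_CONF" ]; then
        /usr/sbin/ipnat -nf "$IPNAT_CONF" >/dev/null || return 1
        /usr/sbin/ipnat -FC && /usr/sbin/ipnat -f "$IPNAT_CONF" || return 1
    fi
    /usr/sbin/ipmon -Ds                                    # forward ipf log records to syslog
}

stop() {
    /usr/sbin/ipnat -FC; /usr/sbin/ipf -Fa; /usr/sbin/ipf -D
    /usr/lib/methods/cfg_ipf -u
}

if [ $# -gt 0 ]; then    # no action given: only define the functions
    case $1 in start) start ;; stop) stop ;; *) echo "usage: $0 start|stop" >&2; exit 2 ;; esac
fi
```

Only rules carrying the log keyword produce ipmon records, so add it to the block rules you want to see in syslog.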