Posts tagged: tcpip

How to disable IPV6 on AIX 5.3 and 6.1


1. Delete the IPv6 loopback address (::1) from lo0

root [AIX Servers] /: lsattr -El lo0
mtu           16896     Maximum IP Packet Size for This Device     True
netaddr       127.0.0.1 Internet Address                           True
netaddr6      ::1       IPv6 Internet Address                      True
netmask                 Subnet Mask                                True
prefixlen               IPv6 Alias including Prefix Length         True
rfc1323                 Enable/Disable TCP RFC 1323 Window Scaling True
state         up        Current Interface Status                   True
tcp_mssdflt             Set TCP Maximum Segment Size               True
tcp_nodelay             Enable/Disable TCP_NODELAY Option          True
tcp_recvspace           Set Socket Buffer Space for Receiving      True
tcp_sendspace           Set Socket Buffer Space for Sending        True
root [AIX Servers] /: chdev -l lo0 -a netaddr6=''
lo0 changed
root [AIX Servers] /: lsattr -El lo0
mtu           16896     Maximum IP Packet Size for This Device     True
netaddr       127.0.0.1 Internet Address                           True
netaddr6                IPv6 Internet Address                      True
netmask                 Subnet Mask                                True
prefixlen               IPv6 Alias including Prefix Length         True
rfc1323                 Enable/Disable TCP RFC 1323 Window Scaling True
state         up        Current Interface Status                   True
tcp_mssdflt             Set TCP Maximum Segment Size               True
tcp_nodelay             Enable/Disable TCP_NODELAY Option          True
tcp_recvspace           Set Socket Buffer Space for Receiving      True
tcp_sendspace           Set Socket Buffer Space for Sending        True
root [AIX Servers] /:
root [AIX Servers] /: ifconfig -a
en0: flags=5e080863,c0<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),PSEG,LARGESEND,CHAIN>
 inet 59.30.4.9 netmask 0xffffff00 broadcast 59.30.4.255
 tcp_sendspace 131072 tcp_recvspace 65536 rfc1323 0
lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
 inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
 inet6 ::1/0
 tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1
root [AIX Servers] /: ifconfig lo0 inet6 ::1/0 delete
root [AIX Servers] /: ifconfig -a
en0: flags=5e080863,c0<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),PSEG,LARGESEND,CHAIN>
 inet 59.30.4.9 netmask 0xffffff00 broadcast 59.30.4.255
 tcp_sendspace 131072 tcp_recvspace 65536 rfc1323 0
lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
 inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
 tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1
root [AIX Servers] /:

2. Remove IPv6 from the name-service lookup order in /etc/netsvc.conf.

Edit /etc/netsvc.conf. The AIX default is:
hosts=local,bind
Replace it with:
hosts = local4,bind4
so that host-name lookups no longer search for IPv6 addresses.
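A post-change audit for the two steps above, added here as an example and not part of the original post. The function names, the embedded ifconfig and netsvc.conf samples (constructed to mirror the session shown) and the way the "hosts" line is parsed are this example's own assumptions; on a real AIX host you would pass "$(ifconfig -a)" and "$(cat /etc/netsvc.conf)" to the audit function instead of the samples.

```shell
#!/bin/sh
# Added example (not from the original post): checks that no inet6 address
# remains configured and that /etc/netsvc.conf restricts host lookups to
# IPv4 resolvers. Sample inputs below are constructed for an offline run.

# True (exit 0) when the supplied "ifconfig -a" output has no inet6 address.
ipv6_addrs_absent() {
    ! printf '%s\n' "$1" | grep -q '^[[:space:]]*inet6[[:space:]]'
}

# True when the effective "hosts" line of the supplied netsvc.conf text names
# only IPv4 resolvers (local4 and/or bind4). Comments are ignored and the last
# uncommented "hosts" line wins; no "hosts" line means the IPv4-only setting
# from the post is not in place.
netsvc_ipv4_only() {
    hosts_line=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
                 | grep -i '^[[:space:]]*hosts[[:space:]]*=' | tail -n 1)
    [ -n "$hosts_line" ] || return 1
    value=$(printf '%s\n' "$hosts_line" | sed 's/^[^=]*=//; s/[[:space:]]//g')
    for entry in $(printf '%s\n' "$value" | tr ',' ' '); do
        case "$entry" in
            local4|bind4) ;;      # IPv4-only resolvers, as in the post
            *) return 1 ;;        # local, bind, local6, bind6 still return AAAA records
        esac
    done
    return 0
}

# Runs both checks, prints PASS/FAIL per check, exits 0 only if both pass.
audit_ipv6_disabled() {
    rc=0
    if ipv6_addrs_absent "$1"; then echo "PASS: no inet6 address configured on any interface"
    else echo "FAIL: an inet6 address is still configured"; rc=1; fi
    if netsvc_ipv4_only "$2"; then echo "PASS: netsvc.conf hosts lookup is IPv4-only"
    else echo "FAIL: netsvc.conf still allows IPv6 host lookups"; rc=1; fi
    return $rc
}

# Constructed samples mirroring the session in the post (before/after).
IFCONFIG_BEFORE='lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
 inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
 inet6 ::1/0
 tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1'
IFCONFIG_AFTER='lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
 inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
 tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1'
NETSVC_DEFAULT='# name resolution order
hosts=local,bind'
NETSVC_FIXED='# name resolution order
hosts = local4,bind4'

echo "== before the change =="
audit_ipv6_disabled "$IFCONFIG_BEFORE" "$NETSVC_DEFAULT" || echo "-> host is still IPv6-enabled"
echo "== after the change =="
audit_ipv6_disabled "$IFCONFIG_AFTER" "$NETSVC_FIXED"
```

Both checks are needed: the chdev/ifconfig steps remove the address, but a host with hosts=local,bind will still ask the resolver for AAAA records, so a second box that never lost its IPv6 address can still be reached by name.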

A good read on “Deep-protocol analysis of UNIX networks”


Summary: Whether you are monitoring your network to identify performance issues, debugging an application, or have found an application on your network that you do not recognize, occasionally you need to look deep into the protocols being used on your UNIX® network to understand what they are doing. Some protocols are easy to identify and understand, even when used on non-standard ports. Others need more investigation to understand what they are doing and what information they are exchanging. In this article, we will take a look at techniques for performing detailed analysis of the protocols in use on your UNIX network.

Read on: Deep-protocol analysis of UNIX networks

Or download the PDF format here: <<Deep-protocol analysis of UNIX networks PDF>>


An IPFilter for AIX FAQ


Technote (FAQ)

Question
An IPFilter for AIX FAQ

Answer
What is IPFilter?
IPFilter is a software package that can be used to provide network address translation (NAT) or firewall services.

Is IPFilter supported on AIX?
IPFilter is shipped and supported on AIX 5.3 TL5 and later.
The fileset is "ipfl.rte"; it is found on Expansion Pack CD #2 for AIX 5.3 TL5 and later.

After installing IPFilter software from Expansion Pack CD, you should see this:
# lslpp -l | grep ipf
  ipfl.man.en_US             5.3.0.0  COMMITTED  IP Filters Documentation -
  ipfl.rte                   5.3.0.0  COMMITTED  IP Filters

Do I need to reboot after installing IPFilter?

No.

Where is documentation for IPFilter?

Here's the AIX Infocenter page for IPFilter:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/ipsec_filters_aix.htm

The most useful source of information for IPFilter is here:
http://coombs.anu.edu.au/~avalon/

Show me how to use IPFilter to block something

Here's an example of using IPFilter to block all incoming telnet and FTP requests:
- Create an IPFilter rule file and add the lines below to it, for example:
# cat /etc/ipf.conf
# This rule blocks all inbound telnet attempts
block in quick proto tcp from any to any port = telnet
# This rule blocks all inbound ftp attempts
block in quick proto tcp from any to any port = ftp

- Load the IPFilter kernel extension
# /usr/lib/methods/cfg_ipf -l

- Load the IPFilter rules (assuming your IPFilter table is /etc/ipf.conf)
# ipf -f /etc/ipf.conf

- Test by trying to telnet or ftp into the system
-- Your attempts should hang (assuming you have telnet and ftp enabled)

- Unload the kernel extension
# /usr/lib/methods/cfg_ipf -u

- Test by trying to telnet and ftp into the system again
-- Your attempts should succeed

Where can I learn more about how to use IPFilter?

On the Internet, specifically starting from here:
http://coombs.anu.edu.au/~avalon/

How do I start and load IPFilter at boot time?

- Create a script, like this:
# cat /etc/ipf.sh
#!/bin/ksh
# Load IPFilter into kernel
/usr/lib/methods/cfg_ipf -l
# Load ipmon and log to syslog
/usr/sbin/ipmon -s -D
# Load IP filter Rules
/usr/sbin/ipf -Fa -f /etc/ipf.conf

- Add this entry to /etc/inittab to run the script at run level 2 (assuming your script is /etc/ipf.sh):
ipf:2:once:/etc/ipf.sh

Can IPFilter activities be logged to syslogd?

Yes, if the following three conditions are met:
1. There is an IPFilter rule with the "log" keyword specified, for example:
block in log from any to any
2. syslogd has been correctly configured and active
- This entry in /etc/syslog.conf will work
*.debug     /tmp/syslog.out
3. The ipmon daemon is running
# ipmon -s -D
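The telnet/FTP blocking example above and the three logging conditions just listed are easy to get half right: a rule that blocks without "log" drops traffic that ipmon and syslogd will never see. The following linter is an added example, not part of the technote or of IPFilter itself; it understands only the rule form used in this FAQ ("block in [log] [quick] proto tcp from any to any port = NAME"), not IPFilter's full grammar, and its function names and embedded rule text are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the technote): summarise each rule in an ipf.conf-style
# text and flag "block" rules that lack the "log" keyword, so that what the
# filter drops also shows up in syslog via ipmon. Handles only "port = NAME".

# One summary line per rule: action direction quick= log= proto= port=
summarize_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        set -- $line                          # split the rule into words
        [ $# -ge 2 ] || continue              # blank or single-word line
        case "$1" in '#'*) continue ;; esac   # comment line
        action=$1; direction=$2; shift 2
        quick=no; log=no; proto=any; port=any
        while [ $# -gt 0 ]; do
            case "$1" in
                quick) quick=yes ;;
                log)   log=yes ;;
                proto) if [ $# -ge 2 ]; then proto=$2; shift; fi ;;
                port)  if [ $# -ge 3 ]; then port=$3; shift 2; fi ;;   # "port = telnet"
            esac
            shift
        done
        printf '%s %s quick=%s log=%s proto=%s port=%s\n' \
            "$action" "$direction" "$quick" "$log" "$proto" "$port"
    done
}

# Number of non-comment rules in the text.
count_rules() { summarize_rules "$1" | wc -l | tr -d ' '; }

# Print the block rules that would never reach ipmon/syslogd; exit 0 only
# when every block rule carries "log".
check_block_rules_logged() {
    unlogged=$(summarize_rules "$1" | grep '^block .*log=no' || true)
    [ -z "$unlogged" ] || { printf 'unlogged block rules:\n%s\n' "$unlogged"; return 1; }
}

# Constructed samples: the two rules from the FAQ, then a logged variant.
RULES_FAQ='# This rule blocks all inbound telnet attempts
block in quick proto tcp from any to any port = telnet
# This rule blocks all inbound ftp attempts
block in quick proto tcp from any to any port = ftp'
RULES_LOGGED='block in log quick proto tcp from any to any port = telnet
block in log quick proto tcp from any to any port = ftp
block in log from any to any'

echo "== rules as written in the FAQ =="
summarize_rules "$RULES_FAQ"
check_block_rules_logged "$RULES_FAQ" || echo "-> add the log keyword so ipmon records the drops"
echo "== logged variant =="
summarize_rules "$RULES_LOGGED"
check_block_rules_logged "$RULES_LOGGED" && echo "all block rules are logged"
```

Run it against the real file with check_block_rules_logged "$(cat /etc/ipf.conf)"; a non-zero exit means at least one block rule is silent, and the three conditions above (log keyword, a syslog.conf entry, a running ipmon) are all still required for the logged rules to produce output.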

Are there any differences/limitations with the AIX ported version of IPFilter?

According to AIX development:
"Other services like accounting, keep-state, authentication, are not verified as working in AIX yet"

So yes, there may be some features/limitations not fully working/supported yet on AIX.