We need to start restricting what subnets and IP addresses can access particular AIX servers. At this stage we don't need to get down to the port level. I was looking at using IP Tables but thought there was something else that might work?

On Jan 7, 10:49 am, Scottz <[email protected]> wrote:
> We need to start restricting what subnets and IP addresses can access
> particular AIX servers.
> At this stage we don't need to get down to the port level.
>
> I was looking at using IP Tables but thought there was something else
> that might work?

I'm thinking of tcpd but haven't found any pre-compiled flavors of it yet.

Anybody have any experience with tcpd on AIX?

On Jan 8, 8:33 am, Scottz <[email protected]> wrote:
> On Jan 7, 10:49 am, Scottz <[email protected]> wrote:
>
> > We need to start restricting what subnets and IP addresses can access
> > particular AIX servers.
> > At this stage we don't need to get down to the port level.
>
> > I was looking at using IP Tables but thought there was something else
> > that might work?
>
> I'm thinking of tcpd but haven't found any pre-compiled flavors of it
> yet.
>
> Anybody have any experience with tcpd on AIX?

ipsec ?

On Jan 7, 1:22 pm, Henry <[email protected]> wrote:
> On Jan 8, 8:33 am, Scottz <[email protected]> wrote:
>
> > On Jan 7, 10:49 am, Scottz <[email protected]> wrote:
>
> > > We need to start restricting what subnets and IP addresses can access
> > > particular AIX servers.
> > > At this stage we don't need to get down to the port level.
>
> > > I was looking at using IP Tables but thought there was something else
> > > that might work?
>
> > I'm thinking of tcpd but haven't found any pre-compiled flavors of it
> > yet.
>
> > Anybody have any experience with tcpd on AIX?
>
> ipsec ?

Have read that you can use the ipsec package to do packet filtering without having to use IPv6 protocols. That seems to be a bit more intensive than what we were looking for but will look into it further.

Found tcpd is part of the tcp wrapper package which is included on the AIX Expansion Pack ( netsec.options ).

On Mon, 7 Jan 2008 10:49:24 -0800 (PST), Scottz <[email protected]> wrote:
>
>We need to start restricting what subnets and IP addresses can access
>particular AIX servers.
>At this stage we don't need to get down to the port level.
>
>I was looking at using IP Tables but thought there was something else
>that might work?
>

If all your connecting users are in-house then you can try to use tcpwrappers. This is a program coded into your inetd.conf file and allows you to specify specific criteria for each service (i.e.: allowable IP's, user, etc). Try man tcpwrappers or search tcpwrappers on AIX support sites.

Worth a look.

Bob

Scottz <[email protected]> wrote:
S>On Jan 7, 1:22 pm, Henry <[email protected]> wrote:
>> On Jan 8, 8:33 am, Scottz <[email protected]> wrote:
>>
>> > On Jan 7, 10:49 am, Scottz <[email protected]> wrote:
>>
>> > > We need to start restricting what subnets and IP addresses can access
>> > > particular AIX servers.
>> > > At this stage we don't need to get down to the port level.
>>
>> > > I was looking at using IP Tables but thought there was something else
>> > > that might work?
>>
>> > I'm thinking of tcpd but haven't found any pre-compiled flavors of it
>> > yet.
>>
>> > Anybody have any experience with tcpd on AIX?
>>
>> ipsec ?
S>
S>Have read that you can use the ipsec package to do packet filtering
S>without having to use IPv6 protocols.
S>That seems to be a bit more intensive than what we were looking for
S>but will look into it further.
S>
S>Found tcpd is part of the tcp wrapper package which is included on the
S>AIX Expansion Pack ( netsec.options ).
S>

Unfortunately and AFAIK, iptables is a Linux-only implement, and yes, ipsec is an overkill for your purposes.

tcpwrappers is a great little tool and does IP filtering in user-land. It can be used to handle filtering on a per service base for all that inetd serves; others will have to be recompiled and linked to libwrap.a (such as sshd).

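The per-service filtering described in the two posts above (tcpd in front of inetd services, libwrap for daemons such as sshd) follows the hosts_access(5) decision order. The sketch below is an added example, not part of the thread or of the tcp wrappers code: it evaluates a constructed `hosts.allow`/`hosts.deny` pair, handling only `ALL`, literal IPv4 addresses and net/mask patterns, and all addresses in it are placeholders.

```python
import ipaddress

# Constructed sample policy in hosts_access(5) syntax (placeholder addresses).
HOSTS_ALLOW = """\
# daemon_list : client_list
telnetd, ftpd : 10.1.2.0/255.255.255.0, 192.168.10.15
sshd : 10.1.2.0/255.255.255.0
"""
HOSTS_DENY = """\
ALL : ALL
"""

def tokens(field):
    """Split a daemon or client list on commas and whitespace."""
    return field.replace(",", " ").split()

def parse(text):
    """Return [(daemons, clients)] for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":")[:2]
            rules.append((tokens(daemons), tokens(clients)))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 10.1.2.0/255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def rule_hit(rules, daemon, addr):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in rules
    )

def access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """A hosts.allow match grants; else a hosts.deny match refuses; else grant."""
    addr = ipaddress.ip_address(client_ip)
    if rule_hit(parse(allow), daemon, addr):
        return "granted"
    if rule_hit(parse(deny), daemon, addr):
        return "denied"
    return "granted"  # nothing matched in either file: the default is allow
```

The last branch is the one to watch when restricting by subnet: without a catch-all `ALL : ALL` in `hosts.deny`, any client not listed in `hosts.allow` is still let through.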
Scottz wrote:
> On Jan 7, 1:22 pm, Henry <[email protected]> wrote:
>> On Jan 8, 8:33 am, Scottz <[email protected]> wrote:
>>
>>> On Jan 7, 10:49 am, Scottz <[email protected]> wrote:
>>>> We need to start restricting what subnets and IP addresses can access
>>>> particular AIX servers.
>>>> At this stage we don't need to get down to the port level.
>>>> I was looking at using IP Tables but thought there was something else
>>>> that might work?
>>> I'm thinking of tcpd but haven't found any pre-compiled flavors of it
>>> yet.
>>> Anybody have any experience with tcpd on AIX?
>> ipsec ?
>
> Have read that you can use the ipsec package to do packet filtering
> without having to use IPv6 protocols.
> That seems to be a bit more intensive than what we were looking for
> but will look into it further.
>
> Found tcpd is part of the tcp wrapper package which is included on the
> AIX Expansion Pack ( netsec.options ).
>

Remember, anything on the expansion pack is not supported. IPfilter also comes on the expansion pack and I had a problem with kernel panics with it. Thinking that it was supported, I opened a PMR. Once they found out it was ipfilter, they closed the PMR with a "good luck with that". I later went to ipsec, which is supported.

Scottz wrote:
> I'm thinking of tcpd but haven't found any pre-compiled flavors of it
> yet.

Try the steering page http://www.gsi.de/~bio/DOCS/AIX/aixp..._wrappers.html

It can also be built from the sources relatively easily.

"0xdeadabe" <[email protected]> wrote in message news:[email protected]...
> Scottz wrote:
>> On Jan 7, 1:22 pm, Henry <[email protected]> wrote:
>>> On Jan 8, 8:33 am, Scottz <[email protected]> wrote:
>>>
>>>> On Jan 7, 10:49 am, Scottz <[email protected]> wrote:
>>>>> We need to start restricting what subnets and IP addresses can access
>>>>> particular AIX servers.
>>>>> At this stage we don't need to get down to the port level.
>>>>> I was looking at using IP Tables but thought there was something else
>>>>> that might work?
>>>> I'm thinking of tcpd but haven't found any pre-compiled flavors of it
>>>> yet.
>>>> Anybody have any experience with tcpd on AIX?
>>> ipsec ?
>>
>> Have read that you can use the ipsec package to do packet filtering
>> without having to use IPv6 protocols.
>> That seems to be a bit more intensive than what we were looking for
>> but will look into it further.
>>
>> Found tcpd is part of the tcp wrapper package which is included on the
>> AIX Expansion Pack ( netsec.options ).
>>
> Remember, anything on the expansion pack is not supported. IPfilter also
> comes on the expansion pack and I had a problem with kernel panics with
> it. Thinking that it was supported, I opened a PMR. Once they found out
> it was ipfilter, they closed the PMR with a "good luck with that". I
> later went to ipsec, which is supported.

Statement above is not totally correct. OpenSSH is found on the expansion pack and is fully supported. Seems odd that ipfilter would not be supported by IBM (as long as it is not in the Linux Toolbox, which is not supported).

Mark van Huijstee wrote:
> "0xdeadabe" <[email protected]> wrote in message
> news:[email protected]...
>> Scottz wrote:
>>> On Jan 7, 1:22 pm, Henry <[email protected]> wrote:
>>>> On Jan 8, 8:33 am, Scottz <[email protected]> wrote:
>>>>
>>>>> On Jan 7, 10:49 am, Scottz <[email protected]> wrote:
>>>>>> We need to start restricting what subnets and IP addresses can access
>>>>>> particular AIX servers.
>>>>>> At this stage we don't need to get down to the port level.
>>>>>> I was looking at using IP Tables but thought there was something else
>>>>>> that might work?
>>>>> I'm thinking of tcpd but haven't found any pre-compiled flavors of it
>>>>> yet.
>>>>> Anybody have any experience with tcpd on AIX?
>>>> ipsec ?
>>>
>>> Have read that you can use the ipsec package to do packet filtering
>>> without having to use IPv6 protocols.
>>> That seems to be a bit more intensive than what we were looking for
>>> but will look into it further.
>>>
>>> Found tcpd is part of the tcp wrapper package which is included on the
>>> AIX Expansion Pack ( netsec.options ).
>>>
>> Remember, anything on the expansion pack is not supported. IPfilter
>> also comes on the expansion pack and I had a problem with kernel
>> panics with it. Thinking that it was supported, I opened a PMR. Once
>> they found out it was ipfilter, they closed the PMR with a "good luck
>> with that". I later went to ipsec, which is supported.
>
> Statement above is not totally correct. OpenSSH is found on the
> expansion pack and is fully supported.
> Seems odd that ipfilter would not be supported by IBM (as long as it is
> not in the Linux Toolbox, which is not supported).

I should have stated that is what I was told by IBM tech support, and also got that in an "AIX for UNIX Professionals" class. The statement was not my own. If there is a link to an exact support matrix, I would surely like to have it.

I have been using SSH under the assumption of it being unsupported, simply because I have never had problems with it, even on exotic platforms that I needed to build it from source. That said, I have noticed that SSH is installed in the latest versions of VIO server. That tells me that support is there now.