ä :) , :
þ , , . î , , , . ¡
é, TCPIP 4.1 OS/2 ( MPTN 5.3) IBM FireWall, . ë , , FireWall , . ð FireWall :
ô , FireWall-:
SET FWERROR=C:\MPTN\ETC\SECURITY\LOGS
SET FWLOGS=C:\MPTN\ETC\SECURITY\LOGS
1.2 ä, , , , þ ( ):
DEVICE=C:\MPTN\PROTOCOL\IPSEC.SYS
DEVICE=C:\MPTN\PROTOCOL\FWIP.SYS
DEVICE=C:\MPTN\PROTOCOL\CDMF.SYS
DEVICE=C:\MPTN\PROTOCOL\MD5.SYS
1.3 ä FireWall- ( FireWall-):
RUN=C:\MPTN\BIN\FSSD.EXE
CALL=C:\MPTN\BIN\CFGFILT.EXE -u -i -d
P.S. , , . ä "-d", - .
¡:
172.16.2.14
%ETC%\Security\fwfiltrs.cnf - ;
¡:
permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 any 0 both both both l=no f=yes t=0
¤ .
%ETC%\fwlog.cnf -- :
10: Debug
20: é
30: ¡
40: ï
50: §
¡:
level=20
â 20 ;
è , :
þ , , fwerror.err, , FWERROR %ETC%\.
detach fssd
cfgfilt -u -i -d
ð \mptn\bin\setup.cmd, \tcpip\bin\tcpstart.cmd \startup.cmd, .
cfgfilt.exe [-c] [-u [-i]] [-f [file]] [-d [{start|stop}]] [-m [#]] [-p [port#]], - .
ï:
-c ï - (Ó );
-d þ (start) (stop) . ¡ .
-f ¡ ;
-i é . ä -u;
-m í Real Audio;
-p ¡ Real Audio;
-u , %ETC%\security\fwfiltrs.cnf;
inetcfg - (inetcfg -s firewall 1) (inetcfg -s firewall 0) FireWall-.
cfgfilt FireWall.
fssd - .
fwlslog - .
ô , :
1) § :
deny - ;
permit - .
2,3) á :
ä : . í : ä x.y.z.u 0xFFFFFFFF.
4,5) á :
ô. 2,3
6) ¡. § IP :
all - ;
icmp - ICMP;
udp - UDP;
tcp - TCP;
tcp/ack - TCP "acknowledgment";
ipsp - IPSP (, IBM ).
7,8) ¡ /§ ICMP:
¡ , ( ICMP ICMP). þ : any(), eq(=), neq(<>), lt(<), gt(>), le(<=), ge (>=).
9,10) ¡ /ë ICMP:
é , . ä ICMP ë ICMP.
11) á. § :
secure - ;
non-secure - ;
both - ;
12) í:
ï . þ :
local - ;
route - ;
both - ;
13) î:
ï / :
inbound - ;
outbound - ;
both - .
þ! î =. ¡:
deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 icmp eq 8 any 8 both both inbound l=yes f=only t=0
14) ë . é "l" ():
ï , .
yes - ( - );
no - ( - ).
15) ë . é "f" ():
yes - , ;
no - ;
only - .
16) éä . é "t" ():
ï , . 0 .
ì FireWall- "FirewallConfig/2, Created by sehh" "ServerConfig/2".
¡: î . æ !
ä IP -- 172.16.2.14, -- 255.255.0.0. ô fwsecad.cnf:
172.16.2.14
- ¤ Telnet ¤ (172.16.1.7) :
permit 172.16.1.7 255.255.255.255 172.16.2.14 255.255.255.255 all any 0 eq 23 both both both
deny 0.0.0.0 0.0.0.0 172.16.2.14 255.255.255.255 all any 0 eq 23 both both both
ð telnet .
- :
deny 0.0.0.0 0.0.0.0 172.16.2.14 255.255.255.255 icmp eq 8 any 0 both both both
¡ ICMP 8 (ICMP_ECHO). § ICMP :
#define ICMP_ECHOREPLY 0 /* echo reply */
#define ICMP_UNREACH 3 /* dest unreachable */
#define ICMP_SOURCEQUENCH 4 /* packet lost, slow down */
#define ICMP_REDIRECT 5 /* shorter route */
#define ICMP_ECHO 8 /* echo service */
#define ICMP_TIMXCEED 11 /* time exceeded */
#define ICMP_PARAMPROB 12 /* ip header bad */
#define ICMP_TSTAMP 13 /* timestamp request */
#define ICMP_TSTAMPREPLY 14 /* timestamp reply */
#define ICMP_IREQ 15 /* information request */
#define ICMP_IREQREPLY 16 /* information reply */
#define ICMP_MASKREQ 17 /* address mask request */
#define ICMP_MASKREPLY 18 /* address mask reply */
- þ telnet:
permit 0.0.0.0 0.0.0.0 172.16.2.14 255.255.255.255 all any 0 eq 23 both both both l=yes, 23, .
á ë