netrule Command

Purpose

Adds, removes, lists, or queries rules, flags and security labels for interfaces and hosts.

Syntax

netrule h l [ i | o | i o ]

netrule h q { i | o } src_host_rule_specification dst_host_rule_specification

netrule h - [ i | o ][u] [ src_host_rule_specification dst_host_rule_specification ]

netrule h + { i | o } [ u ] src_host_rule_specification dst_host_rule_specification [ flags ][ RIPSO/CIPSO options ] security_label_information

netrule i l

netrule i q interface

netrule i - [ u ][interface ]

netrule i + [ u ] interface [ flags ][ RIPSO/CIPSO options ] security_label_information

netrule e q

netrule e { on | off }

Description

The netrule command lists, queries, adds and removes rule specifications for interfaces and hosts. The system default interface rules are set using the interface name. When an interface is removed using the i- flag, it will be given these default interface rules. The default interface rules are also set using the tninit load command.

Note: Because there must always be an interface rule for an interface, the remove operation sets the interface rule to its default state. All of the command line flags must follow the order as shown in the syntax statements.

Flags

Item	Description
e { on \| off }	Sets the policy for sending the ICMP error response to incoming packets that are not accepted by the system. This setting is off by default and must be set with this flag to be on. You cannot specify the e flag when you specify the h or i flag.
h	Specifies that the object of the netrule command is a host. You cannot specify the h flag when you specify the i or e flag.
i	Specifies that the object of the netrule command is an interface. You cannot specify the i flag when you specify the h or e flag.
l	Lists all rules for interfaces or hosts.
o	Specifies the host out rules (for host rule only).
q	Queries an interface, a host rule, or the status of the error response setting.
u	Specifies that the /etc/security/rules.host and /etc/security/rules.int files will be updated after the host or interface rule is successfully added or removed.
+	Adds an interface or a host rule.
-	Removes an interface or a host rule.
interface	Specifies an interface name.
src_host_rule_specification	This parameter takes the following format: `src_host [/ mask][ = proto [:start_port_range [:end_port_range]]]` Requirement: There is a space or tab in between each field. src_host A source IPv6 address, or an IPv4 address, or a host name. mask The subnet mask number indicates how many bits are set, starting from the most significant bit. For example, 24 means 255.255.255.0 for an IPv4 address. proto A protocol. start_port_range A particular port number or name to begin from. end_port_range A particular port number or name to end at.
dst_host_rule_specification	This parameter takes the following format: `dst_host [/ mask][ = proto [:start_port_range [:end_port_range]]]` Requirement: There is a space or tab in between each field. dst_host A destination IPv6 address, or an IP v4 address, or a host name. mask The subnet mask number, which indicates how many bits are set, starting from the most significant bit. For example, 24 means 255.255.255.0 for an IPv4 address. proto A protocol. start_port_range A particular port number or name to begin in range from. end_port_range A particular port number or name to end at.
flags	This parameter takes the following format: `-d drop` drop AIX® Trusted Network can be configured to drop all packets. You can specify one of the following values: r Drops all packets n Does not drop all packets (interface default). i Uses interface default (host default, host only). `-f rflag:tflag` rflags Security option requirement on incoming (received) packets. You can specify one of the following values: r Revised Interconnection Protocol Security Option (RIPSO) only. c Commercial Internet Protocol Security Option (CIPSO) only. e Either RIPSO or CIPSO. n Neither RIPSO or CIPSO (system default). a No restrictions. i Uses interface or system default (default). tflag Security option handling on outgoing (transmitted) packets. You can specify one of the following values: r Transmits RIPSO. c Transmits CIPSO. n Does not transmit any security options (interface default). i Uses interface default (host default, host only).
RIPSO/CIPSO options	This parameter takes the following format: -rpafs=PAF_field[,PAF_field...] Specifies the PAF fields that are used to receive IPSO packets. This is a list of PAF fields that are accepted. There can be up to 256 fields. PAF_field: NONE \| PAF [+PAF...] Specifies PAF fields, which are collections of PAFs. The following are the five PAFs that can be included in a single PAF field: GENSER SIOP-ESI SCI NSA DOE A PAF field is a combination of these values separated by a plus sign (+). For example, a PAF field containing both GENSER and SCI is represented as GENSER+SCI. You can use the PAF field NONE to specify the PAF field without any specified PAFs. -epaf=PAF_field Specifies the PAF field that is attached to error responses for incoming IPSO packets that were not accepted by the system. -tpaf=PAF_field Specifies the PAF field that is included in the IPSO options of outgoing packets. -DOI = doi Specifies the domain of interpretation (DOI) for CIPSO packets. Incoming packets must have this DOI and outgoing packets will be given this DOI. -tags=tag[,tag...] `tag = 1 \| 2 \| 5` Specifies the set of tags that are accepted and available to be transmitted by CIPSO options. This is a combination of 1, 2 and 5. For example 1,2 would enable tags 1 and 2.
security_label_information	This parameter takes the following format: +min +max +default \| -s input_file Specifies the standard output (SL) that will apply when adding a rule. You can also specify the -s flag and include the SLs in the file in the following order, specifying one per line: min SL max SL default SL You cannot include any comments in the file. Use a backslash (\) at the end of the line if more than one line is needed. If you are not using a file, list the sensitivity labels delimited by a plus sign (+) for the minimum level, the maximum level, and the default or implicit level for unmarked packets.

Security

A user must have the aix.mls.network.config and the aix.mls.network.init authorizations to run the netrule command.

Examples

To add in host rule, and update the local database after in host rule is successfully added to kernel, enter:
```
netrule h+iu 9.3.149.25 9.41.86.19 +impl_lo +ts all +pub
```

To add out host rule, enter:

netrule h+o 9.41.86.19  9.3.149.25 -s /tmp/rule

or:

impl_lo
ts all
pub

The following are the contents of the input /tmp/rule file:

impl_lo
ts \
all
pub

To drop all incoming UDP packets from a host, enter:

netrule h+i 192.0.0.5 =udp 9.41.86.19 =udp -dr +impl_lo +impl_lo +impl_lo

To remove all host rules and update the local, enter:
```
netrule h-u
```
To list all host rules, enter:
```
netrule hl
```
To list all interface rules, enter:
```
netrule il
```

To add an interface rule, enter:

netrule i+ en0 -dn -fa:n +public +ts +secret

To remove a particular host rule, enter:

netrule h-i 192.0.0.5 =udp 9.41.86.19 =udp

To add a particular host rule, enter:

netrule h+i 9.41.86.19 /24 =tcp :ftp :telnet 9.3.149.6 /28 +public +ts +secret

To set the default interface rule, enter:

netrule i+ default -dn -fa:n +impl_lo +ts all +impl_lo

To set the default interface rule to the system drop-all-packets default, enter:
```
netrule i- default
```
To set the interface to send and only receive CIPSO packets, enter:
```
netrule i+ en0 -fc:c +impl_lo +ts all +impl_lo
```
To set the interface to receive either CIPSO or RIPSO packets and send RIPSO packets with PAF values, a CIPSO DOI, and CIPSO flags, enter:
```
netrule i+ en0 -fe:r -rpafs=SCI,NSA+DOE -epaf=SCI -tpaf=NSA -DOI=0x010 
-tags=1,2 +impl_lo +ts all +impl_lo
```
To set the system-wide policy for sending ICMP responses on incoming packets that are not valid, enter:
```
netrule e on
```