IBM AIX Packet Filter module
From: brummie () SECURE I1 NET (Brumbles)
Date: Mon, 25 Oct 1999 14:45:19 -0500
I have tried unsuccessfully to get any response from IBM on the following;
apparently unless you have a support contract you can't report bugs..
(well.. you can.. "Program Services", but that's a link to /dev/null).
The Packet Filtering Module, in particular the command genfilt, does not allow
the addition of filters with port numbers greater than 32767.
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 \
-c udp -o any -O eq -P 123 -l n -w I -i all
Works fine... but...
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c udp \
-o any -O eq -P 32768 -l n -w I -i all
Bad destination port/ICMP type "32768".
All is well if you use port 32767.
Simply put, the -P (port) parameter will not accept an argument greater
Obviously there are a lot of things above 32768 that you might want to filter,
e.g. rstatd and other RPC programs, and also if I wanted to ensure that
my users aren't opening up any services that sit on high ports, they can
circumvent any protection I layer on top by starting their service above
As the AIX 4.3.2 packet filtering module is based upon the commercial IBM
firewall, I would be very interested to see if this weakness also exists
in that product.
I believe this opens up a security problem for anyone using the AIX
filtering that wants to continue using RPC on an internal interface, but
wishes to present only certain ports to an external side.
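An added illustration, not part of the post and not genfilt's source: the post does not say why genfilt stops at 32767, so the "narrowed" parser below is only an assumed model of a common cause of exactly this symptom (a port value squeezed through a signed 16-bit type before the range check), placed beside a parser that validates the full 0..65535 range. The function names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* ASSUMED model of the bug class: the value is narrowed to a signed 16-bit
 * type before being checked, so 32768 wraps negative and is rejected with a
 * "bad port" style error. Returns the port, or -1 when rejected. */
int parse_port_narrowed(const char *arg)
{
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return -1;
    short port = (short)v;          /* 32768 becomes -32768 here */
    if (port < 0)                   /* "port > 32767" can never be true */
        return -1;
    return port;
}

/* Correct check: parse as unsigned, reject signs/junk, accept 0..65535. */
int parse_port(const char *arg)
{
    char *end;
    if (!isdigit((unsigned char)arg[0]))   /* strtoul would accept "-1" */
        return -1;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    if (errno != 0 || *end != '\0' || v > 65535UL)
        return -1;
    return (int)v;
}

int main(void)
{
    /* Constructed sample of ports an admin might want to filter. */
    const char *ports[] = { "123", "32767", "32768", "65535", "65536", "12x" };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("%-6s narrowed=%6d correct=%6d\n", ports[i],
               parse_port_narrowed(ports[i]), parse_port(ports[i]));
    return 0;
}
```

Every port that the narrowed parser rejects but the correct one accepts is a rule that silently never gets installed, which is the gap the post describes for RPC services on high ports.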