Adds, removes, lists, or queries rules, flags and security labels for interfaces and hosts.
```
netrule hq { i | o } src_host_rule_specification dst_host_rule_specification
netrule h- [ i | o ] [ u ] [ src_host_rule_specification dst_host_rule_specification ]
netrule h+ { i | o } [ u ] src_host_rule_specification dst_host_rule_specification [ flags ] [ RIPSO/CIPSO options ] security_label_information
netrule i+ [ u ] interface [ flags ] [ RIPSO/CIPSO options ] security_label_information
```
The netrule command lists, queries, adds, and removes rule specifications for interfaces and hosts. The system default interface rules are set by using `default` as the interface name (see the examples). When an interface rule is removed with the i- flag, the interface is given these default interface rules. The default interface rules are also set by the tninit load command.
Item | Description |
---|---|
e { on | off } | Sets the policy for sending an ICMP error response for incoming packets that the system does not accept. The setting is off by default and must be turned on with this flag. The e flag cannot be combined with the h or i flag. |
h | Specifies that the object of the netrule command is a host. The h flag cannot be combined with the i or e flag. |
i | Specifies that the object of the netrule command is an interface. The i flag cannot be combined with the h or e flag. |
l | Lists all rules for interfaces or hosts. |
o | Specifies the host out rules (host rules only). |
q | Queries an interface, a host rule, or the status of the error response setting. |
u | Updates the /etc/security/rules.host and /etc/security/rules.int files after the host or interface rule is successfully added or removed. |
+ | Adds an interface or a host rule. |
- | Removes an interface or a host rule. |
interface | Specifies an interface name. |
src_host_rule_specification | Rule specification for the source host. Requirement: each field is separated by a space or a tab. |
dst_host_rule_specification | Rule specification for the destination host. Requirement: each field is separated by a space or a tab. |
flags | Flags applied to the rule. |
RIPSO/CIPSO options | RIPSO/CIPSO options applied to the rule. |
security_label_information | Security label information applied to the rule. |
A user must have both the aix.mls.network.config and the aix.mls.network.init authorizations to run the netrule command.
To add an incoming host rule from 9.3.149.25 to 9.41.86.19 with the security label information given on the command line, and update the /etc/security/rules.host file:

```
netrule h+iu 9.3.149.25 9.41.86.19 +impl_lo +ts all +pub
```

To add the matching outgoing host rule, taking the security label information from the file /tmp/rule:

```
netrule h+o 9.41.86.19 9.3.149.25 -s /tmp/rule
```

where /tmp/rule contains either:

```
impl_lo
ts all
pub
```

or (a trailing backslash continues an entry on the next line):

```
impl_lo
ts \
all
pub
```
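The two file layouts above are equivalent to the `+item` arguments of the first example. The following is an added example, not part of the netrule documentation: a POSIX shell function that reads such a rule file, joins backslash-continued lines, normalizes tabs and spaces, and prints the equivalent command-line form. The one-item-per-logical-line mapping is an assumption inferred from the examples on this page.

```shell
#!/bin/sh
# Added example (not from the AIX documentation).
# rulefile_to_args FILE
#   Prints the "+item" command-line form of a netrule -s rule file.
#   Assumption (inferred from this page's examples): each logical line of
#   the file, after joining "\"-continued lines, is one label item.
rulefile_to_args() {
    file=$1
    out=""
    buf=""
    # "|| [ -n "$line" ]" also processes a last line with no newline.
    while IFS= read -r line || [ -n "$line" ]; do
        # A trailing backslash continues the entry on the next line.
        case $line in
            *\\) buf="$buf ${line%\\}"; continue ;;
        esac
        buf="$buf $line"
        # Fields may be separated by spaces or tabs; collapse them to
        # single spaces and trim the ends.
        item=$(printf '%s\n' "$buf" | tr '\t' ' ' | tr -s ' ' \
               | sed 's/^ *//; s/ *$//')
        buf=""
        # Skip blank lines.
        [ -z "$item" ] && continue
        out="$out +$item"
    done < "$file"
    printf '%s\n' "${out# }"
}

# Usage: rulefile_to_args /tmp/rule
# For either layout shown above this prints: +impl_lo +ts all +pub
```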
To add an incoming host rule for UDP traffic (=udp) from 192.0.0.5 to 9.41.86.19 with the -dr flag:

```
netrule h+i 192.0.0.5 =udp 9.41.86.19 =udp -dr +impl_lo +impl_lo +impl_lo
```

To remove host rules and update the /etc/security/rules.host file:

```
netrule h-u
```

To list all host rules:

```
netrule hl
```

To list all interface rules:

```
netrule il
```

To add an interface rule for en0 with the flags -dn -fa:n and the security label information public, ts and secret:

```
netrule i+ en0 -dn -fa:n +public +ts +secret
```

To remove the UDP host rule added above:

```
netrule h-i 192.0.0.5 =udp 9.41.86.19 =udp
```

To add an incoming host rule for TCP traffic (=tcp :ftp :telnet) from 9.41.86.19 /24 to 9.3.149.6 /28:

```
netrule h+i 9.41.86.19 /24 =tcp :ftp :telnet 9.3.149.6 /28 +public +ts +secret
```

To set the system default interface rules:

```
netrule i+ default -dn -fa:n +impl_lo +ts all +impl_lo
```

To remove the rule for the interface named default:

```
netrule i- default
```

To add an interface rule for en0 with the flag -fc:c:

```
netrule i+ en0 -fc:c +impl_lo +ts all +impl_lo
```

To add an interface rule for en0 with the flag -fe:r and RIPSO/CIPSO options:

```
netrule i+ en0 -fe:r -rpafs=SCI,NSA+DOE -epaf=SCI -tpaf=NSA -DOI=0x010 -tags=1,2 +impl_lo +ts all +impl_lo
```

To turn on the ICMP error response for incoming packets that the system does not accept:

```
netrule e on
```