See 135.cfgfilt.output in my DFS home directory for the output of a cfgfilt command, which dumps the Firewall active filters database.

========================================================================================
Secure Interface      192.168.56.135
Non-Secure Interface  204.146.135.135
========================================================================================

Network Objects:

Number  Name            Address        Mask             Description
------  --------------  -------------  ---------------  -----------------------
502     Patent56        192.168.56.0   255.255.255.0    Patent subnet 56
503     AnySource       0.0.0.0        0.0.0.0          Any source Nntwork
504     AnyDestination  0.0.0.0        0.0.0.0          Any destination network
508     LoopBack        127.0.0.0      255.0.0.0        Loopback Network
509     al maden (sic)  9.1.0.0        255.255.0.0      Alamden Network
510     Broadcast       0.0.0.255      0.0.0.255        Broacdcast Address

Host Objects:

Number  Name            Address        Mask             Description
------  --------------  -------------  ---------------  -----------------------
505     Netview8        9.1.10.17      255.255.255.255  Netview interface
506     Netview24       9.1.24.81      255.255.255.255  Netview interface 24
507     adsm            9.1.10.26      255.255.255.25   adsm Service
511     CW              192.168.56.65  255.255.255.255  Control Workstation

========================================================================================

Rules:

Number  Name                         Action  Protocol  Source  Dest    Adapter     Routing/Direction  Log/Fragmentation
                                                       Port    Port
------  ---------------------------  ------  --------  ------  ------  ----------  -----------------  -----------------
14      Socks TCP Ack                permit  tcp/ack   =1080   >1023   secure      local/outbound     no/yes
28      Mail Ack                     permit  tcp/ack   =25     >1023   both        local/both         no/yes
53      Socks TCP                    permit  tcp       >1023   =1080   secure      local/inbound      no/yes
67      Mail                         permit  tcp       >1023   =25     both        local/both         no/yes
82      DNS Server queries           permit  udp       =53     =53     both        local/both         no/yes
83      DNS Replies                  permit  udp       =53     >1023   both        local/both         no/yes
86      DNS Client queries           permit  udp       >1023   =53     both        local/both         no/yes
92      SNMP query                   permit  all       >1023   =161    both        local/both         no/yes
93      SNMP reply                   permit  all       =161    >1023   both        local/both         no/yes
98      Socks deny                   deny    tcp       any     =1080   non-secure  both/both          yes/headers
102     All - deny any               deny    all       any     any     both        both/both          yes/yes
107     HTTP in 8080                 permit  tcp       >1023   =1080   secure      local/inbound      no/yes
108     HTTP response                permit  tcp/ack   =8080   >1023   secure      local/outbound     no/yes
110     SNMPTRAP                     permit  all       =161    =162    both        local/outbound     no/yes
501     SSH 1/2                      permit  tcp       any     =22     secure      local/inbound      no/yes
502     SSH ACK 1/2                  permit  tcp/ack   =22     any     secure      local/outbound     no/yes
503     SSH in 2222 1/2              permit  tcp       any     =2222   secure      local/inbound      no/yes
504     SSH ACK in 2222 1/2          permit  tcp/ack   =2222   any     secure      local/outbound     no/yes
505     SSH Client                   permit  tcp       any     =22     both        local/outbound     no/yes
506     SSH Client Ack               permit  tcp/ack   =22     any     both        local/inbound      no/yes
507     SSH Client in port 222       permit  tcp       any     =2222   both        local/outbound     no/yes
508     SSH Client Ack in port 2222  permit  tcp/ack   =2222   any     both        local/inbound      no/yes
510     HttpsToP56                   permit  tcp       >1023   =443    secure      local/outbound     no/yes
511     HttpsToP56Ack                permit  tcp/ack   =443    >1023   secure      local/inbound      no/yes
512     FaxToP56                     permit  tcp       >1023   =7000   secure      local/outbound     no/yes
513     FaxFwToP56                   permit  tcp/ack   =7000   >1023   secure      local/inbound      no/yes
514     HttpFwToP56(80)              permit  tcp       >1023   =80     secure      local/outbound     no/yes
515     HttpFwToP56Ack(80)           permit  tcp/ack   =80     >1023   secure      local/inbound      no/yes
516     HttpFwToP56(8080)            permit  tcp       >1023   =8080   secure      local/outbound     no/yes
517     HttpFwToP56Ack(8080)         permit  tcp/ack   =8080   >1023   secure      local/inbound      no/yes
520     ProxyNonSecrue               permit  tcp       any     =8080   non-secure  local/inbound      no/yes
521     ProxyNonSecureAck            permit  tcp/ack   =8080   any     non-secure  local/outbound     no/yes
522     SSHNonSecure                 permit  tcp       any     =22     non-secure  local/inbound      no/yes
523     SSHNonSecureAck              permit  tcp/ack   =22     any     non-secure  local/outbound     no/yes
524     SSHNonSecure(2222)           permit  tcp       any     =2222   non-secure  local/inbound      no/yes
525     SSHNonSecureAck(2222)        permit  tcp/ack   =2222   any     non-secure  local/outbound     no/yes
526     AdsmAccess                   permit  tcp       any     =1500   secure      local/outbound     no/yes
527     ASDMAccessAck                permit  tcp/ack   =1500   any     secure      local/inbound      no/yes
528     AnyPing                      permit  icmp      =8      =0      both        local/both         no/yes
529     anyPing0                     permit  icmp      =0      =0      both        local/both         no/yes
530     NTPOk                        permit  udp       =123    =123    secure      local/both         no/yes
531     DenyTelnet                   deny    tcp       any     =21     non-secure  local/inbound      yes/yes
532     DenyFtp                      deny    tcp       any     =23     non-secure  local/inbound      yes/yes
533     DenySyslog                   deny    udp       any     =514    non-secure  local/inbound      yes/headers
534     AllPermitHighPort            permit  tcp       >1023   any     both        local/outbound     no/yes
535     AllPermitHighPortIn          permit  tcp       any     >1023   both        local/inbound      no/yes
536     BroadcastOkSec               permit  udp       any     any     secure      both/both          no/yes
539     AllOk                        permit  all       any     any     secure      local/both         no/yes
540     ICMP3Ok                      permit  icmp      =3      =3      secure      local/both         no/yes
541     BigUdpOk                     permit  udp       >33484  >33484  secure      local/both         no/yes

========================================================================================

Services:

Number  Name                Rule Objects;Direction               Description
------  ------------------  -----------------------------------  -----------------------------------------------------------
2       Socks 1/2           53;i 14;o                            Permit use of Socks from secure network to the firewall
19      Mail                67;i 28;o                            Permit Mail traffic through firewall
20      DNS queries         82;i 86;i 83;i                       Permit DNS queries
32      SNMP query          92;i 93;o                            Permit SNMP query from SNMP manager
37      All shutdown        102;i 102;o                          Deny all packets (shutdown or debug)
41      HTTP proxy out 1/2  107;i 108;o                          Permit HTTP (port 8080) from secure network to the firewall
43      SNMP traps          110;o                                Permit SNMP Trap service
501     SSH Server          503;i 504;o 501;i 502;o              Permit SSH connection from 56 to firewall
502     SSHClient           505;o 506;i 507;o 508;i              Permit SSH Client Connection
504     HttpsFwToP56        510;i 511;o                          Permit HTTPS (SSL) from Fw to secure network
505     FaxFwToP56          512;i 513;o                          Permit fax from Fw to secure network
506     HttpFwToP56         514;i 515;o 516;i 517;o              Permit HTTP from Fw to secure network
507     TcpToFwNonSecure    520;i 521;o 522;i 523;o 524;i 525;o  Permit Proxy/SSH from Internet to Fw
508     ADSMService         526;i 527;o                          ADSM Service
509     PingOk              528;i 529;i                          Permit ping in and out
510     NTPOk               530;i 530;o                          Permit NTP
511     DenyService         533;i 98;i 532;i 531;i               Deny some traffics to non-secure interface
512     HighTcpPermit       534;i 535;o                          Permit TCP to high port
513     SecureBroadcast     536;i                                Permit broadcast on secure side
515     CWUDPOk             539;i 539;o                          Permit CW All
516     TraceOk             540;i 541;i                          Permit traceroute

========================================================================================

Connections:

Number  Name         Source  Destination  Services             Description
                     Object  Object
------  -----------  ------  -----------  -------------------  ----------------------------
508     NoLoopBack   508     504          37                   Deny loopback
507     DenyService  503     504          511                  Deny certain services
501     PermitTCP    502     504          501,2,41,19,20       Permit from P56 to FW
509     AlmOk        509     504          501,502              Permit some service for Almaden
503     FWtoP56      503     502          505,504,506,510      From FW to Patent 56 net
511     CWAllOk      503     511          515                  Permit All of CW
506     ADSM         503     507          508                  Adsm sevice permit
505     Nv24ToFw     506     504          32,43                Netview 24 permit
504     NvToFW       505     504          32,43                Network Manager Permit
510     BroadcastOk  503     510          513                  Broadcast ok on secure interface
502     AnyToAny     503     504          502,507,509,516,512  from FW to Internet

========================================================================================

Change IBM Firewall Users

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
  User Full Name                                        []
* User Name                                             root
* Authority Level                                       Firewall Administrator  +
* Secure interface shell                                /bin/ksh                +
* Non-Secure interface shell                            /bin/ksh                +
  Change User Password                                  no                      +
* Local Login Authentication                            password                +
* Secure FTP Authentication                             deny                    +
* Non-Secure FTP Authentication                         deny                    +
* Secure Telnet Authentication                          password                +
* Non-Secure Telnet Authentication                      deny                    +
* Secure IP Authentication                              password                +
* Non-Secure IP Authentication                          password                +
* Secure Administration Authentication                  password                +
* Non-Secure Administration Authentication              deny                    +
  SecureNet key                                         []

  The following fields only apply to authentication by password
* Number of FAILED LOGINS before                        [0]                     #
    user account is locked
* Days to WARN USER before password expires             [0]                     #
* NUMBER OF PASSWORDS before reuse                      [4]                     #
* WEEKS before password reuse                           [52]                    #
* Weeks between password EXPIRATION and LOCKOUT         [-1]                    #
* Password MAX. AGE                                     [26]                    #
* Password MIN. LENGTH                                  [6]                     #
* Password MIN. ALPHA characters                        [4]                     #
* Password MIN. OTHER characters                        [1]                     #
* Password MAX. REPEATED characters                     [2]                     #
* Password MIN. DIFFERENT characters                    [3]                     #

========================================================================================

Socks Services:

Number  Name          Action  Destination Port  Description               Notes
------  ------------  ------  ----------------  ------------------------  -----
505     Deny          deny    None              Deny default socks rules  (1)
502     FTP           permit  =21               permit socksified ftp
504     GeneralSocks  permit  None              permit socksified TCP     (2)
501     HTTP          permit  =80               permit socksified http
503     telnet        permit  =23               permit socksified telnet

(1) Command to Execute : echo %u %A %Z %S >> /tmp/socks_deny
(2) Employ ident verification : ?=n
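A small audit pass over rows of the Rules table above, added here as an example and not part of the cfgfilt output or of any IBM Firewall tool. The eight rows are embedded as constructed input copied from the table; the severity scheme and the NAME_PORTS word-to-port dictionary are assumptions. It flags permit rules whose source and destination ports are both unrestricted (539 AllOk, 534/535 AllPermitHighPort, 536 BroadcastOkSec) and rules whose name does not match their destination port (531 DenyTelnet on 21, 532 DenyFtp on 23).

```python
# Audit rows of the cfgfilt Rules table above for broad permits and name/port
# mismatches. Added example; not part of the cfgfilt output or IBM Firewall tooling.
import re

# Constructed input: eight rows copied from the Rules table, one per line, as
# number|name|action|protocol|source port|dest port|adapter|routing/direction/log/frag
RULES = """\
102|All - deny any|deny|all|any|any|both|both/both/yes/yes
531|DenyTelnet|deny|tcp|any|=21|non-secure|local/inbound/yes/yes
532|DenyFtp|deny|tcp|any|=23|non-secure|local/inbound/yes/yes
534|AllPermitHighPort|permit|tcp|>1023|any|both|local/outbound/no/yes
535|AllPermitHighPortIn|permit|tcp|any|>1023|both|local/inbound/no/yes
536|BroadcastOkSec|permit|udp|any|any|secure|both/both/no/yes
539|AllOk|permit|all|any|any|secure|local/both/no/yes
540|ICMP3Ok|permit|icmp|=3|=3|secure|local/both/no/yes
"""

# Assumption: a rule whose name contains one of these words is meant for that service.
NAME_PORTS = {"telnet": 23, "ftp": 21, "syslog": 514}
FIELDS = ("num", "name", "action", "proto", "sport", "dport", "adapter", "flags")

def parse_rules(text):
    """One dict per row; the packed last field becomes routing/direction/log/frag."""
    rows = []
    for line in text.splitlines():
        r = dict(zip(FIELDS, line.split("|")))
        r["num"] = int(r["num"])
        r["routing"], r["direction"], r["log"], r["frag"] = r.pop("flags").split("/")
        rows.append(r)
    return rows

def unrestricted(port):
    """'any' or an open-ended range such as >1023 does not pin the port down."""
    return port == "any" or port.startswith(">")

def audit(rows):
    """Return (rule number, severity, reason) for each suspicious row, in table order."""
    findings = []
    for r in rows:
        if r["action"] == "permit" and unrestricted(r["sport"]) and unrestricted(r["dport"]):
            sev = "HIGH" if r["proto"] == "all" else "MEDIUM"   # 'all' + any/any is wide open
            findings.append((r["num"], sev, f"permit {r['proto']} {r['sport']}->{r['dport']} "
                                            f"on {r['adapter']} adapter"))
        m = re.fullmatch(r"=(\d+)", r["dport"])                  # only exact '=port' values
        for word, port in NAME_PORTS.items():
            if m and word in r["name"].lower() and int(m.group(1)) != port:
                findings.append((r["num"], "CHECK", f"name implies {word} (port {port}) "
                                                    f"but dest port is {m.group(1)}"))
    return findings
```

Running `audit(parse_rules(RULES))` on the full table would also list 541 BigUdpOk (both ports >33484), which is the expected traceroute pattern and a reminder that every MEDIUM finding needs a human decision.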