AIX操作系统支持静态的IP包过滤功能，您可以利用这一功能来保护连接在网络上的服务器。在使用这一功能之前，您需要安装以下软件包： bos.net.ipsec.keymgt bos.net.ipsec.rte 然后您就可以进行包过滤的配置了。 首先运行smitty ipsec4, 选择Advanced IP Security Configuration->Configure IP Security Filter Rules->Add an IP Security Filter Rule，然后在其中填写过滤的细节。具体介绍如下： Rule Action 操作： deny 拒绝 permit 允许 IP Source Address 源地址。可以是 IP 地址或主机名。 IP Source Mask 比较位掩码。设置为“1”的位表示源地址中对应的位将被比较。 IP Destination Address 目标地址。可以是 IP 地址或主机名。 IP Destination Mask 目标比较位掩码。设置为“1”的位表示目标地址中对应的位将被比较。 Apply to Source Routing? (PERMIT/inbound only) 源路由控制：yes 或 no。决定是（yes）否（no）允许Source Routing包。 Protocol 协议。值可以是 udp、icmp、tcp、tcp/ack、ospf、pip、esp、ah 和 all。 Source Port / ICMP Type Operation 源端口或 ICMP 类型操作。可以是等于（eq）、大于（gt）、小于（lt）、不等于（neq）、小于等于（le）、大于等于（ge）、任何（any）。 Source Port Number / ICMP Type 源端口或 ICMP 类型值。 ICMP 类型值列出如下： 0 = Echo Reply 3 = Destination Unreachable 4 = Source Quench 5 = Redirect 8 = Echo Request 11 = Time Exceeded 12 = Parameter Problem 13 = Timestamp Request 14 = Timestamp Reply 15 = Information Request 16 = Information Reply A1 = Address Format Request A2 = Address Format Reply Destination Port / ICMP Code Operation 目标端口或 ICMP 代码操作。可以是等于（eq）、大于（gt）、小于（lt）、不等于（neq）、小于等于（le）、大于等于（ge）、任何（any）。 Destination Port Number / ICMP Type 目标端口或 ICMP 代码值。ICMP类型对应的代码值列出如下： TYPE = 0 - Echo Reply sent by: 0 = (no special meaning) host, router TYPE = 3 - Destination Unreachable sent by: 0 = network unreachable router 1 = host unreachable router 2 = protocol unreachable host 3 = port unreachable host 4 = fragmentation needed but impossible router because of 'don't fragment' command 5 = source route not reachable router TYPE = 4 - Source Quench sent by: 0 = datagram could not be received host, router or routed TYPE = 5 - Redirect sent by: redirection of all datagrams ... 0 = ...to a specific IP network router 1 = ...to a specific IP host router 2 = ...of a spedific type of service and network router 3 = ...of a specific type of service and host router TYPE = 8 - Echo Request sent by: 0 = (no special meaning) host, router TYPE = 11 - Time Exceeded sent by: 0 = TTL set to 0 router 1 = reassembly timer exceeded host TYPE = 12 - Parameter Problem sent by: 0 = the ICMP header's pointer identifies host, router a faulty octett within the datagram TYPE = 13/14 - Timestamp Request/Reply sent by: 0 = (no special meaning) host, router TYPE = 15/16 - Information Request/Reply sent by: 0 = (no special meaning) host, router TYPE = A1 - Address Format Request sent by: 0 = (no special meaning) host, router TYPE = A2 - Address Format Reply sent by: n = [number of bits in a subnet mask] host, router Routing 路由： route 转发的信息包 local 本地目标／源信息包 both 二者 Direction 方向。 inbond 传入的信息包 outbound 传出的信息包 both 二者 Log Control 日志控制。 yes 包含在日志中 no 不包含在日志中。 Fragmentation Control 分段控制。 all packets 应用到分段头部分、分段部分和非分段部分 fragments and fragment headers only 只应用于分段部分和分段头部分 unfragmented packets only 只应用于非分段部分 fragment headers and unfragmented packets only 只应用于非分段部分和分段头部分 Tunnel ID 报文封装标识。 Interface 接口，如 tr0 或 en0。 配置完成后选择Move IP Security Filter Rules调整适合的过滤器顺序，然后选择 Start/Stop IP Security启动过滤器。 使用lsfilt可以按顺序列出当前配置的过滤器。