How can we display the filter rules that are configured as default filter rules from the IPSECRULE or IPSEC6RULE statement on the TCPIP profile?

If Policy Agent is not active when an IPSECURITY-enabled stack initializes, the stack cannot be provided with IP filter rules from that policy. Therefore, in the interest of network security, the stack provides a default IP filter policy when an IP filter policy is unavailable from Policy Agent. The default IP filter policy effectively denies all network traffic, with the exception of some select ICMP and ICMPv6 messages that are necessary for internal stack function. These deny rules are not explicitly coded, but rather are always implicitly added at any time that the default IP filter policy is in effect. The default IP filter policy can be in effect at times other than stack initialization. Default IP filter policy is in effect in all of the following cases:

• An IPSECURITY-enabled TCP/IP stack has been started but Policy Agent has not been started, or an IPSECURITY-enabled TCP/IP stack has been started but Policy Agent has not completely initialized.

• An IPSECURITY-enabled TCP/IP stack and Policy Agent have been started, but no IP security configuration file exists.

• An IPSECURITY-enabled TCP/IP stack and Policy Agent have been started, but the IP security configuration file contains errors.

• An IPSECURITY-enabled TCP/IP stack and Policy Agent have been started, but no IpFilterPolicy statement exists in either IP security configuration file.

• An IPSECURITY-enabled TCP/IP stack and Policy Agent have been started, and IP filter policy has been provided to the stack, but the stack is using the default IP filter policy because the ipsec -f default command was issued.

This default behavior ensures that network security is not compromised in the event that IP filter policy is not installed, and is consistent with a secure default-deny policy.

You can modify the default IP filter policy by coding an IPSECRULE statement (for IPv4) or IPSEC6RULE statement (for IPv6) in the TCP/IP profile.

Neither the default IP filter policy nor a modified default IP filter policy provides authentication and encryption capabilities such as those provided by a complete IP security policy; it only offers the stack the ability to perform simple IP filtering in the absence of an IP security policy.

To display the filter rules that are configured as default filter rules from the IPSECRULE or IPSEC6RULE statement on the TCPIP profile (i.e. the profile IP filter rules}, issue the following command:

 ipsec -f  display -c profile

Any IPSECRULE and IPSEC6RULE entries that are coded are given a system-generated name for purposes of display. These rules are prefixed with the string SYSDEFAULTRULE.