Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B 989
unable to reach the internet from this machine, you should answer "no."
If you have suggestions for improvements, new questions, code, and/or tests,
you can discuss these on the Bastille Linux discussion list. You can
subscribe at:
http://lists.sourceforge.net/mailman/listinfo/bastille-linux-discuss
You can also provide feedback concerning the HP-UX version of Bastille
directly to bastille-feedback@fc.hp.com. Please do send comments, even
if it's just to say you like the tool. We want to hear from you.
IPFilter Q: Should Bastille setup basic firewall rules with these properties? [N]
Firewalls generally make up the first line of defense in any
network security architecture. IPFilter is a free host-based firewall
which is available for HP-UX. It looks like you have IPFilter installed,
but that does not necessarily mean that it has been configured (Bastille
cannot detect whether or not the rule-set is appropriate for your unique needs).
Bastille can create a very basic firewall configuration.
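What such a basic configuration looks like in IPFilter rule syntax, as an illustrative rule-set added here (it is not the ipf.customrules file Bastille delivers, and the loopback interface name lo0 and the HP-UX rule-file path in the note are assumptions); it implements the properties (a) and (b) described below:

```ipf
# Constructed example rule-set: not Bastille's delivered ipf.customrules.
# IPFilter applies the LAST matching rule unless a rule says "quick", so every
# rule below is "quick": the first match decides and later rules are skipped.

# Local applications talk to themselves over loopback; never filter that.
pass in  quick on lo0 all
pass out quick on lo0 all

# (a) Drop and log any inbound packet carrying IP options (source routing etc.).
block in log quick all with ipopts

# Drop NetBIOS name service (137/udp), NetBIOS datagram (138/udp) and RPC
# portmap (111/tcp and udp) noise WITHOUT logging it, so a large network
# cannot fill the logs. These must sit before the logged default deny.
block in quick proto udp     from any to any port = 137
block in quick proto udp     from any to any port = 138
block in quick proto tcp/udp from any to any port = 111

# (b) Allow every outgoing connection and keep state, so only replies that
# belong to a connection this host started are allowed back in.
pass out quick proto tcp  from any to any flags S keep state
pass out quick proto udp  from any to any keep state
pass out quick proto icmp from any to any keep state

# Everything else inbound is dropped and logged (ports you don't use stay closed).
block in log all
```

Parse a rule file without loading it with `ipf -n -f /etc/opt/ipf/ipf.conf` (path assumed) before applying it, and confirm a second remote login still works before you log out of the first one.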
WARNING: Firewalls are designed to keep people out of your machine.
Therefore, this section has the ability to keep you out too. Please
be very careful when answering these questions and verify that you
can still log in to your machine remotely (and have physical access
just in case) before logging out.
WARNING: IPFilter is only able to block traffic which is processed by
the kernel. Network cards exist which take the processing of this traffic
out of the kernel for performance reasons. This is referred to as TOE, or
TCP offload engine. If you are using such a card (they are used for iSCSI
and 10Gb Ethernet), configuring an IPFilter-based firewall will have no
effect on traffic processed by that card.
WARNING: This will OVERWRITE any existing firewall rules. If you already
have sufficiently secure firewall rules in place, then you should say "No"
to this question. Answering "Yes" to this question will create and apply
firewall rules that will:
(a) Block incoming traffic with ip options set. These options are used
frequently by attackers and infrequently for any other purpose.
(b) Apply a custom rule-set from /etc/opt/sec_mgmt/bastille/ipf.customrules.
This file, as delivered with Bastille, will allow all outgoing connections
and keep track of them so that traffic which corresponds to those connections
will be allowed back in. This basic configuration will allow most local
applications to operate properly without allowing attackers in through
ports you don't use. The delivered custom rule-set also contains rules that
suppress logging of NetBIOS nameserver, NetBIOS datagram, and RPC portmap traffic,
all of which can fill up your logs rather quickly on a large network. Later,