HP-UX 11i Version 2 June 2007 Release Notes
Security
HP-UX IPFilter
Chapter 8
• Filtering for IPv6 packets equivalent to IPv4 packet filtering while maintaining IPv4
support. IPFilter can filter packets based on the following IPv6 packet
characteristics:
— IPv6 addresses, address-ranges, and prefixes
— Ports and port ranges
— IPv6 physical interfaces
— Upper-layer protocols (TCP/UDP/ICMP)
— Any combination of these characteristics
• Stateful filtering for TCP (limited stateful filtering for UDP and ICMPv6)
• IPv6 fragmentation support (the ability to block fragmented traffic)
• Filtering on IPv6 extension headers
• Filtering for tunneled packets (v6-in-v4 and v6-in-v6 traffic)
• Detection of IPSec headers (Authentication Header and Encapsulating Security
Payload); a packet carrying them is passed if it matches a pass rule or blocked if it
matches a block rule
• IPv6 filter statistics
• The ability to recognize and filter ICMPv6 messages by type and code values
Defect fixes are also incorporated. For more information, see the HP-UX IPFilter
A.03.05.14 Release Notes and the HP-UX IPFilter A.03.05.14 Administrator’s Guide,
available at http://docs.hp.com/en/internet.html#HP-UX%20IPFilter.
Impact
There is no impact. If you do not want to use the new features, you do not have to make
any changes.
Compatibility
Existing configuration files and user scripts are fully compatible with A.03.05.14.
Filtering for IPv6 packets is done using a separate configuration file and new command
options.
Performance
The impact on system performance is the same as it is for previous versions of HP-UX
IPFilter.
Documentation
• Manpages:
ipf (4) packet filtering kernel interface
ipf (5) IP packet filter rule syntax
ipf (8) alters packet filtering kernel’s internal lists
ipl (4) data structure for IP packet log device