HP-UX Containers (SRP) A.03.01 Administrator's Guide

If the container address is an IPv6 address, the last rule is
pass out quick proto icmpv6 from container_address to any keep state
A rule that allows inbound ICMP packets from any address to the container IP address:
pass in quick proto icmp from any to container_address
If the container address is an IPv6 address, the rule is
pass in quick proto icmpv6 from any to container_address
A rule that blocks all inbound packets to the container IP address:
block in quick from any to container_address
Rule order and selection
By default, IPFilter selects a rule for a packet by reading the rules in a configuration file from top to
bottom and applying the last rule that matches the packet. The quick keyword changes this behavior: when
a packet matches a rule marked quick, IPFilter applies that rule immediately and stops evaluating the
remaining rules for that packet. Because the first quick match wins, quick rules are generally ordered from
most specific to least specific, so that a broad rule (such as a block-all rule) cannot shadow a narrower
exception placed after it.
The srp command specifies the quick keyword in the IPFilter rules it configures. It inserts these rules
at the top of the IPFilter configuration file in the order applied.
IPFilter rules for IPSec
If you specify that you want to add IPFilter rules for IPsec, the srp command also adds IPFilter rules
that allow IPsec Encapsulating Security Payload (ESP; protocol 50) and Authentication Header (AH;
protocol 51) packets and IPsec control packets (Internet Key Exchange, or IKE; UDP port 500) to pass.
These rules are inserted above the more general IPFilter rules for the container. For more information,
see 12 Networking with containers.
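The following is an added example, not code from the HP-UX Containers guide or from the srp command. It models the two IPFilter selection behaviors described above (last match wins, unless a matching rule carries quick) over a constructed ruleset laid out in the order srp is described as inserting it: the IPsec rules (ESP, AH, IKE on UDP 500) above the general container rules, with a site-wide "pass in from any to any" rule assumed to exist below them. The container address, the remote addresses, the exact ipf rule text and the parser's syntax subset are all assumptions made for the example; the model is stateless, so "keep state" is parsed but ignored.

```python
"""Simplified model of IPFilter rule selection.

Added example, not part of the HP-UX Containers guide. The rule syntax
subset, the addresses and the sample ruleset are constructed here.
"""
from dataclasses import dataclass, replace
from typing import Optional

CONTAINER = "192.0.2.10"   # constructed container IP address (documentation range)


@dataclass
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp", "icmp", "esp", "ah"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool
    proto: Optional[str]    # None matches any protocol
    src: str                # address or "any"
    dst: str
    dport: Optional[int]    # None matches any port
    text: str


def parse_rule(line: str) -> Rule:
    """Parse the ipf subset used here:
    action dir [quick] [proto P] from SRC to DST [port = N] [keep state]
    'keep state' is accepted, but this model is stateless."""
    tok = line.split()
    action, direction, i = tok[0], tok[1], 2
    quick = tok[i] == "quick"
    if quick:
        i += 1
    proto = None
    if tok[i] == "proto":
        proto, i = tok[i + 1], i + 2
    if tok[i] != "from" or tok[i + 2] != "to":
        raise ValueError(f"unsupported rule: {line}")
    src, dst, i = tok[i + 1], tok[i + 3], i + 4
    dport = None
    if i < len(tok) and tok[i] == "port":      # "port = N"
        dport, i = int(tok[i + 2]), i + 3
    return Rule(action, direction, quick, proto, src, dst, dport, line)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in (None, pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def decide(rules, pkt: Packet):
    """ipf selection: a matching 'quick' rule is applied at once;
    otherwise the last matching rule wins. With no matching rule at all,
    ipf passes the packet, which is why an explicit block rule is needed."""
    chosen = None
    for rule in rules:
        if matches(rule, pkt):
            if rule.quick:
                return rule.action, rule.text
            chosen = rule
    return (chosen.action, chosen.text) if chosen else ("pass", None)


# Constructed ruleset in the order the guide describes: srp's quick rules
# at the top, IPsec rules above the general container rules, and an
# assumed pre-existing site rule ("pass in from any to any") below them.
RULESET = [parse_rule(l) for l in f"""
pass in quick proto esp from any to {CONTAINER}
pass in quick proto ah from any to {CONTAINER}
pass in quick proto udp from any to {CONTAINER} port = 500
pass out quick proto icmp from {CONTAINER} to any keep state
pass in quick proto icmp from any to {CONTAINER}
block in quick from any to {CONTAINER}
pass in from any to any
""".strip().splitlines()]


def without_quick(rules):
    """The same rules with 'quick' removed, to show why srp relies on it."""
    return [replace(r, quick=False) for r in rules]


if __name__ == "__main__":
    ssh = Packet("in", "tcp", "198.51.100.7", CONTAINER, 22)
    for name, rs in (("with quick", RULESET), ("without quick", without_quick(RULESET))):
        print(name, decide(rs, ssh))
```

With quick in place, an inbound TCP connection to the container hits the block rule and stops there; strip quick from the same ruleset and the trailing site rule becomes the last match, so the same packet is passed. That is the shadowing the guide's ordering (IPsec rules, then ICMP exceptions, then block-all, all at the top of the file) is designed to prevent.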
C.8 The ipsec service
The ipsec service configures HP-UX IPSec to encrypt and authenticate IP packets between the
container IP address and a remote IP address.
C.8.1 Configuration location
The srp command adds IPSec configuration data using the ipsec_config utility. IPSec adds the
data to the IPSec database, /var/adm/ipsec/config.db. To view the contents of the IPSec
database, use the ipsec_config or the ipsec_report utility. To modify the contents of the IPSec
database, you must use the ipsec_config utility.
The srp command adds the following IPSec configuration data:
A host IPSec policy
The host policy specifies encryption and authentication using the specified transform between
the specified remote IP address and the local (container) IP address. The default HP-UX IPSec
values are used for all other parameters.
An Internet Key Exchange (IKE) policy