HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide

SRP adds the following IPFilter rules for the compartment, where cmpt_address is the
compartment IP address:

• Rules that allow all TCP, UDP, and ICMP outbound packets from the compartment address.
  These rules specify the keep state keywords so that inbound replies to these packets are
  allowed:

      pass out quick proto tcp from cmpt_address to any keep state
      pass out quick proto udp from cmpt_address to any keep state
      pass out quick proto icmp from cmpt_address to any keep state

  If the compartment address is an IPv6 address, the last rule is:

      pass out quick proto icmpv6 from cmpt_address to any keep state

• A rule that allows inbound ICMP packets (of any ICMP type) from any address to the
  compartment IP address:

      pass in quick proto icmp from any to cmpt_address

  If the compartment address is an IPv6 address, the rule is:

      pass in quick proto icmpv6 from any to cmpt_address

• A rule that blocks all remaining inbound packets to the compartment IP address. Because the
  preceding rules use the quick keyword, this rule is reached only by inbound packets that
  none of them matched:

      block in quick from any to cmpt_address
Rule Order and Selection
By default, IPFilter selects a rule for a packet by reading the rules in a configuration file from
top to bottom and applying the last rule that matches the packet. The quick keyword changes this
behavior: if a rule with quick matches a packet, IPFilter applies that rule immediately and does
not evaluate any later rules for the packet. When using the quick keyword, rules are therefore
ordered from most specific to least specific, because the first matching rule wins.
SRP specifies the quick keyword in every IPFilter rule it configures, and inserts these rules at the
top of the IPFilter configuration file in the order shown. The order matters: the rule that passes
inbound ICMP takes effect only because it precedes the rule that blocks all inbound packets to the
compartment address.
IPFilter Rules for IPSec
If you specify that IPFilter rules for IPsec are to be added, SRP also adds IPFilter rules that allow
IPsec Encapsulating Security Payload (ESP; protocol 50) and Authentication Header (AH; protocol
51) packets and IPsec control packets (Internet Key Exchange, or IKE; UDP port 500) to pass.
These rules are inserted above the more general IPFilter rules for the compartment, so that they
are matched before the rule that blocks inbound packets to the compartment address. For more
information, see “Using IPSec with IPFilter” (page 45).
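The following example models how IPFilter selects a rule and builds the SRP rule set for a compartment address, so the effect of the quick keyword and of the rule order can be checked for a given packet. It is an added illustration, not code from this guide or from IPFilter: the names Packet, Rule, srp_rules, decide and without_quick are its own, the addresses are constructed from documentation ranges, 'keep state' is recorded but not enforced (so inbound replies to outbound traffic are not modelled), and the exact text of the IPsec rules is not shown on the page, so the peer-to-compartment form used for them is an assumption.

```python
"""Model of IPFilter rule selection applied to the SRP compartment rules.

Added example; not code from the HP-UX SRP guide or from IPFilter. It models
direction, protocol, address and port matching plus quick / last-match
selection. 'keep state' is recorded but not enforced.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp", "icmp", "icmpv6", "esp", "ah"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    proto: str              # protocol name, or "any" for an unqualified rule
    src: str                # address or "any"
    dst: str                # address or "any"
    quick: bool = False
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

    def text(self) -> str:
        """Render the rule in ipf.conf syntax."""
        parts = [self.action, self.direction]
        if self.quick:
            parts.append("quick")
        if self.proto != "any":
            parts += ["proto", self.proto]
        parts += ["from", self.src, "to", self.dst]
        if self.dport is not None:
            parts += ["port", "=", str(self.dport)]
        if self.keep_state:
            parts += ["keep", "state"]
        return " ".join(parts)


def srp_rules(cmpt_address: str, ipsec_peer: Optional[str] = None) -> list:
    """Build the rule set SRP adds for a compartment, in file order.

    The three outbound rules, the inbound ICMP rule and the final block rule
    follow the guide. IPsec rules (ESP, AH, IKE on UDP 500) go above them, as
    the guide says; their exact text is not on the page, so the
    peer-to-compartment form used here is an assumption.
    """
    icmp = "icmpv6" if ipaddress.ip_address(cmpt_address).version == 6 else "icmp"
    rules = []
    if ipsec_peer is not None:
        for proto, port in (("esp", None), ("ah", None), ("udp", 500)):
            rules.append(Rule("pass", "in", proto, ipsec_peer, cmpt_address, True, port))
            rules.append(Rule("pass", "out", proto, cmpt_address, ipsec_peer, True, port))
    for proto in ("tcp", "udp", icmp):
        rules.append(Rule("pass", "out", proto, cmpt_address, "any",
                          quick=True, keep_state=True))
    rules.append(Rule("pass", "in", icmp, "any", cmpt_address, quick=True))
    rules.append(Rule("block", "in", "any", "any", cmpt_address, quick=True))
    return rules


def decide(rules, pkt: Packet, default: str = "pass") -> str:
    """IPFilter selection: a matching quick rule is applied at once; otherwise
    the last matching rule wins. With no match, the filter's default policy
    applies (assumed to be pass here)."""
    chosen = None
    for rule in rules:
        if rule.matches(pkt):
            if rule.quick:
                return rule.action
            chosen = rule.action
    return chosen if chosen is not None else default


def without_quick(rules):
    """Same rules with quick removed, to show why SRP relies on it."""
    return [Rule(r.action, r.direction, r.proto, r.src, r.dst, False, r.dport, r.keep_state)
            for r in rules]


if __name__ == "__main__":
    # Print the generated rule set for a compartment with an IPsec peer (constructed addresses).
    for r in srp_rules("192.0.2.10", ipsec_peer="198.51.100.1"):
        print(r.text())
```

Running decide() on the same inbound ICMP packet against srp_rules() and against without_quick() of the same list shows the point of the quick keyword: with quick, the pass in icmp rule wins because it comes first; without it, the later block rule is the last match and the packet is dropped.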
The ipsec Service
The ipsec service configures HP-UX IPSec to encrypt and authenticate IP packets between the
compartment IP address and a remote IP address.
Input Data

SRP prompts for the following data. You can also specify a variable name and value on the
command line, as described in “Creating an SRP Compartment or Adding Data to a Compartment”
(page 67).

IPsec peer IP address
    The destination (remote) IP address for the IPSec and IKE policies.
    Variable Name: ipsec_peer_addr
    Valid Input: An IPv4 address in dotted-decimal notation or an IPv6 address in
    colon-hexadecimal notation.
    Default: None.

IPSec transform
    The transform for the IPSec host policy. This must be compatible with the transform
    configured on the peer system.
    Variable Name: ipsec_transform
Creating a Base SRP Compartment 43