HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3
Table Of Contents
- HP-UX IPFilter Version A.03.05.13 Administrator's Guide
- Legal Notices
- Table of Contents
- Preface: About This Document
- 1 Installing and Configuring HP-UX IPFilter
- Overview of HP-UX IPFilter Installation
- Step 1: Checking HP-UX IPFilter Installation Prerequisites
- Step 2: Loading HP-UX IPFilter Software
- Step 3: Determining the Rules for IPFilter
- Step 4: Adding Rules to the Rules Files
- Step 5: Loading IPFilter and NAT Rules
- Step 6: Verifying the Installation and Configuration
- Kernel Tunable Parameters
- Supported and Unsupported Interfaces
- Troubleshooting HP-UX IPFilter
- 2 HP-UX IPFilter on HP-UX 11i Version 3
- 3 Rules and Keywords
- IPFilter Configuration Files
- Basic Rules Processing
- IPFilter Keywords
- pass and block: Controlling IP Traffic
- in and out: Bidirectional Filtering
- quick: Optimizing IPFilter Rules Processing
- on: Filtering by Network Interfaces
- from and to: Filtering by IP Addresses and Subnets
- log: Tracking Packets on a System
- proto: Controlling Specific Protocols
- opt and ipopts: Filtering on IP Options
- icmp-type: Filtering ICMP Traffic by Type
- port: Filtering on TCP and UDP Ports
- keep state: Protecting TCP, UDP, and ICMP Sessions
- flags: Tight Filtering Based on TCP Header Flags
- keep frags: Letting Fragmented Packets Pass
- with frags: Dropping Fragmented Packets
- with short: Dropping Short Fragments
- return-rst: Responding to Blocked TCP Packets
- return-icmp: Responding to Blocked ICMP Packets
- dup-to: Drop-Safe Logging
- NAT Keywords
- 4 Dynamic Connection Allocation
- 5 Firewall Building Concepts
- Blocking Services by Port Number
- Using Keep State
- Using Keep State with UDP
- Using Keep State with ICMP
- Logging Techniques
- Improving Performance with Rule Groups
- Localhost Filtering
- Using the to
- Creating a Complete Filter by Interface
- Combining IP Address and Network Interface Filtering
- Using Bidirectional Filtering Capabilities
- Using port and proto to Create a Secure Filter
- 6 HP-UX IPFilter Utilities
- 7 HP-UX IPFilter and FTP
- 8 HP-UX IPFilter and RPC
- 9 HP-UX IPFilter and IPSec
- 10 HP-UX IPFilter and Serviceguard
- A HP-UX IPFilter Configuration Examples
- B HP-UX IPFilter Static Linking
- C Performance Guidelines
- Index
HP-UX IPFilter Configuration Examples
BASIC_1.FW
Appendix A148
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Allow outgoing DNS requests (no named on firewall)
#
pass in quick proto udp from any to any port = 53 keep state
group 202
#
# If you are running named on the firewall and all internal
# hosts talk to it,use the following:
#
pass in quick proto udp from any to w.x.y.z/32 port = 53 keep
state group 202
pass out quick on ppp0 proto udp from a.b.c.d/32 to any port =
53 keep state
#
# Allow outgoing FTP from any internal host to any external FTP
# server.
#
pass in quick proto tcp from any to any port = ftp keep state
group 201
pass in quick proto tcp from any to any port = ftp-data keep
state group 201
pass in quick proto tcp from any port = ftp-data to any port >
1023 keep state group 101
#
# Allow NTP from any internal host to any external NTP server.
#
pass in quick proto udp from any to any port = ntp keep state
group 202
#
# Allow outgoing connections: SSH, TELNET, WWW
#
pass in quick proto tcp from any to any port = 22 keep state
group 201
pass in quick proto tcp from any to any port = telnet keep
state group 201