HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3
Table Of Contents
- HP-UX IPFilter Version A.03.05.13 Administrator's Guide
- Legal Notices
- Table of Contents
- Preface: About This Document
- 1 Installing and Configuring HP-UX IPFilter
- Overview of HP-UX IPFilter Installation
- Step 1: Checking HP-UX IPFilter Installation Prerequisites
- Step 2: Loading HP-UX IPFilter Software
- Step 3: Determining the Rules for IPFilter
- Step 4: Adding Rules to the Rules Files
- Step 5: Loading IPFilter and NAT Rules
- Step 6: Verifying the Installation and Configuration
- Kernel Tunable Parameters
- Supported and Unsupported Interfaces
- Troubleshooting HP-UX IPFilter
- 2 HP-UX IPFilter on HP-UX 11i Version 3
- 3 Rules and Keywords
- IPFilter Configuration Files
- Basic Rules Processing
- IPFilter Keywords
- pass and block: Controlling IP Traffic
- in and out: Bidirectional Filtering
- quick: Optimizing IPFilter Rules Processing
- on: Filtering by Network Interfaces
- from and to: Filtering by IP Addresses and Subnets
- log: Tracking Packets on a System
- proto: Controlling Specific Protocols
- opt and ipopts: Filtering on IP Options
- icmp-type: Filtering ICMP Traffic by Type
- port: Filtering on TCP and UDP Ports
- keep state: Protecting TCP, UDP, and ICMP Sessions
- flags: Tight Filtering Based on TCP Header Flags
- keep frags: Letting Fragmented Packets Pass
- with frags: Dropping Fragmented Packets
- with short: Dropping Short Fragments
- return-rst: Responding to Blocked TCP Packets
- return-icmp: Responding to Blocked ICMP Packets
- dup-to: Drop-Safe Logging
- NAT Keywords
- 4 Dynamic Connection Allocation
- 5 Firewall Building Concepts
- Blocking Services by Port Number
- Using Keep State
- Using Keep State with UDP
- Using Keep State with ICMP
- Logging Techniques
- Improving Performance with Rule Groups
- Localhost Filtering
- Using the to
- Creating a Complete Filter by Interface
- Combining IP Address and Network Interface Filtering
- Using Bidirectional Filtering Capabilities
- Using port and proto to Create a Secure Filter
- 6 HP-UX IPFilter Utilities
- 7 HP-UX IPFilter and FTP
- 8 HP-UX IPFilter and RPC
- 9 HP-UX IPFilter and IPSec
- 10 HP-UX IPFilter and Serviceguard
- A HP-UX IPFilter Configuration Examples
- B HP-UX IPFilter Static Linking
- C Performance Guidelines
- Index
Performance Guidelines
Rule Configuration
Appendix C184
Rule Configuration
To configure IPFilter rules for optimal system performance:
• Avoid using return-rst whenever possible.
From both security and performance perspectives, it is better for
IPFilter to block packets anonymous rather than returning a reset
packet with a known address.
• Avoid logging whenever possible.
Excessive logging can impact both storage and CPU performance on
the system. Determine the appropriate logging level for your
environment.
•Use the quick keyword whenever possible.
The quick keyword stops the rule search for a packet a rule matches.
Otherwise, IPFilter searches the entire ruleset, which can impact
performance if there are a large number of rules.
•Use keep state or keep limit rules whenever possible.
Each connection that matches the keep state or keep limit rule
searches through the rule set only once. The following packets for
that connection will match the existing state entry and not search
the rest of the ruleset.
•Use group rules whenever possible.
For more information, see “Improving Performance with Rule
Groups” on page 80.
In the following example, a connection from 15.13.104.72 must
search 102 rules before finding a match.
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep
limit 1
pass in quick proto tcp from 15.13.2.2 to any port = 23 keep
limit 2
.
(15.13.2.3 to 15.13.2.99)
.
pass in quick proto tcp from 15.13.2.100 to any port = 23
keep limit 100
pass in quick proto tcp from 15.13.103.0/24 to any port = 23