HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3
Table Of Contents
- HP-UX IPFilter Version A.03.05.13 Administrator's Guide
- Legal Notices
- Table of Contents
- Preface: About This Document
- 1 Installing and Configuring HP-UX IPFilter
- Overview of HP-UX IPFilter Installation
- Step 1: Checking HP-UX IPFilter Installation Prerequisites
- Step 2: Loading HP-UX IPFilter Software
- Step 3: Determining the Rules for IPFilter
- Step 4: Adding Rules to the Rules Files
- Step 5: Loading IPFilter and NAT Rules
- Step 6: Verifying the Installation and Configuration
- Kernel Tunable Parameters
- Supported and Unsupported Interfaces
- Troubleshooting HP-UX IPFilter
- 2 HP-UX IPFilter on HP-UX 11i Version 3
- 3 Rules and Keywords
- IPFilter Configuration Files
- Basic Rules Processing
- IPFilter Keywords
- pass and block: Controlling IP Traffic
- in and out: Bidirectional Filtering
- quick: Optimizing IPFilter Rules Processing
- on: Filtering by Network Interfaces
- from and to: Filtering by IP Addresses and Subnets
- log: Tracking Packets on a System
- proto: Controlling Specific Protocols
- opt and ipopts: Filtering on IP Options
- icmp-type: Filtering ICMP Traffic by Type
- port: Filtering on TCP and UDP Ports
- keep state: Protecting TCP, UDP, and ICMP Sessions
- flags: Tight Filtering Based on TCP Header Flags
- keep frags: Letting Fragmented Packets Pass
- with frags: Dropping Fragmented Packets
- with short: Dropping Short Fragments
- return-rst: Responding to Blocked TCP Packets
- return-icmp: Responding to Blocked ICMP Packets
- dup-to: Drop-Safe Logging
- NAT Keywords
- 4 Dynamic Connection Allocation
- 5 Firewall Building Concepts
- Blocking Services by Port Number
- Using Keep State
- Using Keep State with UDP
- Using Keep State with ICMP
- Logging Techniques
- Improving Performance with Rule Groups
- Localhost Filtering
- Using the to
- Creating a Complete Filter by Interface
- Combining IP Address and Network Interface Filtering
- Using Bidirectional Filtering Capabilities
- Using port and proto to Create a Secure Filter
- 6 HP-UX IPFilter Utilities
- 7 HP-UX IPFilter and FTP
- 8 HP-UX IPFilter and RPC
- 9 HP-UX IPFilter and IPSec
- 10 HP-UX IPFilter and Serviceguard
- A HP-UX IPFilter Configuration Examples
- B HP-UX IPFilter Static Linking
- C Performance Guidelines
- Index
193
IPSec
allowing protocol 50 and 51 traffic through
,
132
allowing traffic through the firewall, 131
bidirectional with IPFilter, 130
debugging blocked traffic with, 131
gateway, 134
UDP negotiation, 129
IPSec and IPFilter, 127
K
kadmin -s
, 13
kcmodule
static linking
, 177
kctune, 17
keep frags keyword, 46
keep limit
keyword, 57
keep limit rules
adding, 67
adding a subnet or IP address range rule, 68
adding individual rule, 67
changing current rule, 66
extracting, 68
integrating, 68
rule hits, 64
updating, 66
updating a subnet or IP address range, 67
keep state
ICMP, 77
keyword, 44, 74
state table dump, 96
when to use, 74
keeping state
UDP, 76
with servers and flags, 74
kernel tunables
configuring
, 17
fr_statemax, 15
fr_tcpidletimeout, 14
ipl_buffer_sz, 16
ipl_logall, 17
ipl_suppress, 17
keywords
bimap, 50
block, 36
dup-to, 48
flags, 45
from, 38
icmp-type, 41
in, 36
ipopts, 40
keep frags, 46
keep limit, 57
keep state, 44
log, 39, 78
log limit, 59
log limit freq, 61
map, 49
map-block, 51
on, 37
opt, 40
out, 36
pass, 36
port, 43
portmap, 49
proto, 40
quick, 37
rdr, 50
return-icmp, 47
return-rst, 47
to, 38, 83
with frags, 46
with short, 46
L
limiting connections
by IP address
, 57
by subnet, 57, 58
cumulative, 58
default individual limit, 59
loading software, 5
localhost filtering, 82
log keyword, 39, 78
body option, 79
first option, 79
log limit freq keyword, 61
log limit keyword, 59
logging, 22
drop-safe, 83
packets, 39
problems, 23
logging exceeded connections, 59
logging techniques, 78
M
map keyword
, 49
map-block keyword, 51