HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3
Table Of Contents
- HP-UX IPFilter Version A.03.05.13 Administrator's Guide
- Legal Notices
- Table of Contents
- Preface: About This Document
- 1 Installing and Configuring HP-UX IPFilter
- Overview of HP-UX IPFilter Installation
- Step 1: Checking HP-UX IPFilter Installation Prerequisites
- Step 2: Loading HP-UX IPFilter Software
- Step 3: Determining the Rules for IPFilter
- Step 4: Adding Rules to the Rules Files
- Step 5: Loading IPFilter and NAT Rules
- Step 6: Verifying the Installation and Configuration
- Kernel Tunable Parameters
- Supported and Unsupported Interfaces
- Troubleshooting HP-UX IPFilter
- 2 HP-UX IPFilter on HP-UX 11i Version 3
- 3 Rules and Keywords
- IPFilter Configuration Files
- Basic Rules Processing
- IPFilter Keywords
- pass and block: Controlling IP Traffic
- in and out: Bidirectional Filtering
- quick: Optimizing IPFilter Rules Processing
- on: Filtering by Network Interfaces
- from and to: Filtering by IP Addresses and Subnets
- log: Tracking Packets on a System
- proto: Controlling Specific Protocols
- opt and ipopts: Filtering on IP Options
- icmp-type: Filtering ICMP Traffic by Type
- port: Filtering on TCP and UDP Ports
- keep state: Protecting TCP, UDP, and ICMP Sessions
- flags: Tight Filtering Based on TCP Header Flags
- keep frags: Letting Fragmented Packets Pass
- with frags: Dropping Fragmented Packets
- with short: Dropping Short Fragments
- return-rst: Responding to Blocked TCP Packets
- return-icmp: Responding to Blocked ICMP Packets
- dup-to: Drop-Safe Logging
- NAT Keywords
- 4 Dynamic Connection Allocation
- 5 Firewall Building Concepts
- Blocking Services by Port Number
- Using Keep State
- Using Keep State with UDP
- Using Keep State with ICMP
- Logging Techniques
- Improving Performance with Rule Groups
- Localhost Filtering
- Using the to
- Creating a Complete Filter by Interface
- Combining IP Address and Network Interface Filtering
- Using Bidirectional Filtering Capabilities
- Using port and proto to Create a Secure Filter
- 6 HP-UX IPFilter Utilities
- 7 HP-UX IPFilter and FTP
- 8 HP-UX IPFilter and RPC
- 9 HP-UX IPFilter and IPSec
- 10 HP-UX IPFilter and Serviceguard
- A HP-UX IPFilter Configuration Examples
- B HP-UX IPFilter Static Linking
- C Performance Guidelines
- Index
Installing and Configuring HP-UX IPFilter
Kernel Tunable Parameters
Chapter 1 15
The default timeout value is 86,400 seconds. The minimum value that
can be set for fr_tcpidletimeout is 300 seconds.
For information on changing the fr_tcpidletimeout variable, see
“Configuring Kernel Tunable Parameters” on page 17.
fr_statemax
The purpose of the fr_statemax variable is to restrict how many entries
can be created. Configure the values of this variable appropriately for
your environment.
The following table displays the default, minimum and maximum values
for fr_statemax. HP recommends not setting the value for each tunable
below the stated minimum value or above the stated maximum value.
For information on changing the fr_statemax variable using kctune,
see “Configuring Kernel Tunable Parameters” on page 17.
Memory is allocated for state and limit entries in chunks. For state
entries, memory is allocated by increments of 1,300 entries. The
approximate size of the state is 384 bytes. HP-UX IPFilter keeps the
allocated memory for state entries in its private free pool.
IMPORTANT The state values should not be set too high because the memory
allocations are not released back to the kernel memory pool for general
use.
Tunable Name
Default
Value
Minimum
Value
Maximum
Value
fr_tcpidletimeout 86,400
seconds
240 seconds 86,400
seconds
Tunable
Name
Default Value
Minimum
Value
Maximum Value
fr_statemax 800,000 entries 4,000 entries 1,600,000 entries