HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3
Table Of Contents
- HP-UX IPFilter Version A.03.05.13 Administrator's Guide
- Legal Notices
- Table of Contents
- Preface: About This Document
- 1 Installing and Configuring HP-UX IPFilter
- Overview of HP-UX IPFilter Installation
- Step 1: Checking HP-UX IPFilter Installation Prerequisites
- Step 2: Loading HP-UX IPFilter Software
- Step 3: Determining the Rules for IPFilter
- Step 4: Adding Rules to the Rules Files
- Step 5: Loading IPFilter and NAT Rules
- Step 6: Verifying the Installation and Configuration
- Kernel Tunable Parameters
- Supported and Unsupported Interfaces
- Troubleshooting HP-UX IPFilter
- 2 HP-UX IPFilter on HP-UX 11i Version 3
- 3 Rules and Keywords
- IPFilter Configuration Files
- Basic Rules Processing
- IPFilter Keywords
- pass and block: Controlling IP Traffic
- in and out: Bidirectional Filtering
- quick: Optimizing IPFilter Rules Processing
- on: Filtering by Network Interfaces
- from and to: Filtering by IP Addresses and Subnets
- log: Tracking Packets on a System
- proto: Controlling Specific Protocols
- opt and ipopts: Filtering on IP Options
- icmp-type: Filtering ICMP Traffic by Type
- port: Filtering on TCP and UDP Ports
- keep state: Protecting TCP, UDP, and ICMP Sessions
- flags: Tight Filtering Based on TCP Header Flags
- keep frags: Letting Fragmented Packets Pass
- with frags: Dropping Fragmented Packets
- with short: Dropping Short Fragments
- return-rst: Responding to Blocked TCP Packets
- return-icmp: Responding to Blocked ICMP Packets
- dup-to: Drop-Safe Logging
- NAT Keywords
- 4 Dynamic Connection Allocation
- 5 Firewall Building Concepts
- Blocking Services by Port Number
- Using Keep State
- Using Keep State with UDP
- Using Keep State with ICMP
- Logging Techniques
- Improving Performance with Rule Groups
- Localhost Filtering
- Using the to
- Creating a Complete Filter by Interface
- Combining IP Address and Network Interface Filtering
- Using Bidirectional Filtering Capabilities
- Using port and proto to Create a Secure Filter
- 6 HP-UX IPFilter Utilities
- 7 HP-UX IPFilter and FTP
- 8 HP-UX IPFilter and RPC
- 9 HP-UX IPFilter and IPSec
- 10 HP-UX IPFilter and Serviceguard
- A HP-UX IPFilter Configuration Examples
- B HP-UX IPFilter Static Linking
- C Performance Guidelines
- Index
Contents
iv
IPFilter Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
pass and block: Controlling IP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
in and out: Bidirectional Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
quick: Optimizing IPFilter Rules Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
on: Filtering by Network Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
from and to: Filtering by IP Addresses and Subnets . . . . . . . . . . . . . . . . . . . . . . . . . 38
log: Tracking Packets on a System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
proto: Controlling Specific Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
opt and ipopts: Filtering on IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
icmp-type: Filtering ICMP Traffic by Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
port: Filtering on TCP and UDP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
keep state: Protecting TCP, UDP, and ICMP Sessions . . . . . . . . . . . . . . . . . . . . . . . . 44
flags: Tight Filtering Based on TCP Header Flags. . . . . . . . . . . . . . . . . . . . . . . . . . . 45
keep frags: Letting Fragmented Packets Pass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
with frags: Dropping Fragmented Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
with short: Dropping Short Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
return-rst: Responding to Blocked TCP Packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
return-icmp: Responding to Blocked ICMP Packets. . . . . . . . . . . . . . . . . . . . . . . . . . 47
dup-to: Drop-Safe Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
NAT Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
map and portmap: Basic NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
bimap: Bidirectional Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
rdr: Redirecting Packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
map-block: Mapping to a Block of Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4. Dynamic Connection Allocation
DCA with HP-UX IPFilter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Overview: DCA Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Using DCA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
DCA Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
keep limit: Limiting Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
log limit: Logging Exceeded Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
log limit freq: Log Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
DCA Rule Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
DCA Rule Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
keep limit Rules and Rule Hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64