HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3
Table Of Contents
- HP-UX IPFilter Version A.03.05.13 Administrator's Guide
- Legal Notices
- Table of Contents
- Preface: About This Document
- 1 Installing and Configuring HP-UX IPFilter
- Overview of HP-UX IPFilter Installation
- Step 1: Checking HP-UX IPFilter Installation Prerequisites
- Step 2: Loading HP-UX IPFilter Software
- Step 3: Determining the Rules for IPFilter
- Step 4: Adding Rules to the Rules Files
- Step 5: Loading IPFilter and NAT Rules
- Step 6: Verifying the Installation and Configuration
- Kernel Tunable Parameters
- Supported and Unsupported Interfaces
- Troubleshooting HP-UX IPFilter
- 2 HP-UX IPFilter on HP-UX 11i Version 3
- 3 Rules and Keywords
- IPFilter Configuration Files
- Basic Rules Processing
- IPFilter Keywords
- pass and block: Controlling IP Traffic
- in and out: Bidirectional Filtering
- quick: Optimizing IPFilter Rules Processing
- on: Filtering by Network Interfaces
- from and to: Filtering by IP Addresses and Subnets
- log: Tracking Packets on a System
- proto: Controlling Specific Protocols
- opt and ipopts: Filtering on IP Options
- icmp-type: Filtering ICMP Traffic by Type
- port: Filtering on TCP and UDP Ports
- keep state: Protecting TCP, UDP, and ICMP Sessions
- flags: Tight Filtering Based on TCP Header Flags
- keep frags: Letting Fragmented Packets Pass
- with frags: Dropping Fragmented Packets
- with short: Dropping Short Fragments
- return-rst: Responding to Blocked TCP Packets
- return-icmp: Responding to Blocked ICMP Packets
- dup-to: Drop-Safe Logging
- NAT Keywords
- 4 Dynamic Connection Allocation
- 5 Firewall Building Concepts
- Blocking Services by Port Number
- Using Keep State
- Using Keep State with UDP
- Using Keep State with ICMP
- Logging Techniques
- Improving Performance with Rule Groups
- Localhost Filtering
- Using the to
- Creating a Complete Filter by Interface
- Combining IP Address and Network Interface Filtering
- Using Bidirectional Filtering Capabilities
- Using port and proto to Create a Secure Filter
- 6 HP-UX IPFilter Utilities
- 7 HP-UX IPFilter and FTP
- 8 HP-UX IPFilter and RPC
- 9 HP-UX IPFilter and IPSec
- 10 HP-UX IPFilter and Serviceguard
- A HP-UX IPFilter Configuration Examples
- B HP-UX IPFilter Static Linking
- C Performance Guidelines
- Index
HP-UX IPFilter on HP-UX 11i Version 3
HP-UX IPFilter Options
Chapter 2 27
HP-UX IPFilter Options
On HP-UX 11i v3, HP-UX IPFilter will be installed and disabled by
default. This is different from HP-UX IPFilter on HP-UX 11i v1 (where
HP-UX IPFilter is not installed by default but, if installed, it is
automatically enabled) and HP-UX 11i v2 (where HP-UX IPFilter is
installed and enabled by default). Enabling, disabling, installing, and
removing HP-UX IPFilter will not require a system reboot.
NOTE HP-UX IPFilter is not enabled by default and, therefore, is not providing
filtering security. However, if Bastille/ITS is used (with the
“Sec20MngDMZ” or “Sec30DMZ” install time security levels), then
HP-UX IPFilter will be automatically enabled.
An executable is available that allows you to enable, disable, and query
HP-UX IPFilter. The command is:
/opt/ipf/bin/ipfilter
<-options>
The available options are:
-e
Enables the HP-UX IPFilter module.
-d
Disables the HP-UX IPFilter module.
-q
Queries the HP-UX IPFilter module and displays whether it is enabled
or disabled.
Enable or Disable HP-UX IPFilter
To enable HP-UX IPFilter, enter the following command:
/opt/ipf/bin/ipfilter -e