HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3
Table Of Contents
- HP-UX IPFilter Version A.03.05.13 Administrator's Guide
- Legal Notices
- Table of Contents
- Preface: About This Document
- 1 Installing and Configuring HP-UX IPFilter
- Overview of HP-UX IPFilter Installation
- Step 1: Checking HP-UX IPFilter Installation Prerequisites
- Step 2: Loading HP-UX IPFilter Software
- Step 3: Determining the Rules for IPFilter
- Step 4: Adding Rules to the Rules Files
- Step 5: Loading IPFilter and NAT Rules
- Step 6: Verifying the Installation and Configuration
- Kernel Tunable Parameters
- Supported and Unsupported Interfaces
- Troubleshooting HP-UX IPFilter
- 2 HP-UX IPFilter on HP-UX 11i Version 3
- 3 Rules and Keywords
- IPFilter Configuration Files
- Basic Rules Processing
- IPFilter Keywords
- pass and block: Controlling IP Traffic
- in and out: Bidirectional Filtering
- quick: Optimizing IPFilter Rules Processing
- on: Filtering by Network Interfaces
- from and to: Filtering by IP Addresses and Subnets
- log: Tracking Packets on a System
- proto: Controlling Specific Protocols
- opt and ipopts: Filtering on IP Options
- icmp-type: Filtering ICMP Traffic by Type
- port: Filtering on TCP and UDP Ports
- keep state: Protecting TCP, UDP, and ICMP Sessions
- flags: Tight Filtering Based on TCP Header Flags
- keep frags: Letting Fragmented Packets Pass
- with frags: Dropping Fragmented Packets
- with short: Dropping Short Fragments
- return-rst: Responding to Blocked TCP Packets
- return-icmp: Responding to Blocked ICMP Packets
- dup-to: Drop-Safe Logging
- NAT Keywords
- 4 Dynamic Connection Allocation
- 5 Firewall Building Concepts
- Blocking Services by Port Number
- Using Keep State
- Using Keep State with UDP
- Using Keep State with ICMP
- Logging Techniques
- Improving Performance with Rule Groups
- Localhost Filtering
- Using the to
- Creating a Complete Filter by Interface
- Combining IP Address and Network Interface Filtering
- Using Bidirectional Filtering Capabilities
- Using port and proto to Create a Secure Filter
- 6 HP-UX IPFilter Utilities
- 7 HP-UX IPFilter and FTP
- 8 HP-UX IPFilter and RPC
- 9 HP-UX IPFilter and IPSec
- 10 HP-UX IPFilter and Serviceguard
- A HP-UX IPFilter Configuration Examples
- B HP-UX IPFilter Static Linking
- C Performance Guidelines
- Index
HP-UX IPFilter on HP-UX 11i Version 3
HP-UX IPFilter Options
Chapter 228
Since enabling HP-UX IPFilter would require bringing down the
networking of the system and then bringing it up, it is recommended to
query the current status (using the -q option) and then use the -e option
to enable HP-UX IPFilter, if it is disabled.
To disable HP-UX IPFilter, enter the following command:
/opt/ipf/bin/ipfilter -d
The state of HP-UX IPFilter, whether enabled or disabled, remains the
same even after the reboot.
WARNING Using /opt/ipf/bin/ipfilter brings down ALL the network
interface cards and therefore the network connectivity of the
machine for a short while when HP-UX IPFilter is being enabled
or disabled (using the -e or -d option).
Unless there is heavy network traffic, this should have no or
little overall effect on existing connections, but the connections
will “hang” for a while. If there is heavy network traffic, it may
not be a good time to enable/disable HP-UX IPFilter firewall. If
the user is running applications like Serviceguard that might
mistake this for network card failure, enabling and disabling of
HP-UX IPFilter must be scheduled so that network outage is not
an issue.
Install HP-UX IPFilter
Unlike on HP-UX 11i version 2, installation of HP-UX IPFilter on
HP-UX 11i version 3 will not involve a system reboot. If the system
already has HP-UX IPFilter and a newer version of HP-UX IPFilter is
being installed, make sure that HP-UX IPFilter is in disabled state
before starting the installation.
The following steps provide an outline of the steps that needs to be
followed to install a newer version of HP-UX IPFilter. For detailed
instruction on how to install HP-UX IPFilter, see Chapter 1, “Installing
and Configuring HP-UX IPFilter.”
1. Disable the existing HP-UX IPFilter.
/opt/ipf/bin/ipfilter -d