HP-UX IPFilter A.03.05.14 Release Notes
HP-UX 11i v1 and HP-UX 11i v2
December 2006

Documentation Web Site: http://www.docs.hp.com
Manufacturing Part Number: B9901-90032 E1206
United States
© Copyright 2001-2006 Hewlett-Packard Development Company, L.P.
Legal Notices

The information contained herein is subject to change without notice.

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

U.S. Government License
Confidential computer software.
1 HP-UX IPFilter Release Notes

Announcement

HP-UX IPFilter, product number B9901AA version A.03.05.14, is a TCP/IP packet filter suitable for use as a system firewall to protect application servers. The firewall functions as a security defense by cutting down the number of exposure points on a machine. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.
What’s in This Version

Benefits and Features

HP-UX IPFilter version A.03.05.
• Drops all fragmented traffic if specified by rule
• Redirects packets for forensic analysis if specified by rule
• Creates extensive logs when required

HP-UX IPFilter version A.03.05.14 contains IPv6 support as described in “Enhancements” on page 14 of this Release Note.
Known Problems and Workarounds

• The startup script for HP-UX IPFilter automatically disables the ip_forward_directed_broadcasts parameter. This keeps the system from being subjected to broadcast-storm attacks that can bring down a network.
Unsupported Features

The following utilities and commands are part of the open source IPFilter product. These utilities and commands are included with HP-UX IPFilter, but are not supported by HP.
Features Not Supported with IPv6

The following features are not supported with IPv6:
• Dynamic Connection Allocation (DCA) (the configuration of the IPv6 keep limit rules is not allowed.
Supported and Unsupported Interfaces

The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION
For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces.

HP-UX IPFilter is not tested with any third-party products.
Table 1-1 HP-UX IPFilter Supported Interfaces (Continued)

HP-UX IPFilter Version    Supported Interfaces
A.03.05.09                • Ethernet (10Base-T)
A.03.05.08                • Fast Ethernet (100Base-T)
A.03.05.07                • Gigabit Ethernet (1000Base-T)
A.03.05.06                • APA
                          • VLAN
                          • FDDI
                          • Token Ring

The following interfaces are unsupported (not protected by HP-UX IPFilter) on any HP-UX IPFilter releases:
• ATM
• Hyperfabric
• X.
Compatibility Information and Installation Requirements

Software Requirements

The system must have standard HP-UX 11i v1 or HP-UX 11i v2 core products installed on it. It must also have the following patches:

For HP-UX 11i v2, no patches are required, but it is recommended that you install the HP-UX 11i v2 December 2006 update.
• If you are using HP-UX IPFilter with VLAN, you must install the following patches:
  — PHNE_24491 Gigabit Ethernet
  — PHNE_25388 LAN
  — PHNE_23465 BTLAN
  — PHNE_29887 ARPA/Transport

You can also add the following patches for additional functionality:
  — PHCO_24118 cumulative SAM/ObAM
  — PHNE_24473 nettl (1M), netfmt (1M), nettladm (1M)

You should install HP-UX IPFilter with swinstall (SD-UX) at any time after the system has b
HP-UX IPFilter enables you to uniquely identify an ICMPv6 message using its type and code. A new keyword, icmpv6-type, is introduced. Use the following rule to pass ICMPv6 type 135 code 0 packets:

    pass in quick proto icmpv6 from any to any icmpv6-type 135 code 0

NOTE
The type and code can only be specified as a decimal number.
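A pre-load check for the decimal-only restriction noted above, as an added example that is not part of the HP release notes: it flags icmpv6-type rules whose type or code is not a decimal number in the 8-bit range 0-255 used by ICMPv6. The function names and every sample rule except the first are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the HP release notes): flag icmpv6-type rules whose
# type or code is not a plain decimal number in the 8-bit range 0-255.

# Constructed sample ruleset; only the first rule appears in the release notes.
sample_rules() {
    cat <<'EOF'
# constructed sample rules
pass in quick proto icmpv6 from any to any icmpv6-type 135 code 0
pass in quick proto icmpv6 from any to any icmpv6-type 0x88 code 0
pass in quick proto icmpv6 from any to any icmpv6-type 128 code zero
block in quick proto icmpv6 from any to any icmpv6-type 300 code 0
EOF
}

# Reads rules on stdin, prints "line N: <problem>" for each finding,
# and returns 1 if anything was flagged, 0 otherwise.
check_icmpv6_rules() {
    awk '
    # True when v is missing, not all digits, or above the 8-bit maximum.
    function bad_num(v) { return (v !~ /^[0-9]+$/ || v + 0 > 255) }
    /^[ \t]*#/ { next }                      # skip comment lines
    {
        for (i = 1; i <= NF; i++) {
            if ($i != "icmpv6-type") continue
            if (bad_num($(i + 1))) {
                printf "line %d: type \"%s\" is not a decimal 0-255\n", NR, $(i + 1)
                found = 1
            }
            if ($(i + 2) == "code" && bad_num($(i + 3))) {
                printf "line %d: code \"%s\" is not a decimal 0-255\n", NR, $(i + 3)
                found = 1
            }
        }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Stand-alone run: list the findings for the constructed sample.
sample_rules | check_icmpv6_rules || echo "ruleset needs fixing before loading"
```

To check a real ruleset, feed the file on standard input, for example `check_icmpv6_rules < rules.conf`, where `rules.conf` is a placeholder for your own rules file.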
Enhancements

IPv6 Support

IPv6 support has been added to HP-UX IPFilter.
Fixes in This Version

Fixes for HP-UX 11i v1 and HP-UX 11i v2

The following problems have been fixed in HP-UX IPFilter version A.03.05.14 for HP-UX 11i v1 and HP-UX 11i v2.
• JAGaf15610 (8606354854)—Cannot delete "head keyword rule" by ipf -r -f command.
• JAGaf53050 (8606392975)—There is a note that is not necessary in ipf (5) online manual.
• JAGaf92103 (8606432664)—When skip rule is set, the packet is blocked unspecified.
List of Documents Available with Product

The list below contains documentation related to the HP-UX IPFilter product.
• HP-UX IPFilter A.03.05.14 Administrator’s Guide (B9901-90031)
• HP-UX IPFilter A.03.05.14 Release Notes (B9901-90032)

HP-UX IPFilter documentation is available from the following sources:
• The HP Technical Documentation Web Site at http://docs.hp.com/en/internet.