HP-UX IPFilter V17.05 Administrator Guide
HP-UX 11i v2 and HP-UX 11i v3

Abstract

This document describes how to install, configure, and troubleshoot HP-UX IPFilter version 17.05. It is intended for network managers and network security administrators who install, configure, and troubleshoot HP-UX IPFilter on HP 9000 systems. Administrators are expected to have knowledge of HP-UX operating system concepts, commands, and configuration.
© Copyright 2001, 2011 Hewlett-Packard Development Company, L.P.

Legal notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Contents

1 Overview (page 10)
1.1 Benefits and features (page 10)
1.2 Supported and unsupported features (page 11)
2 Installing HP-UX IPFilter (page 12)
2.
3.5.6.4 Using keep state with ICMP (page 25)
3.5.6.4.1 Idle timeout (page 25)
3.5.6.4.2 ICMP error status messages (page 25)
3.5.7 State aging (page 26)
3.5.7.1 Rule examples
.9.2.1 Adding a new individual keep limit rule (page 39)
5.9.2.2 Adding a new subnet or IP address range rule (page 39)
5.9.3 Integrating keep limit rules (page 39)
5.9.4 Extracting an individual rule from a subnet rule (page 40)
5.10 Enabling and disabling DCA
9 Troubleshooting HP-UX IPFilter (page 53)
9.1 Viewing IPFilter statistics and active rules with ipfstat (page 53)
9.1.1 Syntax (page 53)
9.1.2 Options (page 53)
9.1.3 Examples
11.2.4.1 IPFilter configuration (page 75)
11.2.5 ICMP echo request broadcasts: ip_respond_to_echo_broadcast (page 75)
11.2.6 Using ndd to configure ICMPv4 kernel parameters (page 76)
11.3 Filtering ICMPv6 packets by type and code: icmpv6-type and code (page 76)
11.
16 Support and other resources (page 93)
16.1 Contacting HP (page 93)
16.1.1 Before you contact HP (page 93)
16.1.2 HP contact information (page 93)
16.1.
C.5.1 Displaying logging buffer statistics (page 112)
C.6 ipl_suppress (page 112)
C.7 ipl_logall (page 113)
C.8 Configuring and viewing kernel tunable parameters
1 Overview

HP-UX IPFilter, product number B9901AA version 17.05, is a TCP/IP packet filter suitable for use as a system firewall. The version string is A.11.31.17.05 for HP-UX 11i v3 and A.11.23.17.05 for HP-UX 11i v2. HP-UX IPFilter functions as a firewall by examining and limiting packets allowed in and out of an HP-UX system, which can be either an end node or an IP router. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.
◦ IP security classes
◦ TCP ports and port ranges
◦ UDP ports and port ranges
◦ ICMP message type and code
◦ Combination of TCP flags
◦ Network interface
• Control incoming TCP connections through Dynamic Connection Allocation (DCA)
• Support for NAT, which lets an intermediate HP-UX system act as a translator of IP addresses and network ports
• Send back ICMP error/TCP reset messages for blocked packets
• Keep packet state information for TCP, UDP, and ICMP
• Keep fragment state inform
2 Installing HP-UX IPFilter

2.1 Overview of HP-UX IPFilter installation

The following section summarizes each step in the HP-UX IPFilter installation process.

2.1.1 Installation and configuration checklist

Complete the following steps to install HP-UX IPFilter.

1. Check that your system meets the prerequisites. See Section 2.2 (page 12) for detailed information about this task.
2. Install HP-UX IPFilter using swinstall. See Section 2.3 (page 12) for detailed information about this task.
2. If the system is an HP-UX 11i v3 system and already has HP-UX IPFilter installed, disable the existing version:

/opt/ipf/bin/ipfilter -d

CAUTION: HP recommends that you enable or disable IPFilter when interrupting network connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX IPFilter when critical network applications are running. Disabling or enabling IPFilter briefly brings down all IP interfaces, then brings up only the IP interfaces configured in the /etc/rc.
NOTE: Do not run the HP-UX IPFilter product when the system is booted in single-user mode.

2.4 Step 3: Verifying the installation

Use the following commands to verify the HP-UX IPFilter installation.

• Verify that HP-UX IPFilter is running using the -V option of the ipf command:

ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.31.17.05) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.17.
2. Use swremove to remove HP-UX IPFilter:

swremove IPFilter

2.
3 Configuring and loading IPv4 filter rules

3.1 IPv4 filter rules configuration file

The default HP-UX IPFilter IPv4 filter rules file is /etc/opt/ipf/ipf.conf. To specify an alternate IPv4 filter rules file name, set the IPF_CONF parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf. When HP-UX IPFilter is first installed, the /etc/opt/ipf/ipf.conf rules file is empty. Appendix B (page 100) contains example rules files you can use to create your ruleset.

3.1.
3.2.1 Specifying the filter action: pass and block

The first keyword in an IPFilter rule specifies the action, and is usually pass or block. The keyword pass allows packets to pass in or out of IPFilter, and the keyword block blocks or drops packets.

3.2.2 Specifying the filter direction: in and out

The in and out keywords specify whether the rule applies to inbound or outbound packets. Inbound traffic is traffic that enters the IPFilter system.
3.2.4.1 Examples

The following rule blocks all inbound packets from the 10.10.10.0 subnet to any IP address:

block in from 10.10.10.0/24 to any

The following rule blocks all inbound packets from the addresses 10.10.10.1, 10.10.10.2, and 10.10.10.3 to any IP address:

block in from 10.10.10.1-10.10.10.3 to any

The following rule blocks all inbound packets with the destination address 192.168.2.1:

block in from any to 192.168.2.
For example, to allow 10 outbound packets per second from any source address to the destination address 10.1.1.42:

pass out from any to 10.1.1.42/32 pps 10

NOTE: This is available only on HP-UX 11i v3.

3.
block in quick from 10.10.10.66 to any
pass in all

If the system receives a packet from 10.10.10.66, IPFilter matches the packet to the first rule. Because the first rule includes the quick keyword, IPFilter does not evaluate the second rule in the ruleset and uses the first rule.

TIP: Using the quick keyword also enables you to order rules from most specific to least specific.

3.4.
3.5.1 Option order

If you specify protocol options, you must insert them after the ip_selector:

block|pass in|out [processing_options] [proto protocol] ip_selector [protocol_options]

The ip_selector is the from...to IP address and port number specification or the keyword all, as defined in Section 3.2 (page 16). If you specify more than one processing option, you must specify them in the order listed below:

1. 2. 3. 4. 5. 6.
3.5.3 Specifying IP options: with opt and ipopts

IPFilter can filter packets based on IP options using the with opt and with ipopts keywords.
3.5.4.1 Selecting IP packet fragments: with frag

The with frag keyword selects IP packet fragments (IP packets with a non-zero fragment offset). If you do not want IPFilter to pass IP packet fragments, specify the block action and the with frag keywords. For example:

block in all with frag

3.5.4.2 Selecting short fragments: with short

You can configure IPFilter to drop packet fragments that are too short for comparison using the with short keyword.
3.5.6.1 Allocating memory for the state table

The amount of memory allocated for the state table is determined by the kernel tunable parameter fr_statemax. In most deployments, the default value is sufficient. For information about modifying the fr_statemax value, see Section C.3 (page 112).

3.5.6.2 Using keep state with TCP

You can configure rules with the flags and keep state keywords to select packets for TCP connections initiated in a specific direction.
You can change the idle timeout value for TCP entries by modifying the fr_tcpidletimeout kernel parameter. See Section C.2 (page 111) for more information.

3.5.6.3 Using keep state with UDP

You can configure IPFilter rules for UDP connections using the keep state keyword. IPFilter adds an entry to the state table so that packets matching the filter specification are passed in both directions.
If UDP generates an ICMP error status message (such as icmp-type 3 code 3, port unreachable, or icmp-type 11, time exceeded) for this UDP session, IPFilter applies the rule to the ICMP packet and allows it to pass.

3.5.7 State aging

The system-defined state entry timeout values are:

• ICMP—60 seconds
• UDP—120 seconds
• TCP—120 seconds

You can override the TCP default value when the connection is closed using the fr_tcptimewait tunable, or by using the age option on a per-rule basis.
3.6.1 Responding to blocked TCP packets: return-rst

When TCP receives a packet for a TCP port that is not open, or a packet that is inappropriate for the TCP state, TCP normally sends a Reset (RST) packet. The return-rst keyword directs IPFilter to return an RST packet to the sender. The return-rst keyword is valid in the following rules:

• Rules that block inbound packets (block in rules).
• Dynamic Connection Allocation (DCA) rules (keep limit rules), as shown in Section 5.3 (page 35).
A complete ruleset for this situation would be complex and would significantly slow user connections to the network. To prevent this, a ruleset is created with rule groups:

block in quick on lan0 all head 1
block in quick on lan0 from 192.168.0.0/16 to any group 1
block in quick on lan0 from 172.16.0.0/12 to any group 1
block in quick on lan0 from 10.0.0.0/8 to any group 1
block in quick on lan0 from 127.0.0.0/8 to any group 1
block in log quick on lan0 from 20.20.20.
NOTE: When you load a ruleset, the new rules affect all matching packets immediately, including packets for established connections. For example, if you load a new rule that blocks telnet packets, IPFilter will block all telnet packets, including packets for established telnet connections. The only exception to this behavior is for packets that match entries in the IPFilter state table.
You can use this command when IPFilter is running.

3.9 Rule tags

3.9.1 Log tags

A log tag is used in IPF rules to help with parsing log files: use log tags to find a particular logged packet that belongs to an IPF rule. For example, to block all TCP packets from 10.1.1.42, have ipmon log those packets in syslog, and tag the log entries with the log tag rule1 to help with parsing the log file:

block in log proto tcp from 10.1.1.42/32 to any set-tag(log=rule1)

3.9.2 NAT tags

A NAT tag creates an implied join between IPF rules and NAT rules.
4 Configuring and loading IPv6 filter rules

4.1 IPv6 filter rules configuration file

HP-UX IPFilter maintains IPv4 and IPv6 rules as separate rule sets. You cannot configure IPv6 filter rules in the same file with IPv4 filter rules, and you must administer IPv4 and IPv6 rule sets separately. The rule set (IPv4 or IPv6) for a rule is determined by the command-line options and file used to load the rule. These options are described in Section 4.4 (page 33).
4.3.2 Filtering ICMPv6 packets

To filter ICMPv6 messages by type and code, specify proto icmpv6 (or proto ipv6-icmp) and use the keywords icmpv6-type and code. See Section 11.3 (page 76) for more information.

4.3.2.1 Stateful ICMPv6

IPFilter can retain state information for ICMPv6 Request-Response messages. The only supported message types are Echo Request and Echo Reply.

4.3.3 IPv6 extension headers

You can block or pass packets according to IPv6 extension headers.
• 4-in-6

Use the following rule to filter 4-in-6 tunnel packets:

block in proto ip from any to any

4.3.5 Filtering IPv6 fragments

You can filter IPv6 fragments by specifying the v6hdrs frags keywords. Use the following rule to filter IPv6 fragmented traffic:

block in proto udp from any to any with v6hdrs frags

Unlike IPv4, IPFilter does not maintain a fragment cache for IPv6 fragments.

4.3.6 Sending ICMPv6 responses

IPFilter supports the return-icmpv6-as-dest and return-icmpv6 keywords for IPv6.
5 Configuring and loading dynamic connection allocation (DCA) rules

5.1 DCA with HP-UX IPFilter

An HP-UX IPFilter system can act as a secure intermediary, tracking all incoming TCP connections to a system or network. DCA lets you limit incoming TCP connections passing through an IPFilter system. You can use DCA to limit the number of inbound connections based on the source IP address and, optionally, the destination TCP port number.
5.3 DCA rule syntax and keywords

The basic DCA syntax is as follows:

pass in quick proto tcp from source_ip|any to dest_ip|any [port = port_num] keep limit limit_num

The keep limit keywords indicate that this is a DCA rule.
5.4.2 Limiting connections by subnet

The following rule is an example of a DCA rule that limits connections by IP subnet:

pass in quick proto tcp from 192.168.5.0/24 to any port = 25 keep limit 4

This rule limits the maximum concurrent TCP connections to four from any individual host in subnet 192.168.5.0/24 to port 25 of any host.

5.4.
The system host1 is allowed to open only 10 concurrent connections. IPFilter blocks any subsequent connection requests. Since log limit is set, each additional connection attempt is logged. The log limit option generates two types of log records:

• Alert log records—created when a source IP address attempts to exceed its configured connection limit. Every time the connection limit is exceeded, IPFilter creates an alert log record.
Cumulative limits are shared by different IP addresses and it is possible that IPFilter will not log connections from some source IP addresses. For example, the initial connections might come from ipaddr1 and the next 10 from ipaddr2. IPFilter will not log the connections from ipaddr1, but will log the connections from ipaddr2, because one of its connections will be the eleventh connection. 5.
1. Create a new rule identical to the current rule except for a different keep limit count. When the new rule is added, IPFilter recognizes it as an update of the existing rule. Current limit entries made by the old rule are updated with the new connection limit when a new connection is processed. New connections are processed with the new rule. For example, the original rule is:

pass in quick proto tcp from 14.13.45.0-14.13.45.
5.9.4 Extracting an individual rule from a subnet rule

To extract an individual rule from a subnet rule:

1. Add the new rule on the line before the subnet rule. Be sure the subnet or IP address range rule is identical to the old rule. When a new connection matches an existing limit entry, the new connection is processed by the new individual rule. The subnet or IP address range rule can be cumulative or noncumulative.

5.10 Enabling and disabling DCA

To use DCA, you must enable DCA mode.
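As an added illustration, not code from the guide or from HP-UX IPFilter, the following Python model of a keep limit rule shows the difference between a noncumulative (per-host) limit and a cumulative limit shared by a whole subnet, the alert record written each time a source tries to exceed its limit when log limit is set, and why placing an individual host rule on the line before the subnet rule (Section 5.9.4) gives that host its own limit entry. The class and function names, the cumulative flag and the alert text are assumptions of this model; all addresses are constructed.

```python
import ipaddress
from collections import defaultdict


class KeepLimit:
    """Toy model of one DCA 'keep limit' rule (constructed for illustration).

    scope      -- host or CIDR prefix selected by the rule's 'from' clause
    limit      -- the keep limit count (maximum concurrent TCP connections)
    cumulative -- True: one limit entry shared by every source in scope;
                  False: a separate limit entry per individual source address
    log        -- model of the 'log limit' option: an alert record is written
                  every time a source attempts to exceed its limit
    """

    def __init__(self, scope, limit, cumulative=False, log=True):
        self.scope = ipaddress.ip_network(scope, strict=False)
        self.limit, self.cumulative, self.log = limit, cumulative, log
        self.active = defaultdict(int)   # limit-entry key -> open connections
        self.alerts = []                 # constructed alert log records

    def _key(self, src):
        # Cumulative: a single entry for the whole subnet; otherwise one per host.
        return str(self.scope) if self.cumulative else src

    def connect(self, src):
        """Verdict for a new inbound TCP connection request from src."""
        if ipaddress.ip_address(src) not in self.scope:
            return "nomatch"             # this rule does not apply to src
        key = self._key(src)
        if self.active[key] >= self.limit:
            if self.log:
                self.alerts.append(
                    f"alert: {src} exceeded limit {self.limit} on entry {key}")
            return "block"
        self.active[key] += 1
        return "pass"

    def disconnect(self, src):
        """Release one slot of the limit entry when the TCP session closes."""
        key = self._key(src)
        if self.active[key] > 0:
            self.active[key] -= 1


def dca_connect(rules, src):
    """DCA rules are 'pass in quick' rules, so the first rule whose scope
    contains src decides. An individual rule listed before the subnet rule
    therefore keeps that host's connections out of the subnet's count."""
    for rule in rules:
        verdict = rule.connect(src)
        if verdict != "nomatch":
            return verdict
    return "nomatch"


def demo():
    """Replays the cumulative-limit scenario from Chapter 5: a shared limit of
    10, five connections from one host, then ten from a second host. Only the
    second host is logged, because its attempts are the eleventh and later."""
    shared = KeepLimit("192.168.5.0/24", 10, cumulative=True)
    verdicts = [shared.connect("192.168.5.10") for _ in range(5)]
    verdicts += [shared.connect("192.168.5.20") for _ in range(10)]
    return verdicts, shared.alerts
```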
• Section 9.1 (page 53):
◦ ipfstat -L
◦ ipfstat -vL
◦ ipfstat -r group:rule
• Section 9.3.2 (page 61):
◦ ipmon -r

DCA also provides logging records that can serve as alert messages or as a summary of the connections made from a specific IP address. You can use the log records to identify IP addresses or subnets that you want to limit or block.

5.11.
6 Configuring and loading NAT rules

6.1 NAT rules configuration file

IPFilter loads and evaluates NAT rules separately from filter rules. Do not configure NAT rules in the same file with filter rules. The default name for the HP-UX IPFilter NAT rules file is /etc/opt/ipf/ipnat.conf. To specify an alternate NAT rules file name, set the IPNAT_CONF parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf. To load NAT rules, use the ipnat utility. See Section 6.6 (page 47) for more information.
• rdr
The rdr keyword redirects and translates destination addresses and port numbers for inbound packets.
• bimap
The bimap keyword translates addresses and port numbers for inbound and outbound packets.
• age
The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, only TCP is supported. NAT provides the frnat_tcptimewait tunable to set the system-level timeout.
NOTE: This is available only on HP-UX 11i v3.
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the current IP address of the lan0 interface, then transmits the packets using lan0:

map lan0 192.168.1.0/24 -> 0/32

6.3.2 portmap keyword

You can use the portmap keyword to direct IPFilter to translate port numbers. When used with the map keyword, IPFilter maps the source port number to a specific port number or range of port numbers. You can use this feature to create a unique source IP address and source port number pair.
target_ip is the target IP address. IPFilter translates the destination IP address to the target IP address.

6.4.1 Redirecting packets to a specific port

You can also use the rdr keyword with port and protocol specifications to redirect inbound packets from one port to another:

rdr interface_name destination_ip port destination_port -> target_ip port target_port [protocol]

where:

interface_name is the name of the network interface used to transmit the packets. For example, lan1.
You can specify only two target addresses in each round-robin rule, but you can configure two rdr rules for the same interface, for a total of four target addresses. IPFilter load balances the packets equally between all four target addresses. For example:

rdr lan0 0.0.0.0 -> 192.168.0.1,192.168.0.2 round-robin
rdr lan0 0.0.0.0 -> 192.168.0.3,192.168.0.4 round-robin

6.4.4 Sticky NAT sessions

NAT sessions can be redirected to the same destination IP address to achieve source IP-based persistence.
#
# NOTE: ORDER IS IMPORTANT IN THIS FILE
#
# Interface to do the redirections on and the IP address which will be
# targeted.
#
interface lan0 192.168.1.1,2100
#
connect timeout 1
connect frequency 20
#
# If no probe string is specified, a successful connection implies the
# server is still alive.
#
probe string GET /\n\n
#probe file http.
7 Address pooling

NOTE: Address pooling is available only on HP-UX 11i v3.

7.1 The ippool utility

Address pools establish a single reference that is used to name a group of address/netmask pairs. Address pools:

• Facilitate management of large groups of addresses
• Reduce time to match IP addresses with rules
• Improve performance

The ippool utility manages information stored in the IP pools subsystem of IPFilter. Configuration file information can be parsed and loaded into the kernel.
7.3.2 Examples

The following example creates an address pool using the tree storage format, referenced by an IPF rule that allows packets from this pool:

table role = ipf type = tree name = mypool { 10.1.1.41/32; 10.1.1.42/32; 192.168.1.0/24; }
pass in from pool/mypool to any

The following example creates an address pool using the hash storage format, referenced by an IPF rule that blocks packets from this pool:

table role = ipf type = hash name = myhash { 192.1.1.41/32; 192.1.1.
8 Tips for securing your system

8.1 Blocking services by port number and protocol

To create a ruleset that explicitly passes packets for a specific service or services, but blocks all other traffic:

1. Configure pass rules with the quick keyword to allow packets for specific services by port number and protocol.
2. At the end of the ruleset, configure a rule to block all traffic (block in all).
8.2 Creating a complete filter by interface When you create a ruleset, you should configure rules for all directions and all interfaces. The default state of IPFilter is to pass packets both in and out. Instead of relying on the IPFilter default behavior, make every ruleset as specific as possible, interface by interface, until all possibilities are explicitly covered.
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in quick on lan0 from 20.20.20.0/24 to any
pass in all

8.4 Using bidirectional filtering

You can use bidirectional filtering to limit packets leaving a system to those that come from a specific subnet. For example, to limit traffic passing out of the IPFilter system to packets coming from the 20.20.20.
9 Troubleshooting HP-UX IPFilter

9.1 Viewing IPFilter statistics and active rules with ipfstat

The ipfstat utility displays IPFilter statistics, including how many packets have been passed or blocked, whether the packets were logged or not, how many state entries have been made, and DCA statistics. You can also use options with ipfstat to display active rules.

9.1.1 Syntax

ipfstat [-options]

9.1.2 Options

For a complete list of ipfstat options, see the ipfstat manpage.
-r group:rule
Displays the limit statistics by rule number. If you specify this option with the -6 option, ipfstat displays the IPv6 rule; if you specify this option without the -6 option, it displays the IPv4 rule.

-v
Sets verbose mode. Use for debugging.

NOTE: Statistics counters cannot increment when both the active in and out rulesets are empty. This is due to a performance optimization that bypasses IPFilter when there are no active rulesets present.

9.1.
This status report shows that the ruleset may not be working as intended. Many outbound packets are being blocked despite a pass out rule configured to pass most outbound packets. ipfstat cannot indicate whether a ruleset is configured correctly. It can only display what is happening at the present time with a given ruleset. Set the -n option to display the rule number next to each rule. The rule number is displayed as @group:rule. This can help you determine which rules are incorrectly configured.
The following is an example of the output of the ipfstat -L option.

Current connections to limited IP addresses

Connection Type    Active Limits
Individual         2
Subnet             3
Cumulative         5
Unknown IP         9
Total              19

No Memory  Logged Records  Log Failures  Limits Added  Add Failures
0          13              0             13            0

• The first six lines display the number of current active connections of each described type.
• No Memory is the number of times a limit entry could not be created because no memory was available.
S—IP subnet
C—Cumulative
U—Unknown IP

These limit entries are created through the default rule. See Section 5.4 (page 35) for detailed information on the different types of limit entries.

• The Rule column displays the rule number that caused the creation of this limit entry. This information can in turn be used to get per-rule statistics using the ipfstat -r command.
• The third through sixth columns display the IP-port pairs of the TCP connection.
-i input_filename
Specifies the file that contains packet descriptors. The default is stdin. Each packet descriptor must be contained on one line. By default, the format for each packet descriptor is as follows:

in|out [on interface] [protocol] src_host[,src_port] dest_host[,dest_port] [flags]

Where:

interface Specifies the interface name, such as lan0.
protocol Specifies the protocol name. Valid values are: tcp, udp, icmp, icmpv6.
src_host Specifies the source IP address or host name.
out on lan1 udp 10.1.85.196,16000 10.1.85.195,16000
out on lan0 udp 10.1.80.196,16000 10.1.85.195,16000
in on lan0 udp 10.1.81.195,16000 10.1.84.196,16000
in on lan1 udp 10.1.81.195,16000 10.1.85.196,16000
out on lan0 udp 10.1.84.196,16000 10.1.81.195,16000
out on lan1 udp 10.1.85.196,16000 10.1.81.195,16000
out on lan0 icmp 10.1.84.196 10.1.84.195
in on lan0 icmp 10.1.84.195 10.1.84.196
out on lan0 udp 10.1.80.196,16001 10.1.84.195,16000
out on lan0 udp 10.1.80.196,16001 10.1.85.
block ip 28(20) 17 10.1.81.195,16000 > 10.1.85.196,16000
-------------
input: out on lan0 udp 10.1.84.196,16000 10.1.81.195,16000
nomatch ip 28(20) 17 10.1.84.196,16000 > 10.1.81.195,16000
-------------
input: out on lan1 udp 10.1.85.196,16000 10.1.81.195,16000
nomatch ip 28(20) 17 10.1.85.196,16000 > 10.1.81.195,16000
-------------
input: out on lan0 icmp 10.1.84.196 10.1.84.195
nomatch ip 48(20) 1 10.1.84.196 > 10.1.84.195
-------------
input: in on lan0 icmp 10.1.84.195 10.1.84.196
pass ip 48(20) 1 10.1.84.
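As an added illustration (not code from the guide, from ipftest or from the IPFilter project), the following Python evaluator applies the rule-ordering semantics described for the quick keyword (Section 3.4) and the complete-filter ruleset of Section 8.3 to ipftest-style packet descriptors of the format shown above: IPFilter uses the action of the last matching rule unless a matching rule carries quick, which ends evaluation at once, and a descriptor that matches no rule is reported as nomatch, as ipftest does. It understands only the keywords used in the page's examples (quick, log, on, proto, all, from/to with hosts, prefixes and lo-hi ranges, and port =); the packet descriptors in the test are constructed.

```python
import ipaddress

# The complete-filter ruleset from Section 8.3, copied here as sample input.
RULESET_8_3 = [
    "block in quick on lan0 from 192.168.0.0/16 to any",
    "block in quick on lan0 from 172.16.0.0/12 to any",
    "block in quick on lan0 from 10.0.0.0/8 to any",
    "block in quick on lan0 from 127.0.0.0/8 to any",
    "block in quick on lan0 from 20.20.20.0/24 to any",
    "pass in all",
]


def parse_rule(text):
    """Parse the subset of ipf.conf rule syntax used in this guide's examples."""
    t = text.split()
    rule = {"action": t[0], "dir": t[1], "quick": False, "log": False,
            "iface": None, "proto": None, "src": "any", "dst": "any",
            "sport": None, "dport": None}
    i, side = 2, None
    while i < len(t):
        tok = t[i]
        if tok in ("quick", "log"):
            rule[tok] = True
            i += 1
        elif tok in ("on", "proto"):
            rule["iface" if tok == "on" else "proto"] = t[i + 1]
            i += 2
        elif tok in ("from", "to"):
            side = "src" if tok == "from" else "dst"
            rule[side] = t[i + 1]
            i += 2
        elif tok == "port":          # "port = N" binds to the preceding address
            rule["sport" if side == "src" else "dport"] = int(t[i + 2])
            i += 3
        else:                        # "all" and keywords this toy does not model
            i += 1
    return rule


def addr_match(spec, ip):
    """spec is any, a single host, a CIDR prefix, or a lo-hi range (Section 3.2.4)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def parse_packet(line):
    """Parse one ipftest descriptor:
    in|out [on interface] [protocol] src[,port] dst[,port] [flags]"""
    t = line.split()
    pkt = {"dir": t[0], "iface": None, "proto": None, "flags": ""}
    i = 1
    if t[i] == "on":
        pkt["iface"] = t[i + 1]
        i += 2
    if t[i] in ("tcp", "udp", "icmp", "icmpv6"):
        pkt["proto"] = t[i]
        i += 1
    for host_key, port_key in (("src", "sport"), ("dst", "dport")):
        host, _, port = t[i].partition(",")
        pkt[host_key], pkt[port_key] = host, (int(port) if port else None)
        i += 1
    if i < len(t):
        pkt["flags"] = t[i]
    return pkt


def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and addr_match(rule["src"], pkt["src"])
            and addr_match(rule["dst"], pkt["dst"])
            and rule["sport"] in (None, pkt["sport"])
            and rule["dport"] in (None, pkt["dport"]))


def evaluate(ruleset, descriptor):
    """Return (verdict, rule_number). The LAST matching rule's action wins
    unless a matching rule carries quick, which stops evaluation immediately;
    'nomatch' mirrors ipftest when no rule matched (rule_number 0)."""
    pkt = parse_packet(descriptor)
    verdict, matched = "nomatch", 0
    for n, text in enumerate(ruleset, 1):
        rule = parse_rule(text)
        if rule_matches(rule, pkt):
            verdict, matched = rule["action"], n
            if rule["quick"]:
                break
    return verdict, matched
```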
The valid values for facility are: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, ftp, authpriv, audit, logalert, local0, local1, local2, local3, local4, local5, local6, local7.

The valid values for priority are: emerg, alert, crit, err, warn, notice, info, debug.

Example:

block in log level auth.info quick on lan0 from 20.20.20.0/24 to any
block in log level auth.alert quick on lan0 proto tcp from any to 20.20.20.0/24 port = 21

9.3.1.
9.3.2.1 Syntax

ipmon -options

9.3.2.2 Options

-a Opens and reads data from all available log files. Equivalent to -o NSI.
-o [NSI] Specifies which log file to read data from. Valid values are:
• N—NAT log file
• S—State log file
• I—IPFilter log file
-A Logs the summary records created for DCA logging.
-r Prints the summary records to the summary log file and clears the block count for each limit entry.
-F Flushes the packet log buffer. The output displays the number of bytes flushed.
• Field 5—Packet source, in the format ip_address,port
• Field 6—Packet destination, in the format ip_address,port
• Fields 7 and 8—Protocol
• Field 9—Packet size
• Field 10—Flags set on packet

Use the ipfstat -in command to determine the text of the rule that created the log entry. In the previous example, you would use this command to look at rule 2 in rule group 0 (@0:2). IPFilter sometimes logs a packet matching a keep state rule in the normal (non-state) IPFilter log file.
9.3.3.2 ipmon.conf file syntax

match {} do {}

If a UDP packet is coming from 10.1.1.41 and it is blocked according to the configured IPF rules, then ipmon sends mail to the root account with the message "blocked UDP packet from 10.1.1.41". For example:

match { srcip = 10.1.1.41/32, protocol = udp, result = block } do { execute "/usr/bin/mail -s 'blocked UDP packet from 10.1.1.41' root" };

If an ICMP packet is going to 10.1.1.
NOTE: If you are using /etc/opt/ipf/ipf.conf as your rules file, then IPFilter will load it at boot time. The IPFilter startup script /sbin/init.d/ipfboot:
◦ Loads the IPFilter module.
◦ Starts the logging daemon, ipmon.
◦ Loads any uncommented rules in the /etc/opt/ipf/ipf.conf file.
◦ Loads any uncommented rules in /etc/opt/ipf/ipf6.conf if IPv6 is enabled on the system.
• Output from the following commands:
◦ ipf -V
◦ ipfstat -v
◦ ipfstat -nio
◦ ipfstat -aio
◦ ipfstat -hio
◦ ipfstat -Iio
◦ ipfstat -s
◦ ipfstat -sl
◦ ipfstat -f
◦ ipfstat -g
◦ ipfstat -Q (on HP-UX 11i v3 systems)
• Relevant IPFilter configuration files:
◦ /etc/rc.config.d/ipfconf
◦ /etc/opt/ipf/ipf.conf (or alternate IPv4 filter rules file)
◦ /etc/opt/ipf/ipnat.conf (or alternate NAT rules file)
◦ /etc/opt/ipf/ipf6.
10 HP-UX IPFilter utilities

10.1 The ipf utility

The ipf utility performs a broad range of actions on the active and inactive IPFilter rulesets. You can use ipf to add rules, delete rules, switch the active and inactive rulesets, and flush the existing ruleset from the system. You can perform other actions with ipf; see the ipf manpages for more information.

10.1.1 Syntax

ipf -options [-f rules_file_name]

10.1.
-s
Switches the active ruleset with the inactive ruleset. IPFilter maintains an active ruleset and an inactive ruleset. The active ruleset is the ruleset used for IPFilter operations, and the inactive ruleset is a supplementary, reserve ruleset. If you specify this option with the -6 option, this option affects the IPv6 rulesets; if you specify it without the -6 option, this option affects the IPv4 rulesets.

-Fa
Flushes all rules in the specified ruleset.
processing.

-Q interface_name
Queries whether IPFilter processing is enabled or disabled for a given interface. If you specify this option with the -6 option, it queries the status of IPv6 IPFilter processing; if you specify this option without the -6 option, it queries the status of IPv4 IPFilter processing.

The -E, -D, and -Q options let you control IPFilter processing on a given interface. For example, ipf -D lan0 disables IPv4 IPFilter processing for traffic on lan0.
10.3.2 Options

-e Enables the HP-UX IPFilter module.
-d Disables the HP-UX IPFilter module.
-q Queries the HP-UX IPFilter module and displays whether it is enabled or disabled.
-l Lists the interfaces and shows which are protected or unprotected by IPFilter.
-ei Enables IPFilter in interactive mode.
-di Disables IPFilter in interactive mode.

CAUTION: HP recommends that you enable or disable IPFilter when interrupting network connectivity is not disruptive.
-f Reads IP pool configuration information from the file and loads it into the kernel.
-F Flushes loaded pools from the kernel.
-l Displays a list of pools currently loaded into the kernel.
-r Removes an existing data node from a pool in the kernel.
-R Removes an existing pool from within the kernel.
-s Displays IP pool statistical information.
-i [/] Sets the IP address for the current operation with an all-ones mask.
11 HP-UX IPFilter and ICMP

11.1 Filtering ICMPv4 packets by type and code: icmp-type and code

You can filter specific types of ICMPv4 (ICMP) traffic using the icmp-type and code keywords. These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service (DoS) attacks, but must allow certain types of ICMP messages in and out of your system. You must specify proto icmp to use the icmp-type and code keywords.
Table 2 ICMP type and codes (continued)

Type | Code | icmp-type | Meaning | icmp-code
4 | 0 | squench | SOURCE QUENCH |
5 | 0-3 | redir | REDIRECT | 0 network; 1 host; 2 network & TOS; 3 host & TOS
8 | 0 | echo | ECHO REQUEST (ping request) |
9 | 0 | routerad | ROUTER ADVERTISEMENT |
10 | 0 | routesol | ROUTER SOLICITATION |
11 | 0-1 | timex | TIME EXCEEDED | 0 TTL=0 during transmit; 1 TTL=0 during reassembly
12 | | paramprob | PARAMETER PROBLEM |
13 | 0 | timest | TIMESTAMP REQUEST |
14 | 0 | timestrep | TIMESTAMP REPLY |
15 | 0 | inforeq | INFO REQUEST (obsolete) |
16 | 0 | inforep
NOTE: If your topology matches the following conditions, your system may mark gateways "down" and the system will lose connectivity to remote systems through those gateways.
• The local system is an HP-UX 11i v1 system without patch PHNE_35351 or later installed, or an HP-UX 11i v2 system without patch PHNE_35765 or later installed.
• The ip_ire_gw_probe feature is enabled (ip_ire_gw_probe is set to 1).
11.2.3.1 IPFilter configuration
HP recommends that you configure IPFilter to process ICMP redirect messages as follows:
• End systems
On end systems, block all inbound ICMP redirect messages without logging them. Block all outbound ICMP redirect messages (end systems have no need to send ICMP redirect messages).
11.2.6 Using ndd to configure ICMPv4 kernel parameters The ICMPv4 (ICMP) kernel tunable parameters in this chapter are all configured using the ndd utility. Parameter values that you set by running ndd are not retained when the system reboots. You can configure parameter values in the ndd startup file, /etc/rc.config.d/nddconf, so ndd will set the configured values each time the system starts up. To add an ICMP configuration value to /etc/rc.config.
The IANA list of assigned ICMPv6 type numbers and option numbers contains the registered ICMPv6 type and code values and the documents that define these values. This list is available at the following URL: http://www.iana.org/assignments/icmpv6-parameters
For example, to block inbound Node Information Queries (type 139) to your system (2001:db8::1), create the following rule:
block in quick proto icmp from any to 2001:db8::1 icmpv6-type 139
12 HP-UX IPFilter and FTP
CAUTION: NAT and FTP are incompatible. If you are using FTP on your IPFilter system, do not use NAT rules.
12.1 FTP basics
The File Transfer Protocol (FTP) is a user-level protocol for transferring files between host computers. An FTP session involves two separate connections:
• Control connection
1. The server listens for client connections on port 21.
2. The client opens a connection to the server port 21 on a client port above 1023.
3.
12.3.1 Active FTP
FTP Server                Direction of Connection Initiated   FTP Client
port 21 (control port)    <----------------                   any port 1024 or higher
port 20 (data port)       ---------------->                   any port 1024 or higher
On an FTP server using active FTP, configure IPFilter rules to allow control connections in and data connections out.
NOTE: FTP Proxy is not supported by HP. For a complete list of unsupported utilities and commands, see Section A.4 (page 97).
12.4.2 Passive FTP
FTP server                            Direction of connection initiated   FTP client
port 21 (control port)                <----------------                   any port 1024 or higher
any port 1024 or higher (data port)   <----------------                   any port 1024 or higher
To let an FTP client open a passive FTP session, configure IPFilter to allow both the control and data connections out.
13 HP-UX IPFilter with NFS and RPC 13.1 Introduction The NFS service uses multiple daemons. The NFS daemon, nfsd, listens for requests on the static (fixed) TCP and UDP port number 2049. By default, the auxiliary daemons used for the NFS services—rpc.lockd (lockd), rpc.mountd (mountd), and rpc.statd (statd)—listen for service requests on dynamic port numbers. These daemons use the Remote Procedure Call (RPC) protocol and register their port numbers with the port mapper daemon (rpc.
13.3 Using the rpc.ipfboot script to update IPFilter rules
The /etc/opt/ipf/rpc.ipf/rpc.ipfboot script queries the port mapper and updates the IPFilter rules files with the appropriate port numbers. This script is useful if you cannot run the auxiliary NFS daemons using fixed ports as described in the previous section, or if you want IPFilter to process packets for other daemons that use the RPC mechanism.
The /etc/opt/ipf/rpc.ipf/rpc_ipfconf file contains the client list and program list. The sample file grants access to the program numbers listed from the IP addresses and IP subnets listed in the client list. The example shown in the sample file lists the program numbers used by an NFS server: rpc.mountd, rpc.statd, rpc.lockd, and nfsd. This file also has the following declared:
• ADD_RPC_IPFILTER_RULES=1
Set this to 1 to configure RPC IPFilter rules.
14 HP-UX IPFilter and IPSec 14.1 IPFilter and IPSec basics IPSec and IPFilter will not panic or corrupt each other. However, there are situations in which one product might block traffic for the other. The following figure shows the positions of IPFilter and IPSec in the network stack: Figure 1 IPFilter and IPSec IPFilter, which is below IPSec in the networking stack, filters network packets before they reach IPSec.
To enable IPSec to complete IKE negotiations, configure IPFilter to allow the IKE negotiation packets through.
Figure 3 Scenario two
In Scenario two, IPFilter is configured to block UDP traffic on system A, and you want all TCP traffic to pass through. From system B on the network, you want all TCP traffic encrypted. System A has IP address 10.10.10.10 and system B has IP address 15.15.15.15. You configure IPSec on each system to encrypt packets between the two systems.
Figure 5 Packet with unencrypted TCP data
Figure 6 Packet with IPSec-encrypted TCP data
IPFilter never sees the TCP packets between system A and system B with a protocol number of 6. These packets are encrypted (or wrapped) in a packet that has a protocol number of 50. If you configure IPFilter to block packets with protocol number 6, it still lets protocol number 50 pass through. IPSec takes apart the packet and decrypts the TCP data.
15 HP-UX IPFilter and Serviceguard
15.1 Using HP-UX IPFilter with Serviceguard
HP-UX IPFilter supports local failover in a Serviceguard environment.
CAUTION: NAT functionality is not supported with Serviceguard.
15.1.1 Enabling or disabling IPFilter
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX IPFilter when critical network applications are running.
for each node in the cluster. Rules that filter on interface names will also be different on different nodes in a cluster. 15.1.3.1 Filtering on a package IP address HP-UX IPFilter can filter on a package IP address. The package IP address is an IP address that corresponds to a logical network interface. For example, a telnet connection is made to the primary cluster node with a package IP address of 17.13.24.105. You want to configure IPFilter to let telnet traffic through.
NOTE: This list of HA services is not exhaustive. In addition, Serviceguard also uses dynamic ports (typically in the 49152–65535 range) for some cluster services. If you have adjusted the dynamic port range using kernel tunable parameters, alter your rules accordingly. This list does not include all HA applications (such as Continental Cluster). New HA applications might be developed that use port numbers in addition to the listed numbers.
# Allow hacl-poll for HA Cluster TCP polling (cmappserver for hpvm or APPSERV)
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flag S keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flag S keep state
To enable users on cluster nodes to run the cmscancl command, you must configure rules to allow remote shell packets (TCP port 514).
15.1.3.
In the previous set of rules, cluster_nodes are all nodes in the cluster, smh_mgmt is the address of the SMH Management Station, and clog_tcp is the TCP port configured for the clog package. 15.1.4 DCA remote failover Normally, IPFilter keep state rules are configured with the flags S parameter. This parameter instructs IPFilter to create a TCP state entry only when a SYN packet is parsed. To enable transparent failover between IPFilter DCA nodes, do not use flags S with keep limit rules.
16 Support and other resources
16.1 Contacting HP
16.1.1 Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product model name and number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level
16.1.
16.2.1 Fixes for HP-UX 11i v3
QXCR1001042506  HP-UX IPFilter rules loading returns ENOMEM even when memory is available.
QXCR1001042389  The ipf command shows slower performance when loading a big rule file with A.11.31.16 and A.11.31.17.
QXCR1001042502  High memory usage when loading a large number of HP-UX IPFilter rules.
QXCR1001030338  ipfstat -r not working in HP-UX IPFilter A.11.xx.17 release.
Ctrl+x                A key sequence. A sequence such as Ctrl+x indicates that you must hold down the key labeled Ctrl while you press another key or mouse button.
ENVIRONMENT VARIABLE  The name of an environment variable, for example, PATH.
ERROR NAME            The name of an error, usually returned in the errno variable.
Key                   The name of a keyboard key. Return and Enter both refer to the same key.
Term                  The defined use of an important word or phrase.
User input            Commands and other text that you type.
A Product specifications
A.1 Configuration files
HP-UX IPFilter uses the following configuration files:
• /sbin/init.d/ipfboot
The startup script for the ipf module.
• /etc/rc.config.d/ipfconf
Configuration file for the ipfboot startup script. The information in this file determines how HP-UX IPFilter starts when the system is booted and also specifies the location of the rules files.
• /etc/opt/ipf/ipf.conf
The default IPFilter IPv4 rules file.
• /sbin/ipnat
• /opt/ipf/bin/ipfilter (supported on HP-UX 11i v3 only)
A.4 Unsupported utilities
HP does not support the following public domain IPFilter utilities and commands:
• Rule keywords
  ◦ dup-to
  ◦ fastroute
  ◦ to
• Commands
  ◦ ipscan
  ◦ ipsyncs
  ◦ ipsyncm
  ◦ ipfs
  ◦ ipsend
  ◦ ipresend
• Application proxy
A.5 Supported and unsupported interfaces
The following table lists the interfaces supported for the current versions of HP-UX IPFilter.
Table 3 HP-UX IPFilter supported interfaces
IPFilter version       Supported interfaces
HP-UX A.11.xx.17.xx    • Ethernet (10Base-T)
                       • Fast Ethernet (100Base-T)
                       • Gigabit Ethernet (1000Base-T)
                       • 10 Gigabit Ethernet
                       • APA
                       • VLAN
                       • FDDI
                       • Token Ring
                       • InfiniBand (supported on HP-UX 11i v2 only)
                       • X.25 (supported on HP-UX 11i v3 only)
HP-UX A.11.xx.         • Ethernet (10Base-T)
                       • Fast Ethernet (100Base-T)
                       • Gigabit Ethernet (1000Base-T)
                       • 10 Gigabit Ethernet
Table 3 HP-UX IPFilter supported interfaces (continued)
IPFilter version                              Supported interfaces
Open source versions:                         • Ethernet (10Base-T)
A.03.05.14 (HP-UX 11i v1 and HP-UX 11i v2)    • Fast Ethernet (100Base-T)
A.03.05.13 (HP-UX 11i v3)                     • Gigabit Ethernet (1000Base-T)
A.03.05.12                                    • APA
A.03.05.11.01                                 • VLAN
A.03.05.10
A.03.05.10.02
A.03.05.10.04
A.03.05.06.
B HP-UX IPFilter configuration examples
This appendix provides IPFilter configuration examples that are also included in the /opt/ipf/examples directory with HP-UX IPFilter. You can take useful rules that you find in these examples and copy them into /etc/opt/ipf/ipf.conf, which is your HP-UX IPFilter configuration file. These files are taken from the files provided with the open source IPFilter product.
B.1 BASIC_1.
pass in quick proto tcp from any to any port = ftp keep state group 201
pass in quick proto tcp from any to any port = ftp-data keep state group 201
pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
#
# Allow NTP from any internal host to any external NTP server.
#
#------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the
# loopback interface should *NOT* exist
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.
#
#
# block all outbound packets.
#
block out from any to any
#
#
# allow any host to send any IP packet out to a limited number
# of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32
B.6 example.4
#
# block all ICMP packets.
#
block in proto icmp from any to any
#
B.7 example.
B.9 example.7
# block all ICMP packets.
#
block in proto icmp all
#
# allow in ICMP echos and echo-replies.
#
pass in on lan1 proto icmp from any to any icmp-type echo
pass in on lan1 proto icmp from any to any icmp-type echorep
#
# block all ICMP destination unreachable packets which are
# port-unreachables
#
block in on lan1 proto icmp from any to any icmp-type unreach code 3
B.10 example.
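As an added example (not code from HP-UX IPFilter or from this guide), the following Python evaluator models the subset of the rule syntax used in Section 11.1 and in example.7 above: the icmp-type and code keywords, the rule that the last matching rule decides unless a matching rule is quick, and the Chapter 14 point that a rule blocking protocol 6 does not touch protocol 50 packets. Interface names and packet addresses fed to it are constructed; ports and IPv6 are outside the modelled subset.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50}
ICMP_TYPE_NAMES = {"echorep": 0, "unreach": 3, "echo": 8, "timex": 11}  # Table 2 names

# direction "in"/"out"; iface e.g. "lan1"; proto = IP protocol number (1 ICMP, 6 TCP, 50 ESP)
Packet = namedtuple("Packet", "direction iface proto src dst icmp_type icmp_code",
                    defaults=(None, None))

@dataclass
class Rule:                         # a None field matches anything
    action: str                     # "pass" or "block"
    direction: str
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def parse_rule(text: str) -> Rule:
    """Subset: action dir [quick] [on IF] [proto P] (all | from A to B) [icmp-type T
    [code C]]; 'log', 'keep state' and 'group N' are skipped; ports are not modelled."""
    toks = text.split()
    rule = Rule(action=toks[0], direction=toks[1])
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "quick":
            rule.quick = True
        elif t == "on":
            rule.iface = nxt
        elif t == "proto":
            rule.proto = PROTO_NUMBERS[nxt] if nxt in PROTO_NUMBERS else int(nxt)
        elif t in ("from", "to"):
            net = None if nxt == "any" else ipaddress.IPv4Network(nxt, strict=False)
            setattr(rule, "src" if t == "from" else "dst", net)
        elif t == "icmp-type":
            rule.icmp_type = ICMP_TYPE_NAMES[nxt] if nxt in ICMP_TYPE_NAMES else int(nxt)
        elif t == "code":
            rule.icmp_code = int(nxt)
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    return all([
        rule.direction == pkt.direction,
        rule.iface is None or rule.iface == pkt.iface,
        rule.proto is None or rule.proto == pkt.proto,
        rule.src is None or ipaddress.ip_address(pkt.src) in rule.src,
        rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst,
        rule.icmp_type is None or rule.icmp_type == pkt.icmp_type,
        rule.icmp_code is None or rule.icmp_code == pkt.icmp_code,
    ])

def evaluate(rules, pkt: Packet) -> str:
    """IPFilter semantics: the last matching rule decides, unless a matching
    rule is 'quick', which ends the search at once.  No match at all: pass."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# The four rules of example.7 (appendix B.9 in this guide), comments stripped
EXAMPLE_7 = [parse_rule(r) for r in (
    "block in proto icmp all",
    "pass in on lan1 proto icmp from any to any icmp-type echo",
    "pass in on lan1 proto icmp from any to any icmp-type echorep",
    "block in on lan1 proto icmp from any to any icmp-type unreach code 3",
)]
```

With example.7 loaded, an echo request arriving on lan1 passes, the same packet on lan0 is blocked, and a destination-unreachable with any code other than 3 is blocked because only the first rule matches it.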
# through to host 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are
# destined for localhost
#
pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block any packet trying to get to X terminal ports, X:0 to
# X:9
#
block in proto tcp from any to any port 5999 >< 6010
#
# allow any connections to be made, except to BSD
# print/r-services this will also protect syslog.
# 10.3.3.1
#
pass in on lan0 to lan1:10.3.3.1 proto icmp all
B.16 example.sr
#
# log all inbound packets on lan0 which has IP options present
#
log in on lan0 from any to any with ipopts
#
# block any inbound packets on lan0 which are fragmented and
# "too short" to do any meaningful comparison on.  This actually
# only applies to TCP packets which can be missing the flags/ports
# (depending on which part of the fragment you see).
block in on lan0 proto icmp from any to 10.1.3.0/24
block in on lan0 proto icmp from any to 10.1.1.0/24
block in on lan0 proto icmp from any to 10.1.2.0/24
B.17 firewall
#Configuring IP Filter for firewall usage.
=========================================
Step 1 - Block out "bad" IP packets.
------------------------------------
Run the perl script "mkfilters".
a) b) c)
pass out quick on lan0 proto udp from any to any port = 53 keep state
block out on lan0 proto udp all
block in on lan0 proto udp all
B.20 BASIC.NAT
#!/sbin/ipnat -f
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# If only one valid IP address from the ISP, then use this
# rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> a.b.c.
map lan1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map lan1 10.1.0.0/16 -> 240.1.0.0/24
#
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box
# to the local ftp port and force them to connect
# through a proxy, you would use:
#
rdr lan0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
B.22 nat-setup
Configuring NAT on your network.
For example (using the above NAT rules), if you wanted to prevent all hosts in the 10.1.2.0/24 subnet from using NAT, you might use the following rules with ipf:
block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24
and use these with ipnat:
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
B.23 ipmon.
C HP-UX IPFilter kernel tunable parameters
C.1 Overview
HP-UX IPFilter supports the following kernel tunable parameters:
Name               Description                                                             Default value
fr_tcpidletimeout  The timeout period for TCP entries in the state table.                  86,400 seconds
fr_statemax        Specifies the maximum number of state table entries that can be created. 800,000 entries
C.3 fr_statemax
The fr_statemax parameter specifies the maximum number of entries in the IPFilter state table.
Name         Range                      Default value    Configuration utility
fr_statemax  4,000 - 1,600,000 entries  800,000 entries  HP-UX 11i v1: kmtune; HP-UX 11i v2 and HP-UX 11i v3: kctune
IPFilter allocates state table entries for packets using stateful (keep state) and Dynamic Connection Allocation (keep limit) rules. IPFilter also maintains a limit table to count the state table entries for DCA rules.
record was repeated. If this feature is disabled, IPFilter writes all log records, including duplicate records.
Name          Range                       Default value  Configuration utility
ipl_suppress  0 (disabled) - 1 (enabled)  1              HP-UX 11i v1 and HP-UX 11i v2: ndd; HP-UX 11i v3: kctune
C.7 ipl_logall
The ipl_logall parameter specifies whether IPFilter includes only the first 128 bytes of a packet in log records, or all the contents of the packet, when the log body keywords are specified in a rule.
ipl_logall
cur_iplbuf_sz (read only)
On HP-UX 11i v1, you can also use the ndd utility to configure and view the ipf_icmp6_passthru parameter, as described in Section 11.4 (page 77).
NOTE: You cannot add the IPFilter ndd variables to the ndd configuration file read at system startup time (/etc/rc.config.d/nddconf). When the system starts up, the IPFilter ndd variables are reset to their default values. The network device for the IPFilter parameters is /dev/pfil.
D HP-UX IPFilter static linking D.1 Overview IPFilter has two kernel modules, pfil, a streams module and ipf, a WSIO pseudo driver. These are dynamically loadable kernel modules. When IPFilter is installed on an HP-UX system using swinstall, these two modules are loaded and configured as dynamically linked modules. They can be loaded and unloaded when required without shutting down the system as long as the modules are not currently in use. D.
2. Use the kmsystem command to find the status of each module. See the kmsystem(1M) manpage for more detail. For example:
$ kmsystem -q pfil
Module   Configured   Loadable
pfil     Y            Y
The output is similar for the ipf module. This output shows that the pfil module is loadable.
3. Use the kmsystem command to set the loadable parameter to N.
$ kmsystem -l N -c Y ipf
$ kmsystem -q ipf
Module   Configured   Loadable
ipf      Y            N
$ kmsystem -l N -c Y pfil
4.
E Performance guidelines
You do not need to flush and reload an entire ruleset to modify some rules within the ruleset. Adding rules that already exist slows processing. If you are modifying a large ruleset, follow these steps:
1. Find the difference between the new ruleset and the current ruleset using the diff command.
2. Delete the old rules using the ipf -rf command.
3. If your ruleset contains keep limit rules, modify the rules with the ipf -f command.
4. Add the new rules using the ipf -f command.
• Consolidate rules whenever possible, to minimize searching. For example:
pass in quick proto tcp from 15.13.103.72 to any keep limit 80
pass in quick proto tcp from 15.13.103.0-15.13.103.6 to any keep limit 44
pass in quick proto tcp from 15.13.103.7 to any keep limit 33
pass in quick proto tcp from 15.13.103.
Figure 9 System operation
E.5 Performance monitoring
The performance of an IPFilter system depends primarily on four major factors:
• Number and length of rule searches (rule organization)
• Types of rules
• Network traffic
• System configuration
Monitor your system performance to ensure proper operation. HP recommends the following:
• Use ipfstat -ioh to monitor the rule searches. If a rule has a high hit count, this indicates that the rule can be optimized.