HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
1 Overview
HP-UX IPFilter, product number B9901AA version 17.05, is a TCP/IP packet filter suitable for use
as a system firewall. The version string is A.11.31.17.05 for HP-UX 11i v3 and A.11.23.17.05
for HP-UX 11i v2.
HP-UX IPFilter functions as a firewall by examining and limiting packets allowed in and out of an
HP-UX system, which can be either an end node or an IP router. Although HP-UX IPFilter is a superset
of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product (developed by
Darren Reed), HP does not support some of the perimeter firewall features in that release, such as
firewall stealth (fastroute). If you are using features that are not supported by HP, you can
request support from the open source IPFilter web site at the following URL:
http://caligula.anu.edu.au/~avalon
For a complete list of commands and utilities that are not supported by HP, see Section 1.2
(page 11).
HP-UX IPFilter version 17.05 is available from the HP Software Depot at the following URL:
http://www.software.hp.com.
1.1 Benefits and features
HP-UX IPFilter provides the following key benefits:
• Protects an individual host on an intranet against internal attacks
• Protects an individual host on an intranet against external attacks that have breached perimeter
defenses
• Provides an alternative to the restricted configuration of Internet Services
• Protects a bastion host on the perimeter of a private network or in the “demilitarized zone”
(DMZ)
The following major features are included with HP-UX IPFilter for HP-UX 11i v3:
• Rate-based filtering
• Address pooling
• The ippool utility
• The ippool.conf file
• State aging
• Log tags
• NAT tags
• Sticky NAT sessions
• Connection health checking with l4check
• IPFilter Log Events analysis
• Rule groups
• Explicitly permit or deny a packet from passing through based on:
◦ IP address or a range of IP addresses
◦ IP protocol (IP/TCP/UDP)
◦ IP fragments
◦ IP options