HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

NOTE: Do not run the HP-UX IPFilter product when the system is booted in single-user mode.
2.4 Step 3: Verifying the installation
Use the following commands to verify the HP-UX IPFilter installation.
Verify that HP-UX IPFilter is running using the -V option of the ipf command:
ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.31.17.05) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.17.05)
Enabled: yes
Filtering: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Verify that HP-UX IPFilter has been correctly loaded.
On HP-UX 11i v2 and HP-UX 11i v3, enter the following commands:
# kcmodule -v -q pfil
# kcmodule -v -q ipf
Verify that the state is loaded.
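The ipf -V check in this step, scripted as an added example (not part of the HP guide or the IPFilter product). It fails unless Enabled and Filtering are both yes and the ipf and Kernel lines report the same release. The function names are hypothetical, and the embedded sample is the output shown in this step.

```shell
#!/bin/sh
# Added example: validate captured `ipf -V` output after installation.
# Sample text is the output printed in the guide's verification step.
SAMPLE_IPF_V='ipf: HP IP Filter: v3.5alpha5 (A.11.31.17.05) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.17.05)
Enabled: yes
Filtering: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1'

# ipfv_field NAME TEXT: print the value of the first "NAME: value" line.
ipfv_field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | sed -n '1p'
}

# ipfv_release NAME TEXT: print the first parenthesised token (the HP
# release string) on the line that starts with "NAME:".
ipfv_release() {
    printf '%s\n' "$2" | sed -n "s/^$1:[^(]*(\([^)]*\)).*/\1/p" | sed -n '1p'
}

# check_ipf_v TEXT: return 0 only if the filter is enabled, filtering is
# on, and the ipf command and the kernel module report the same release.
check_ipf_v() {
    out=$1
    rc=0
    [ "$(ipfv_field Enabled "$out")" = yes ] || { echo "FAIL: Enabled is not yes"; rc=1; }
    [ "$(ipfv_field Filtering "$out")" = yes ] || { echo "FAIL: Filtering is not yes"; rc=1; }
    tool=$(ipfv_release ipf "$out")
    kern=$(ipfv_release Kernel "$out")
    if [ -z "$tool" ] || [ "$tool" != "$kern" ]; then
        echo "FAIL: ipf release '$tool' does not match kernel release '$kern'"
        rc=1
    fi
    # Reported for review only: with "pass all", packets that match no rule pass.
    echo "INFO: default policy is '$(ipfv_field Default "$out" | sed 's/,.*//')'"
    return $rc
}

# On a live system: check_ipf_v "$(ipf -V 2>&1)"
```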
2.5 Step 4: (Optional) Modifying kernel tunable parameters
HP-UX IPFilter supports kernel tunable parameters that affect IPFilter logging behavior and the
IPFilter state table. For information about modifying them, see Appendix C (page 111).
In addition, Chapter 11 (page 72) describes system kernel tunable parameters that control ICMP
features and how to configure them to optimize security.
NOTE: The HP-UX IPFilter installation script disables subnet broadcast packet forwarding by
setting the kernel tunable parameter ip_forward_directed_broadcasts to 0. HP recommends
that you leave this feature disabled unless you have a specific need for your node to forward subnet
broadcast packets. Attackers can use subnet broadcast packet forwarding to amplify
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
2.6 Removing HP-UX IPFilter
Use the following procedure to remove HP-UX IPFilter.
1. On HP-UX 11i v3 systems, disable HP-UX IPFilter:
/opt/ipf/bin/ipfilter -d
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network
connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX IPFilter
when critical network applications are running.
Disabling or enabling IPFilter briefly brings down all IP interfaces, then brings up only
the IP interfaces configured in the /etc/rc.config.d/netconf and
/etc/rc.config.d/netconf-ipv6 files. IP addresses not configured in the netconf or netconf-ipv6 file,
such as Serviceguard relocatable IP addresses, are not re-enabled.
Enabling or disabling IPFilter causes the system to briefly lose network connectivity. If a system
has several IP interfaces or there is heavy network traffic, the time required to re-establish
network connectivity might be interpreted as a network or card failure. For example,
Serviceguard might interpret a network interruption as a card failure, which can cause it to
reform the cluster.