HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

A complete ruleset for this situation would be complex and would significantly slow user connections to
the network. To prevent this, the ruleset is created with rule groups:
block in quick on lan0 all head 1
block in quick on lan0 from 192.168.0.0/16 to any group 1
block in quick on lan0 from 172.16.0.0/12 to any group 1
block in quick on lan0 from 10.0.0.0/8 to any group 1
block in quick on lan0 from 127.0.0.0/8 to any group 1
block in log quick on lan0 from 20.20.20.0/24 to any group 1
block in log quick on lan0 from any to 20.20.20.0/32 group 1
block in log quick on lan0 from any to 20.20.20.63/32 group 1
block in log quick on lan0 from any to 20.20.20.64/32 group 1
block in log quick on lan0 from any to 20.20.20.127/32 group 1
block in log quick on lan0 from any to 20.20.20.128/32 group 1
block in log quick on lan0 from any to 20.20.20.255/32 group 1
pass in on lan0 all group 1
pass out on lan0 all
block out quick on lan1 all head 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.65/32 port = 53 keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.66/32 port = 53 keep state group 10
For a packet destined for a host on the lan2 network, IPFilter bypasses all the rules in group 10,
because the head rule for that group matches only packets going out on lan1.
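To make the evaluation order concrete, here is an added Python model of how ipf walks a grouped ruleset (example code written for this section, not part of the guide or of IPFilter); it parses a simplified subset of the rules above (interfaces and addresses only, with no proto, port, flags or keep state), and decide() returns the verdict together with the rules that matched, showing that a packet leaving on lan2 never touches group 10 while a spoofed packet from 20.20.20.0/24 arriving on lan0 is blocked inside group 1.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed subset of the guide's rules; proto, port, flags and keep state are not modelled.
RULES = """\
block in quick on lan0 all head 1
block in quick on lan0 from 192.168.0.0/16 to any group 1
block in log quick on lan0 from 20.20.20.0/24 to any group 1
pass in on lan0 all group 1
block out quick on lan1 all head 10
pass out quick on lan1 from any to 20.20.20.64/26 group 10
"""

RULE_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out)(?: log)?(?P<quick> quick)? on (?P<iface>\w+)"
    r" (?:all|from (?P<src>\S+) to (?P<dst>\S+))(?: head (?P<head>\d+))?(?: group (?P<group>\d+))?$")

def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    return dict(m.groupdict(), quick=m["quick"] is not None, text=line)

def addr_match(spec, addr):
    # 'any' or an 'all' rule matches everything; strict=False masks host bits, as ipf does
    return spec in (None, "any") or ip_address(addr) in ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["iface"] == pkt["iface"]
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"]))

def scan(rules, pkt, group, trace):
    """Last match wins unless a 'quick' match ends the scan; a matching 'head' rule hands the
    packet to its group, and a match inside the group replaces the head as the result."""
    result = None
    for rule in rules:
        if rule["group"] != group or not matches(rule, pkt):
            continue
        trace.append(rule["text"])
        result = rule
        if rule["head"] is not None:
            result = scan(rules, pkt, rule["head"], trace) or rule  # head applies if none match
        if result["quick"]:
            break
    return result

def decide(pkt, rules=[parse_rule(line) for line in RULES.splitlines()]):
    trace = []  # texts of the rules that matched, in evaluation order
    hit = scan(rules, pkt, None, trace)
    return (hit["action"] if hit else None), trace  # None: no rule matched at all
```

A packet is a dict with dir, iface, src and dst keys; an empty trace means the packet never entered any group.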
Multi-level grouping is also supported, allowing IPFilter rules to be arranged in hierarchical, nested
groups. By using the head and group keywords in a rule, multi-level grouping lets the user
fine-tune the range of rules that is evaluated, to improve performance. The following is an example of a multi-level rule grouping:
pass in proto tcp from 1.0.0.0-9.0.0.0 to any port = 23 keep state head 1
pass in proto tcp from 2.0.0.0-8.0.0.0 to any port = 23 keep state head 2 group 1
pass in proto tcp from 3.0.0.0-7.0.0.0 to any port = 23 keep state head 3 group 2
pass in proto tcp from 4.0.0.0-6.0.0.0 to any port = 23 keep state head 4 group 3
pass in proto tcp from 5.0.0.0-5.5.0.0 to any port = 23 keep state group 4
You can group your rules by protocol, system, netblock, or other logical criteria that help system
performance. The maximum number of nested group levels you can configure is 128. For more
information, see Appendix E (page 117).
On HP-UX 11i v3, rule groups can also be referenced by name. Referencing groups by name
makes the rule configuration more readable, because each group can be given a meaningful name.
For example, with three groups for the external network, the DMZ network, and the protected network,
the groups can be referred to by the following names:
block in quick on lan0 all head external-group
block in quick on lan0 from 192.168.0.0/16 to any group external-group
block in quick on lan0 from 172.16.0.0/12 to any group external-group
block out quick on lan1 all head DMZ-group
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group DMZ-group
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group DMZ-group
block out quick on lan2 all head protected-group
pass out quick on lan2 proto tcp from any to 20.20.20.164/26 port = 80 flags S keep state group protected-group
pass out quick on lan2 proto tcp from any to 20.20.20.164/26 port = 21 flags S keep state group protected-group
3.8 Loading IPv4 filter rules
By default, HP-UX IPFilter starts on bootup and loads IPv4 filter rules from the /etc/opt/ipf/ipf.conf
file. If you do not want IPv4 filter rules to load on bootup, place your rules in an alternate
location and then load the rules manually using the ipf command. The following tasks are some
of the most commonly used:
To add new rules to your ruleset from a file, use the -f option with the ipf command:
ipf -f rules_file
If a rule in the file is already loaded in the ruleset, IPFilter prints a message but continues
processing the file.
28 Configuring and loading IPv4 filter rules