HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
You can use this command when IPFilter is running.
3.9 Rule tags
3.9.1 Log tags
Log tags are used in IPF rules to help with parsing log files. Use a log tag to find the logged
packets that belong to a particular IPF rule.
For example, the following rule blocks all TCP packets from 10.1.1.42, has ipmon log those packets
to syslog, and attaches the log tag rule1 to help with parsing the log file:
block in log proto tcp from 10.1.1.42/32 to any set-tag(log=rule1)
3.9.2 NAT tags
This tag creates an implied join between IPF rules and NAT rules. NAT tags are used in both IPF rules
and NAT rules. There are two kinds of NAT rules: map and rdr. The map rules are processed in
the OUT path and perform source address translation. The rdr rules are processed when packets enter
the system and perform destination address translation.
Use nat-tag in the rdr rule corresponding to the IPF rule in the IN path. Use nat-tag in the map
rule corresponding to the IPF rule in the OUT path. In the IN path, NAT processing takes place first,
followed by filter checking. In the OUT path, filter checking takes place first, followed by NAT
processing.
In the following example, nat-tag is in both the rdr (NAT) rule and the IPF rule. The rdr rule
redirects packets coming to 10.1.1.40 to 10.1.1.41. If the same packet is coming from
10.1.1.42, it matches the IPF rule and is blocked. If nat-tag in the rdr (NAT) rule is
changed to some other value, then the IPF rule does not match even if the packet is coming from
10.1.1.42, and the packet is allowed through.
rdr lan4 10.1.1.40/32 port 23 -> 10.1.1.41 tag test-tag
block in from 10.1.1.42 to 10.1.1.41 set-tag(nat=test-tag)
The following example allows the packet to 10.1.1.41, and the map rule changes the source address
from 10.1.1.42 to 10.1.1.40 if nat-tag matches. If nat-tag is changed to some other value
in the IPF rule, then the map rule does not translate the source address, even if the packet is coming
from 10.1.1.42.
pass out from 10.1.1.42 to 10.1.1.41 set-tag(nat=test-tag)
map lan4 10.1.1.42/32 -> 10.1.1.40 tag test-tag
For more information, see the ipnat(4) and ipf(4) manpages. See also Chapter 6 (page 42).
NOTE: This is available only on HP-UX 11i v3.
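The nat-tag join in the two examples above can be traced with a small model. This is an added example, not HP code or IPFilter's implementation: the Packet class and the inbound/outbound functions are hypothetical, ports and interfaces are ignored, and a packet that matches no block rule is assumed to pass.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    nat_tag: Optional[str] = None  # tag carried between NAT and filter processing

def inbound(pkt, rdr_tag, filter_tag):
    """IN path: rdr (NAT) runs first, then the IPF block rule is checked."""
    # rdr lan4 10.1.1.40/32 port 23 -> 10.1.1.41 tag <rdr_tag>
    if pkt.dst == "10.1.1.40":
        pkt = replace(pkt, dst="10.1.1.41", nat_tag=rdr_tag)
    # block in from 10.1.1.42 to 10.1.1.41 set-tag(nat=<filter_tag>)
    if (pkt.src, pkt.dst, pkt.nat_tag) == ("10.1.1.42", "10.1.1.41", filter_tag):
        return "block", pkt
    return "pass", pkt  # assumption: nothing else in the rule set blocks it

def outbound(pkt, filter_tag, map_tag):
    """OUT path: the IPF pass rule is checked first, then map (NAT) runs."""
    # pass out from 10.1.1.42 to 10.1.1.41 set-tag(nat=<filter_tag>)
    if (pkt.src, pkt.dst) == ("10.1.1.42", "10.1.1.41"):
        pkt = replace(pkt, nat_tag=filter_tag)
    # map lan4 10.1.1.42/32 -> 10.1.1.40 tag <map_tag>
    if pkt.src == "10.1.1.42" and pkt.nat_tag == map_tag:
        pkt = replace(pkt, src="10.1.1.40")
    return "pass", pkt

def tag_mismatches(filter_tags, nat_tags):
    """Audit helper: tags used on one side of the join but not the other."""
    return sorted(set(filter_tags) ^ set(nat_tags))

if __name__ == "__main__":
    telnet = Packet(src="10.1.1.42", dst="10.1.1.40")   # constructed sample
    print(inbound(telnet, "test-tag", "test-tag"))       # tags agree: blocked
    print(inbound(telnet, "other-tag", "test-tag"))      # tags differ: passes
    reply = Packet(src="10.1.1.42", dst="10.1.1.41")     # constructed sample
    print(outbound(reply, "test-tag", "test-tag"))       # source translated
    print(outbound(reply, "other-tag", "test-tag"))      # source left as-is
    print(tag_mismatches(["test-tag"], ["other-tag"]))   # both tags flagged
```

A tag that appears on only one side of the join, as reported by tag_mismatches, means the block rule never fires or the map rule never translates, so compare the tags in the IPF and NAT rule files whenever either is edited.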