HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

9.3.3.2 ipmon.conf file syntax
match {<matching rules>} do {<action>}
If a UDP packet from 10.1.1.41 is blocked by the configured IPF rules (and the blocking rule logs it, since ipmon only sees packets that a rule with the log keyword hands to it), then
ipmon sends mail to the root account with the subject "blocked UDP packet from 10.1.1.41".
For example:
match { srcip = 10.1.1.41/32, protocol = udp, result = block }
do {execute "/usr/bin/mail -s 'blocked UDP packet from 10.1.1.41' root" };
If an ICMP packet going to 10.1.1.40 is passed by the configured IPF rules, then ipmon
logs the packet to syslog. For example:
match { dstip = 10.1.1.40/32, protocol = icmp, result = pass }
do { syslog };
If a packet arrives on interface lan4 and matches a keep state rule, then ipmon logs it to
syslog and also saves the log record to the separate file /state_save. For example:
match {interface = lan4, type = state}
do { syslog, save "/state_save" };
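The execute action in the UDP example above runs the given command as root once for every matching log record, so a burst of blocked packets from 10.1.1.41 produces a burst of mail. The following rate-limited wrapper is an added example and not part of the guide or of HP-UX IPFilter; the script name /usr/local/sbin/ipf-alert, the state directory /var/run/ipf-alert, the key strings and the 300-second window are this example's own choices, and it assumes date +%s is available on the target system.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPFilter guide: a rate-limited wrapper
# for ipmon's execute action. ipmon runs the execute string as root once per
# matching log record, so the guide's plain mail command fires for every
# blocked packet. This wrapper records the last alert time per key in a
# state file and suppresses repeats inside WINDOW seconds.
#
# ipmon.conf rule using the wrapper (same match as the guide's UDP example;
# the path and key are assumptions of this example):
#   match { srcip = 10.1.1.41/32, protocol = udp, result = block }
#   do { execute "/usr/local/sbin/ipf-alert udp-10.1.1.41 'blocked UDP packet from 10.1.1.41'" };

WINDOW=300                          # minimum seconds between alerts per key

# throttle_alert KEY STATEDIR NOW
# Returns 0 (send) when no alert for KEY was recorded within WINDOW seconds
# of NOW, and records NOW; returns 1 (suppress) otherwise.
throttle_alert() {
    # keep only filename-safe characters so KEY cannot escape STATEDIR
    key=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
    statedir=$2
    now=$3
    mkdir -p "$statedir" || return 1
    stamp="$statedir/$key.last"
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
        if [ $((now - last)) -lt "$WINDOW" ]; then
            return 1
        fi
    fi
    printf '%s\n' "$now" > "$stamp"
    return 0
}

# Entry point when ipmon runs the wrapper: ipf-alert KEY SUBJECT
if [ "$#" -eq 2 ]; then
    # date +%s is assumed to be available on the target system
    if throttle_alert "$1" /var/run/ipf-alert "$(date +%s)"; then
        printf 'ipmon matched a rule; see syslog for the packet record\n' |
            /usr/bin/mail -s "$2" root
    fi
fi
```

Install the script mode 0755 owned by root, since ipmon will run it with root privileges; anything writable by another user in that path becomes root code execution.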
9.4 Troubleshooting tips
This section describes how to troubleshoot an HP-UX IPFilter configuration. It provides information
about possible problems that might occur along with the steps needed to resolve them.
HP-UX IPFilter is not filtering packets (it passes/allows all network packets).
On HP-UX 11i v3 systems, verify that HP-UX IPFilter is enabled by entering the following
command:
ipfilter -q
If IPFilter is not enabled, enable it by entering the following command:
ipfilter -e
Load the rulesets after enabling IPFilter. See Section 3.8 (page 28).
On all HP-UX versions, verify that HP-UX IPFilter is running by entering the following command:
ipf -V
The running field should say yes. If it says no, then the HP-UX IPFilter module has not been
loaded. It might have been explicitly unloaded.
To load IPFilter again, use:
/sbin/init.d/ipfboot start
To determine if the HP-UX IPFilter DLKM modules are loaded, execute either the kmadmin(1M)
command on HP-UX 11i v1 or the kcmodule(1M) command on HP-UX 11i v2 and HP-UX
11i v3. See the respective manpages for more information.
Load the rules and check again that IPFilter works. If it still does not work, reboot the system
and check /etc/rc.log and /var/adm/syslog/syslog.log for errors.
The host does not seem to be on the network and ping messages do not go through.
Check the rules you have configured using ipfstat -io, which displays the active inbound and
outbound rules. Look for a rule that blocks ICMP to or from the host, since ping uses ICMP echo request and reply.
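The following script is an added example, not part of the guide or of HP-UX IPFilter, that walks the two troubleshooting cases above: "IPFilter is not filtering" (module running? rules loaded?) and "ping does not go through" (is a block rule matching ICMP?). The parsing functions take command output as an argument so they can be exercised against the constructed samples in the script without an HP-UX host; ipf_health_check runs the real commands and must be run as root on HP-UX. It assumes that ipf -V prints a Running: line, and that ipfstat -io prints one rule per line or an "empty list for ..." line when nothing is loaded.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPFilter guide: a checker for the
# troubleshooting steps in Section 9.4. The parsers take command output as
# an argument so they run against the constructed samples below; only
# ipf_health_check needs a real HP-UX host (and root).
# Assumptions: "ipf -V" prints a "Running:" line; "ipfstat -io" prints one
# rule per line, or "empty list for ..." when no rules are loaded.

# Constructed sample output (not captured from a real system).
SAMPLE_IPF_V='ipf: IP Filter: v4.1.20
Kernel: IP Filter: v4.1.20
Running: yes
Log Flags: 0 = none
Default: pass all, Logging: available
Active list: 0'

SAMPLE_RULES='block in log quick on lan4 proto udp from 10.1.1.41/32 to any
pass in quick on lan4 proto icmp from any to 10.1.1.40/32
pass out quick on lan4 proto tcp from any to any keep state'

# ipf_running IPF_V_OUTPUT
# Returns 0 when the Running field says yes (module loaded), 1 otherwise.
ipf_running() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "running:" { found = 1; if (tolower($2) == "yes") ok = 1 }
        END { if (found && ok) exit 0; exit 1 }'
}

# rule_count IPFSTAT_IO_OUTPUT
# Prints the number of active rules, ignoring blank, comment and
# "empty list" lines. Zero rules with the module running means the
# default policy applies and nothing is filtered.
rule_count() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*$/ || /^#/ || /^empty list/ { next }
        { n++ }
        END { print n + 0 }'
}

# blocks_icmp IPFSTAT_IO_OUTPUT
# Returns 0 if any active rule is a block rule on proto icmp, which is the
# usual reason ping stops working after rules are loaded.
blocks_icmp() {
    printf '%s\n' "$1" | awk '
        $1 == "block" && / proto icmp / { hit = 1 }
        END { if (hit) exit 0; exit 1 }'
}

# Runs the real commands; HP-UX only, as root.
ipf_health_check() {
    # HP-UX 11i v3 only: the ipfilter(1M) enable/disable switch
    if command -v ipfilter >/dev/null 2>&1; then
        echo "ipfilter -q reports:"; ipfilter -q
    fi
    out=$(ipf -V 2>&1)
    if ipf_running "$out"; then
        echo "IPFilter module is running"
    else
        echo "IPFilter module not running; try: /sbin/init.d/ipfboot start"
        return 1
    fi
    rules=$(ipfstat -io 2>&1)
    n=$(rule_count "$rules")
    echo "active rules: $n"
    [ "$n" -eq 0 ] && echo "no rules loaded: all packets pass; load the ruleset"
    blocks_icmp "$rules" && echo "a block rule matches ICMP; ping will not get through"
    return 0
}
```

Call ipf_health_check from a root shell on the HP-UX host; the sample variables are only there so the parsers can be tried elsewhere.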
64 Troubleshooting HP-UX IPFilter