HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
15 HP-UX IPFilter and Serviceguard
15.1 Using HP-UX IPFilter with Serviceguard
HP-UX IPFilter supports local failover in a Serviceguard environment.
CAUTION: NAT functionality is not supported with Serviceguard.
15.1.1 Enabling or disabling IPFilter
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network
connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX IPFilter
when critical network applications are running.
Disabling or enabling IPFilter briefly brings down all IP interfaces, then brings up only the IP
interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6 files.
IP addresses not configured in the netconf or netconf-ipv6 file, such as Serviceguard relocatable
IP addresses, are not re-enabled.
Enabling or disabling IPFilter causes the system to briefly lose network connectivity. If a system has
several IP interfaces or there is heavy network traffic, the time required to re-establish network
connectivity might be interpreted as a network or card failure. For example, Serviceguard might
interpret a network interruption as a card failure, which can cause it to reform the cluster.
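The following is an added example, not part of the HP guide and not a tool shipped with HP-UX IPFilter or Serviceguard. It shows a pre-check an administrator might run before enabling or disabling IPFilter: it parses the IPv4 variables of a netconf file (the INTERFACE_NAME[n]/IP_ADDRESS[n] layout is assumed here; netconf-ipv6 is not handled) and compares them with a snapshot of the addresses currently up on the node, reporting any address, such as a relocatable address, that will not be re-enabled. Both the netconf text and the address snapshot are constructed sample data.

```python
import re

# Constructed sample of /etc/rc.config.d/netconf content (assumed variable layout).
NETCONF_SAMPLE = """
INTERFACE_NAME[0]=lan0
IP_ADDRESS[0]=192.0.2.10
SUBNET_MASK[0]=255.255.255.0
INTERFACE_NAME[1]=lan1
IP_ADDRESS[1]=192.0.2.11
SUBNET_MASK[1]=255.255.255.0
"""

# Constructed snapshot of the addresses currently up on the node (what ifconfig
# or netstat -in would show). 192.0.2.100 stands in for a Serviceguard
# relocatable address that is not present in netconf.
CURRENT_ADDRESSES = {
    "lan0": ["192.0.2.10", "192.0.2.100"],
    "lan1": ["192.0.2.11"],
}

_NETCONF_VAR = re.compile(r'\s*(INTERFACE_NAME|IP_ADDRESS)\[(\d+)\]=\s*"?([^"\s]+)"?')


def parse_netconf(text):
    """Return {ip: interface} for every IP_ADDRESS[n] paired with an INTERFACE_NAME[n]."""
    names, addrs = {}, {}
    for line in text.splitlines():
        m = _NETCONF_VAR.match(line)
        if not m:
            continue  # comments, masks, and unrelated variables are ignored
        key, idx, val = m.groups()
        (names if key == "INTERFACE_NAME" else addrs)[int(idx)] = val
    return {addrs[i]: names[i] for i in addrs if i in names}


def addresses_not_restored(netconf_text, current):
    """List (interface, ip) pairs that are up now but absent from netconf.

    These are the addresses that will stay down after IPFilter is enabled or
    disabled, because only netconf-configured interfaces are brought back up.
    """
    persistent = parse_netconf(netconf_text)
    missing = [(iface, ip)
               for iface, ips in current.items()
               for ip in ips
               if ip not in persistent]
    return sorted(missing)


if __name__ == "__main__":
    for iface, ip in addresses_not_restored(NETCONF_SAMPLE, CURRENT_ADDRESSES):
        print(f"{ip} on {iface} is not in netconf and will not be re-enabled")
```

On a real node the snapshot would be built from the live interface configuration rather than a literal; the point of the check is to know, before the interruption, which addresses Serviceguard will have to re-add itself.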
15.1.2 Local failover
NOTE: See the Serviceguard documentation for information on configuring a local failover system
in Serviceguard.
IPFilter local failover is transparent to users. Network sessions are not disrupted during failover or
failback.
You do not need to configure any additional rules in IPFilter. When an interface fails over, the
HP-UX IPFilter rules that specify interface names are automatically changed.
For example, a node in a Serviceguard cluster has a primary interface named lan0 and a standby
interface named lan1. The following rule is configured for lan0:
pass in on lan0 proto tcp from any to any port = telnet
Upon failover, the rule is automatically modified to:
pass in on lan1 proto tcp from any to any port = telnet
The rule will be changed back automatically on failback.
All rules that filter on interface names are changed at failover and failback in both the active ruleset
and the inactive ruleset. In addition, logging reflects the changes; the standby interface name will
appear in logs and reports when it is in use.
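To make the interface substitution concrete, here is an added example (not HP's code and not how IPFilter performs the change internally) that applies the same rewrite to a constructed ruleset: every rule whose "on <interface>" clause names the primary interface is rewritten to the standby on failover, rules naming other interfaces or no interface are left alone, and failback restores the original text. It also applies the rewrite to both an active and an inactive ruleset, as the text describes.

```python
import re

# Constructed ruleset in HP-UX IPFilter syntax. lan0 is the primary interface,
# lan1 its Serviceguard standby; lan2 is unrelated and must not be touched.
ACTIVE_RULESET = [
    "pass in on lan0 proto tcp from any to any port = telnet",
    "pass out quick on lan0 proto udp from any to any port = domain",
    "block in on lan2 all",
    "pass in proto tcp from 192.0.2.0/24 to any port = ssh",
]
INACTIVE_RULESET = [
    "block in on lan0 all",
]

# Matches the interface token that follows the "on" keyword in a rule.
_ON_IFACE = re.compile(r'\bon\s+(\S+)')


def rewrite_interface(rule, old, new):
    """Rewrite the 'on <interface>' clause of one rule only if it names `old`."""
    return _ON_IFACE.sub(
        lambda m: "on " + new if m.group(1) == old else m.group(0),
        rule, count=1)


def failover(rules, primary, standby):
    """Rules as they read after the primary interface fails over to the standby."""
    return [rewrite_interface(r, primary, standby) for r in rules]


def failback(rules, primary, standby):
    """Rules as they read after the primary interface is restored."""
    return [rewrite_interface(r, standby, primary) for r in rules]


def failover_rulesets(rulesets, primary, standby):
    """Apply the failover rewrite to every ruleset (active and inactive alike)."""
    return {name: failover(rules, primary, standby) for name, rules in rulesets.items()}


if __name__ == "__main__":
    rulesets = {"active": ACTIVE_RULESET, "inactive": INACTIVE_RULESET}
    for name, rules in failover_rulesets(rulesets, "lan0", "lan1").items():
        print(f"--- {name} ruleset after failover ---")
        print("\n".join(rules))
```

Because the rewrite is keyed on the interface name alone, rules that filter on addresses rather than interfaces (the last rule above) are unaffected by failover, which is why no extra rules need to be configured for the standby interface.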
15.1.3 Remote failover
HP-UX IPFilter is a system firewall and as such should be installed on end systems. Connections to
an IPFilter system that are lost during a remote failover must be reinitiated.
Install and configure HP-UX IPFilter on each node of a Serviceguard cluster that must be protected.
The IPFilter configuration for the primary node might be different from the configuration for the
backup nodes.
For example, the backup node might be multihomed and require a different ruleset. Also, rules
could be configured to filter on the static IP address of the receiving node that would be different