HP-UX IPFilter V17.05 Release Notes
HP-UX 11i v2

Abstract

This document describes hardware and software requirements for HP-UX IPFilter. This document is intended for system administrators who plan to install and use HP-UX IPFilter. It is helpful to have previous experience with an HP-UX operating system.
© Copyright 2001, 2011 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents

1 About this Product
1.1 Benefits and Features
2 Fixes in this Release
3 Compatibility Information and Installation Requirements
3.1 Software Requirements
1 About this Product

HP-UX IPFilter, product number B9901AA V17.05, is a TCP/IP packet filter suitable for use as a system firewall to protect back-end servers. The firewall functions as a security defense by cutting down the number of exposure points on a machine. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product (developed by Darren Reed), HP does not support some of the perimeter firewall features in that release.
• Sends back ICMP error/TCP reset for blocked packets
• Keeps packet state information for TCP, UDP, and ICMP
• Keeps fragment state information for any IP packet, applying the same rule to all fragments
• Drops all fragmented traffic if specified by rule
• Redirects packets for forensic analysis if specified by rule
• Creates extensive logs when required
• Supports IPv6 1.
2 Fixes in this Release

QXCR1001042506: HP-UX IPFilter rules loading returns ENOMEM even when memory is available.
QXCR1001042389: The ipf command shows slower performance when loading a big rule file.
QXCR1001042502: High memory usage when loading a large number of HP-UX IPFilter rules.
QXCR1000997271: ipf:fr_tcp_age panics when IPFilter Network Address Translation (NAT) functionality is used.
QXCR1001004970: Memory leak in ALLOCB_MBLK_XX arena in pfilstrmodwput() while copyb() is failing.
3 Compatibility Information and Installation Requirements

3.1 Software Requirements

The system must have standard HP-UX 11i v2 core products installed. If you are using HP-UX IPFilter IPv6 functionality on 11i v2, you must install the latest Transport GR patch.

NOTE: No patches are required for HP-UX 11i v2. However, HP recommends that you install the HP-UX 11i v2 December 2006 update.
4 Known Issues and Workarounds

• The startup script for HP-UX IPFilter automatically disables the ip_forward_directed_broadcasts parameter. This keeps the system from being subjected to broadcast-storm attacks that can bring down a network.
• If rules are configured using stdin, rule numbers are not assigned properly to individual rules. Sample output displaying the problem:

# ipf -f -
pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
pass in on lan1 from 15.154.118.192/32 to 16.181.168.
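The following rule file is a constructed example added here, not a configuration from the release notes or from HP. It exercises the features listed in section 1.1 (TCP reset or ICMP error for blocked packets, packet state for TCP/UDP/ICMP, fragment state, dropping fragmented traffic, duplicating packets to a forensic host, and logging), and it is written to be loaded from a file with ipf -f rather than typed on stdin as in the sample above. The interface lan1 and the address 16.181.168.207 are reused from the sample output; lan2, the capture host 16.181.168.210 and the file path are assumptions.

```conf
# Constructed HP-UX IPFilter rule file (example only; not from the release notes).
# Assumptions: lan1 faces the untrusted network, 16.181.168.207 is the protected
# server, and a forensic capture host 16.181.168.210 is reachable on lan2.
# Load with:  ipf -Fa -f /etc/opt/ipf/ipf.conf   (flush all rules, then load the file)

# Feature: send a TCP reset / ICMP port-unreachable for blocked packets instead of
# silently dropping, so legitimate clients fail fast (ident and portmapper here).
block return-rst in quick on lan1 proto tcp from any to 16.181.168.207/32 port = 113
block return-icmp(port-unr) in quick on lan1 proto udp from any to 16.181.168.207/32 port = 111

# Feature: fragment state. DNS replies to the server may arrive fragmented;
# "keep frags" applies this rule to every fragment of the same datagram.
pass in quick on lan1 proto udp from any port = 53 to 16.181.168.207/32 keep state keep frags

# Feature: drop all other fragmented traffic (and log it) by rule.
block in log quick on lan1 all with frag

# Feature: packet state for TCP plus duplication for forensic analysis.
# Only a SYN may create state; "log first" records the first packet of each session;
# "dup-to" copies the matching packets to the capture host on lan2.
pass in log first quick on lan1 dup-to lan2:16.181.168.210 proto tcp from any to 16.181.168.207/32 port = 22 flags S/SA keep state

# Feature: packet state for ICMP (echo request in, echo reply tracked by state).
pass in quick on lan1 proto icmp from any to 16.181.168.207/32 icmp-type echo keep state

# Outbound connections initiated by the server, with replies admitted by state.
pass out quick on lan1 proto tcp from 16.181.168.207/32 to any flags S/SA keep state
pass out quick on lan1 proto udp from 16.181.168.207/32 to any keep state
pass out quick on lan1 proto icmp from 16.181.168.207/32 to any keep state

# Default deny in both directions, logged so blocked traffic is visible to the operator.
block in log quick on lan1 all
block out log quick on lan1 all
```

After loading, ipfstat -nio lists the active inbound and outbound rules with the rule number assigned to each, which is the numbering the stdin issue above concerns; checking that output is the quickest way to confirm the rules were loaded and numbered as intended.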
5 Other Product Information

5.1 Supported and Unsupported Interfaces

The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION: For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces. HP-UX IPFilter is not tested with any third-party products.
Table 1 HP-UX IPFilter Supported Interfaces (continued)

IPFilter Version: Open source versions:
A.03.05.14 (HP-UX 11i v1 and HP-UX 11i v2)
A.03.05.13 (HP-UX 11i v3)
A.03.05.12
A.03.05.11.01
A.03.05.10
A.03.05.10.02
A.03.05.10.04
A.03.05.06.

Supported Interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• Application proxy
• The fr_limitmax tunable has been deprecated and is no longer used to control the number of limit entries that can be created on the system.

5.2.1 Features Not Supported with IPv6

The following features are not supported with IPv6:
• Dynamic Connection Allocation (DCA) (configuration of IPv6 keep limit rules is not allowed)
• IPFilter NAT functionality and the associated commands and utilities
• The ipftest utility
• RPC scripts
• IPFilter group rules 5.
6 Support and Other Resources

6.1 Contacting HP

6.1.1 Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level 6.1.
• Instant Information documentation CD

HP-UX IPFilter V17.05 for HP-UX 11i v2 is a bug-fix-only release on top of HP-UX IPFilter V17. See the following related documents for HP-UX IPFilter V17 on HP-UX 11i v2:
• HP-UX IPFilter Version 17.05 Administrator’s Guide (5900–1475)
• HP-UX IPFilter Version 17 Release Notes (5900–0396A)

For information about HP-UX Bastille, see the HP-UX Bastille Version A3.3 User Guide at: http://www.hp.com/go/hpux-security-docs 6.