HP-UX IPFilter V17.
© Copyright 2001, 2010 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents

1 About this Product
1.1 Benefits and Features
2 Fixes in this Release
3 Compatibility Information and Installation Requirements

List of Tables

5-1 HP-UX IPFilter Supported Interfaces
1 About this Product

HP-UX IPFilter, product number B9901AA, version 17.05, is a TCP/IP packet filter suitable for use as a system firewall to protect back-end servers. The firewall functions as a security defense by cutting down the number of exposure points on a machine. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product (developed by Darren Reed), HP does not support some of the perimeter firewall features in that release.
— ICMP message type and code
— Combination of TCP flags
— Interface
• Allows control of incoming TCP connections through DCA
• Supports NAT, which lets an intermediate HP-UX system act as a translator of IP addresses and network ports
• Sends back ICMP error/TCP reset for blocked packets
• Keeps packet state information for TCP, UDP, and ICMP
• Keeps fragment state information for any IP packet, applying the same rule to all fragments
• Drops all fragmented traffic if specified by rule
• Redirects p
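The filtering, state-keeping and response features listed above, expressed as an HP-UX IPFilter rule file. This is an added illustration, not a rule set from the release notes or from HP; the interface name lan0, the protected host 192.0.2.10 and the administrative network 198.51.100.0/24 are assumed placeholders.

```conf
# Added example ipf.conf: one rule per feature from section 1.1.
# Assumed placeholders: external interface lan0, protected host 192.0.2.10,
# administrative network 198.51.100.0/24. Rules use "quick", so the first match wins.

# Filter on ICMP message type and code: allow echo requests only, statefully,
# so that the echo replies are matched without a separate rule.
pass in quick on lan0 proto icmp from any to 192.0.2.10 icmp-type 8 code 0 keep state
block in quick on lan0 proto icmp from any to 192.0.2.10

# Filter on a combination of TCP flags and keep TCP state: only a bare SYN
# (SYN set, ACK clear) may open a connection; later segments of that connection
# are passed by the state table, not by another rule lookup.
pass in quick on lan0 proto tcp from 198.51.100.0/24 to 192.0.2.10 port = 22 flags S/SA keep state

# Keep fragment state: fragments of a packet that matched this rule are
# handled by the same rule instead of being evaluated on their own.
pass in quick on lan0 proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state keep frags

# DCA (HP-UX extension): cap the number of concurrent connections this rule may
# hold in the state table; "keep limit" is the keyword the IPv6 section refers to.
pass in quick on lan0 proto tcp from any to 192.0.2.10 port = 80 flags S/SA keep limit 200

# Keep UDP state: allow outbound DNS queries and only the replies to them.
pass out quick on lan0 proto udp from 192.0.2.10 to any port = 53 keep state

# Send back a TCP reset or an ICMP error for blocked packets instead of
# dropping them silently (useful where clients should fail fast).
block return-rst in quick on lan0 proto tcp from any to 192.0.2.10
block return-icmp(port-unr) in quick on lan0 proto udp from any to 192.0.2.10

# Drop all fragmented traffic that reached this point. Placing this rule first
# instead would drop every fragment, overriding the "keep frags" rule above.
block in quick on lan0 all with frag

# Default deny for everything else arriving on the external interface.
block in quick on lan0 all
```

Load the file with `ipf -Fa -f /etc/opt/ipf/ipf.conf` and inspect the resulting state entries with `ipfstat -s`; NAT rules live in a separate ipnat.conf and are not shown here.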
2 Fixes in this Release

QXCR1001042506 HP-UX IPFilter rules loading returns ENOMEM even when memory is available.
QXCR1001042389 The ipf command shows slower performance when loading a big rule file with A.11.31.16 and A.11.31.17.
QXCR1001042502 High memory usage when loading a large number of HP-UX IPFilter rules.
QXCR1001030338 ipfstat -r not working in the HP-UX IPFilter A.11.xx.17 release.
QXCR1000997271 ipf:fr_tcp_age panics when IPFilter Network Address Translation (NAT) functionality is used.
3 Compatibility Information and Installation Requirements

3.1 Software Requirements

The system must have standard HP-UX 11i v3 core products installed.
• 135—Neighbor solicitation
• 136—Neighbor advertisement

3.5 Disk Space Required for Installation

This product requires 10 MB of disk space.
4 Known Issues and Workarounds

• The startup script for HP-UX IPFilter automatically disables the ip_forward_directed_broadcasts parameter. This keeps the system from being subjected to broadcast-storm attacks that can bring down a network.
5 Other Product Information

5.1 Supported and Unsupported Interfaces

The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION: For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces. HP-UX IPFilter is not tested with any third-party products.

Table 5-1 HP-UX IPFilter Supported Interfaces

IPFilter Version | Supported Interfaces
A.11.xx.17 |
Table 5-1 HP-UX IPFilter Supported Interfaces (continued)

IPFilter Version | Supported Interfaces

Open source versions:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• FDDI
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)

• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• FDDI
• Token Ring

A.03.05.14 (HP-UX 11i v1 and HP-UX 11i v2)
A.03.05.13 (HP-UX 11i v3)
A.03.05.12
A.03.05.11.01
A.03.05.10
A.03.
5.2.1 Features Not Supported with IPv6

The following features are not supported with IPv6:
• Dynamic Connection Allocation (DCA) (the configuration of the IPv6 keep limit rules is not allowed)
• IPFilter NAT functionality and the associated commands and utilities
• The ipftest utility
• RPC scripts
• IPFilter group rules
• Address pools

5.
6 Support and Other Resources

6.1 Contacting HP

6.1.1 Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

6.1.
• Instant Information documentation CD

For information about HP-UX Bastille, see the HP-UX Bastille Version A3.3 User Guide at:
http://www.hp.com/go/hpux-security-docs

6.3 Typographic conventions

This document uses the following typographical conventions:

%, $, or #    A percent sign represents the C shell system prompt. A dollar sign represents the system prompt for the Bourne, Korn, and POSIX shells. A number sign represents the superuser prompt.
audit(5)      A manpage.