HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

3.2.1 Specifying the filter action: pass and block
The first keyword in an IPFilter rule specifies the action, and is usually pass or block. The keyword
pass allows packets to pass in or out of IPFilter, and the keyword block blocks or drops packets.
3.2.2 Specifying the filter direction: in and out
The in and out keywords specify whether the rule applies to inbound or outbound packets.
Inbound traffic is traffic that enters the IPFilter system. Outbound traffic is traffic the system transmits,
whether generated by the local system or forwarded by the system.
For example, the following rule uses the keyword pass and the IP selector all to allow incoming
packets from all IP addresses:
pass in all
The following rule drops outgoing packets to all IP addresses:
block out all
NOTE: If you do not specify any outbound rules, the default is pass out all. If you do not
specify any inbound rules, the default is pass in all.
3.2.3 Specifying the upper layer protocol: proto
IPFilter can filter traffic based on the upper layer protocol, such as TCP or ICMP, using the proto
keyword:
proto tcp|udp|tcp/udp|icmp|protocol_number
The tcp/udp option specifies both TCP and UDP, and is useful for applications that use both the
TCP and UDP protocols, such as portmap and NFS. For example, you can configure the following
rule to block inbound TCP and UDP portmap packets:
block in proto tcp/udp from any to 20.20.20.0/24 port = 111
The value for protocol_number can be any valid decimal IP protocol number for an upper layer
protocol (0-255).
3.2.4 Specifying IP addresses and subnets: from and to
IPFilter can pass or block packets based on both source and destination IP addresses. The addresses
can be individual node addresses, subnet addresses, or address ranges. The format for specifying
IP addresses is as follows:
from ip_address[/prefix]|any to ip_address[/prefix]|any
where:
ip_address is the source or destination IPv4 address in dotted-decimal notation. The IPv4
address can also be a decimal value, or a hexadecimal value with the prefix 0x.
prefix is the decimal subnet prefix length. It can also be a network bitmask specified in
dotted-decimal notation.
any specifies any IP address.
To specify an address range, enter the start address and end address, separated by a dash (-).
To specify packets that do not match an address, insert an exclamation point (!) in front of the
address.
You can also specify an individual host name instead of an IP address, but you cannot use an
exclamation point or range specification with host names.
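The following Python program is an added example and is not part of the HP-UX IPFilter guide or of the IPFilter product. It parses rules written in the subset of syntax described in 3.2.1 through 3.2.4 (pass/block, in/out, all, proto, from/to with prefix, bitmask, range and ! negation, and port =) and evaluates a constructed packet description against a constructed rule set. It assumes that port = after the to address selects the destination port, that host names are not resolved (only numeric addresses are accepted), and that, as IPFilter does for rules without the quick keyword, the last matching rule decides; with no matching rule it falls back to the pass default stated in the NOTE above.

```python
"""Toy evaluator for the IPFilter rule subset documented in 3.2.1-3.2.4 (added example)."""
import ipaddress

PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}


def _addr(text):
    """Parse an IPv4 address written in dotted-decimal, plain decimal, or 0x-hex form."""
    if text.lower().startswith("0x"):
        return ipaddress.IPv4Address(int(text, 16))
    if text.isdigit():
        return ipaddress.IPv4Address(int(text))
    return ipaddress.IPv4Address(text)  # assumption: host names are not resolved here


class AddrSpec:
    """One from/to operand: any, address[/prefix or /mask], start-end, or a !negated form."""

    def __init__(self, text):
        self.negate = text.startswith("!")
        text = text.lstrip("!")
        if text == "any":
            self.lo, self.hi = 0, 0xFFFFFFFF
        elif "-" in text:  # address range: start and end separated by a dash
            start, end = text.split("-", 1)
            self.lo, self.hi = int(_addr(start)), int(_addr(end))
        elif "/" in text:  # prefix length or dotted-decimal bitmask; ipaddress accepts both
            host, prefix = text.split("/", 1)
            net = ipaddress.IPv4Network(f"{_addr(host)}/{prefix}", strict=False)
            self.lo, self.hi = int(net.network_address), int(net.broadcast_address)
        else:
            self.lo = self.hi = int(_addr(text))

    def matches(self, ip):
        inside = self.lo <= int(ipaddress.IPv4Address(ip)) <= self.hi
        return inside != self.negate  # ! inverts the match


def _protocols(text):
    """tcp, udp, tcp/udp, icmp, or a decimal protocol number in the range 0-255."""
    result = set()
    for name in text.split("/"):
        if name in PROTO_NAMES:
            result.add(PROTO_NAMES[name])
        elif name.isdigit() and 0 <= int(name) <= 255:
            result.add(int(name))
        else:
            raise ValueError(f"bad protocol {name!r}")
    return result


class Rule:
    """action direction [all] [proto P] [from A to B [port = N]]"""

    def __init__(self, text):
        self.text = text
        tok = text.split()
        if len(tok) < 3 or tok[0] not in ("pass", "block") or tok[1] not in ("in", "out"):
            raise ValueError(f"bad rule {text!r}")
        self.action, self.direction = tok[0], tok[1]
        self.protocols = None  # None: any upper layer protocol
        self.src = self.dst = AddrSpec("any")
        self.dport = None  # None: any destination port (assumption: port = is the dst port)
        i = 2
        while i < len(tok):
            if tok[i] == "all":
                i += 1
            elif tok[i] == "proto":
                self.protocols = _protocols(tok[i + 1])
                i += 2
            elif tok[i] == "from":
                self.src = AddrSpec(tok[i + 1])
                i += 2
            elif tok[i] == "to":
                self.dst = AddrSpec(tok[i + 1])
                i += 2
            elif tok[i] == "port" and tok[i + 1] == "=":
                self.dport = int(tok[i + 2])
                i += 3
            else:
                raise ValueError(f"unexpected token {tok[i]!r} in {text!r}")

    def matches(self, pkt):
        if pkt["direction"] != self.direction:
            return False
        if self.protocols is not None and pkt["proto"] not in self.protocols:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return self.src.matches(pkt["src"]) and self.dst.matches(pkt["dst"])


def matching_rules(rules, pkt):
    return [r for r in rules if r.matches(pkt)]


def decide(rules, pkt):
    """Last matching rule wins (IPFilter behaviour without quick); no match means pass."""
    hits = matching_rules(rules, pkt)
    return hits[-1].action if hits else "pass"


# Constructed rule set, written in the syntax this section documents.
RULES = [
    "pass in all",
    "block out all",
    "block in proto tcp/udp from any to 20.20.20.0/24 port = 111",
    "block in from 10.10.10.0/24 to any",
    "pass in proto tcp from !10.10.10.0/24 to 20.20.20.5 port = 22",
    "block in proto icmp from 192.168.1.10-192.168.1.20 to any",
]

if __name__ == "__main__":
    rules = [Rule(t) for t in RULES]
    # Constructed packet: inbound TCP to the portmap port inside 20.20.20.0/24
    pkt = {"direction": "in", "proto": 6, "src": "1.2.3.4", "dst": "20.20.20.7", "dport": 111}
    for r in matching_rules(rules, pkt):
        print("matches:", r.text)
    print("decision:", decide(rules, pkt))
```

Packets are plain dictionaries with direction, proto (the IP protocol number), src, dst and an optional dport, so the same evaluator can be driven from a parsed capture or a list of test cases when checking how a rule set will treat a given flow before loading it.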
3.2.4.1 Examples
The following rule blocks all inbound packets from the 10.10.10.0 subnet to any IP address:
3.2 Basic rule syntax: specifying the action, direction, protocol, IP addresses, and ports 17