HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

NOTE: When you load a ruleset, the new rules affect all matching packets immediately,
including packets for established connections. For example, if you load a new rule that blocks
telnet packets, IPFilter will block all telnet packets, including packets for established
telnet connections. The only exception to this behavior is for packets that match entries in
the IPFilter state table. In this case, IPFilter continues to apply the existing action (pass or block)
for these packets until the state table entry times out or is deleted (such as when the connection
is closed).
To flush all rules from your ruleset, use the ipf -Fa command:
ipf -Fa
IPFilter maintains an active ruleset and an inactive ruleset. The active ruleset is the ruleset used
for IPFilter operations, and the inactive ruleset is a supplementary, reserve ruleset.
By default, IPFilter applies the flush (-F) and file (-f) operations to the active ruleset. You can
also explicitly direct IPFilter to apply an operation to the active ruleset with the -A option. For
example:
ipf -Fa -A -f /etc/opt/ipf/ipf.conf
This command flushes all previously configured rules (-Fa), reads the rules in the /etc/opt/ipf/ipf.conf file (-f), and loads these rules as the active rules (-A).
To apply the ipf action to the inactive ruleset, specify the -I option. For example, the following command flushes all rules in the inactive ruleset and adds rules from the /etc/opt/ipf/ipf.conf file to the inactive ruleset:
ipf -IFa -f /etc/opt/ipf/ipf.conf
To swap the current active ruleset with the new inactive ruleset, specify the -s option:
ipf -s
To selectively flush only the inbound rules, specify the -Fi option. For example:
ipf -Fi
To selectively flush only the outbound rules, specify the -Fo option. For example:
ipf -Fo
You can also specify the -Fi or -Fo option with a filename. This flushes the inbound or
outbound rules from the current ruleset, then reads in the rules from the specified file. For
example:
ipf -Fo -f /etc/opt/ipf/ipf.conf
3.8.1 Verifying IPv4 filter rules
You can use the following commands to verify IPv4 filter rules:
• Use the ipfstat -io command to list the active inbound and outbound rules.
• Use the ipf -V command to verify that IPFilter is running.
• Use the ipfstat -ioh command to list the active inbound and outbound rules and the number of hits, or matching packets, for each rule.
For more information about IPFilter utilities, see Chapter 10 (page 68).
3.8.2 Removing IPFilter rules
You can use the following command to remove rules that are listed in a file from the ruleset:
ipf -r -f delete_rule_file
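The following POSIX shell script is an added example and is not part of the HP guide. It wraps the two procedures above: staging a rule file into the inactive ruleset (ipf -IFa -f) and swapping it live (ipf -s) only after the load succeeds, so a rejected file never leaves the host with the active ruleset half flushed; and building a delete file for ipf -r -f. It assumes ipf is on PATH (override with the IPF variable) and that /etc/opt/ipf/ipf.conf is the default rule file, as in the guide; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Staged IPFilter ruleset load for HP-UX. Added example, not HP's own tooling.
# Assumptions: ipf is on PATH (or IPF=/path/to/ipf), rules default to
# /etc/opt/ipf/ipf.conf. DRY_RUN=1 echoes each ipf invocation instead of running it.

IPF="${IPF:-ipf}"
RULES="${RULES:-/etc/opt/ipf/ipf.conf}"

# run_ipf ARGS...: execute ipf, or only echo the command line when DRY_RUN=1.
run_ipf() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $IPF $*"
        return 0
    fi
    "$IPF" "$@"
}

# stage_ruleset [FILE]: flush the INACTIVE ruleset and load FILE into it.
# The active ruleset keeps filtering untouched while this runs.
# Returns 1 if FILE is unreadable (ipf is never called), 2 if ipf rejected it.
stage_ruleset() {
    f="${1:-$RULES}"
    [ -r "$f" ] || { echo "stage_ruleset: cannot read $f" >&2; return 1; }
    run_ipf -IFa -f "$f" || { echo "stage_ruleset: ipf rejected $f" >&2; return 2; }
    return 0
}

# activate_staged: swap the inactive and active rulesets (ipf -s).
activate_staged() {
    run_ipf -s
}

# load_ruleset [FILE]: stage, then swap. On any staging failure the swap is
# skipped and the function returns the staging error code.
load_ruleset() {
    stage_ruleset "$1" || return $?
    activate_staged
}

# write_delete_file OUT RULE...: write one rule per line to OUT, in the same
# text form as in the rule file, for later removal with `ipf -r -f OUT`.
write_delete_file() {
    out="$1"; shift
    : > "$out" || return 1
    for r in "$@"; do
        printf '%s\n' "$r" >> "$out"
    done
}

# remove_rules DELETE_FILE: remove the listed rules from the active ruleset.
remove_rules() {
    [ -r "$1" ] || { echo "remove_rules: cannot read $1" >&2; return 1; }
    run_ipf -r -f "$1"
}

# Stand-alone use:  sh stage_ipf.sh load [FILE]   |   sh stage_ipf.sh remove DELETE_FILE
case "${1:-}" in
    load)   load_ruleset "${2:-}" ;;
    remove) remove_rules "$2" ;;
esac
```

Run it first with DRY_RUN=1 to see the exact ipf invocations, then check the result with ipfstat -io after the swap; if the staged file turns out to be wrong, a second ipf -s puts the previous ruleset back.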
3.8 Loading IPv4 filter rules 29