HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

4 Configuring and loading IPv6 filter rules
4.1 IPv6 filter rules configuration file
HP-UX IPFilter maintains IPv4 and IPv6 rules as separate rule sets. You cannot configure IPv6 filter
rules in the same file with IPv4 filter rules, and you must administer IPv4 and IPv6 rule sets separately.
The rule set (IPv4 or IPv6) for a rule is determined by the command-line options and file used to
load the rule. These options are described in Section 4.4 (page 33).
The default name for the HP-UX IPFilter IPv6 filter rules file is /etc/opt/ipf/ipf6.conf. To
specify an alternate IPv6 filter rules file name, set the IPF6_CONF parameter in the IPFilter startup
file, /etc/rc.config.d/ipfconf.
Any given rule will apply to either IPv4 or IPv6 according to the file and command options used
to load the rule, but will not apply to both IPv4 and IPv6. This includes rules with wildcard addresses.
4.2 Features not supported with IPv6
The following features are not supported with IPv6:
• IPFilter NAT functionality and the associated commands and utilities.
• Dynamic Connection Allocation (DCA) on HP-UX 11i v1 systems. DCA is not supported with
  IPv6 addresses on HP-UX 11i v1 systems, but is supported on HP-UX 11i v2 and HP-UX 11i
  v3 systems.
• The scripts and files used to generate and load IPFilter rules for Remote Procedure Call (RPC)
  ports, including /etc/opt/ipf/rpc.ipf.
• The ipftest utility
• IPFilter group rules
• Address pools
4.3 IPv6 filter rule syntax differences
The syntax for IPv6 filter rules is the same as the syntax for IPv4 rules, with the differences and
enhancements described in the following sections.
Other filter rule features and syntax rules, such as TCP flags, stateful filtering for TCP and UDP,
redirecting packets to other interfaces, and rule groups, are the same for IPv6 and IPv4.
4.3.1 Specifying addresses
Specify IPv6 addresses in colon-hexadecimal notation. You can use two colons (::) once in an
address to indicate a series of 0s. For example, use the following rule to block an inbound telnet
connection:
block in proto tcp from 2001:db8::1 to 2001:db8::2 port = 23
You can specify the all and any keywords in IPv6 rules. For example, you can create the following
rule for IPv6 packets:
block in from any to any
Although the previous rule is valid for both IPv4 and IPv6 packets, IPFilter will apply this rule to
IPv6 packets if you add it to the IPv6 filter configuration file and load it using the IPv6 (-6) option
with the ipf command, as described in Section 4.4 (page 33).
Rules cannot contain both IPv4 and IPv6 addresses. For example, the following rule is not valid:
pass in proto tcp from 10.1.1.1 to 2001:db8::2
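The check below is an added example, not part of HP-UX IPFilter or this guide: a pre-load lint in Python that flags rules which mix address families, or which contain only IPv4 addresses, before they are placed in the IPv6 rules file. The function names and the last sample rule are assumptions made for illustration.

```python
import ipaddress

def address_families(rule):
    """Return the set of IP versions (4 and/or 6) of the address literals in one rule."""
    families = set()
    for token in rule.split():
        host = token.split("/", 1)[0]          # drop a /prefix-length if present
        try:
            families.add(ipaddress.ip_address(host).version)
        except ValueError:
            pass                                # keyword, port number, "=", interface name
    return families

def classify_rule(rule):
    """Label a rule: 'ipv6', 'ipv4-only', 'mixed', or 'wildcard' (no address literal)."""
    families = address_families(rule)
    if families == {4, 6}:
        return "mixed"
    if families == {4}:
        return "ipv4-only"
    if families == {6}:
        return "ipv6"
    return "wildcard"

def lint_ipv6_rules(text):
    """Return (line number, label, rule) for rules that do not belong in an IPv6 rules file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()     # '#' starts a comment in ipf rule files
        if rule and classify_rule(rule) in ("mixed", "ipv4-only"):
            findings.append((lineno, classify_rule(rule), rule))
    return findings

# Constructed sample: the first three rules are the ones quoted above, the last is made up.
SAMPLE = """\
# candidate contents for /etc/opt/ipf/ipf6.conf
block in proto tcp from 2001:db8::1 to 2001:db8::2 port = 23
block in from any to any
pass in proto tcp from 10.1.1.1 to 2001:db8::2
pass in proto tcp from 10.1.1.0/24 to any port = 22
"""

if __name__ == "__main__":
    for lineno, label, rule in lint_ipv6_rules(SAMPLE):
        print(f"line {lineno}: {label}: {rule}")
```

A rule with no address literal (any or all) is labelled wildcard and not flagged, because the rule set it joins is decided by the file and options used to load it.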