HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

8 Tips for securing your system
8.1 Blocking services by port number and protocol
To create a ruleset that explicitly passes packets for a specific service or services, but blocks all
other traffic:
1. Configure pass rules with the quick keyword to allow packets for specific services by port
number and protocol.
2. At the end of the ruleset, configure a rule to block all traffic (block in all).
NOTE: The quick keyword is required in the pass rules. By default IPFilter lets the last matching rule decide what happens to a packet, so without quick the final block in all rule would also match the packets you meant to pass and override the earlier pass rule. With quick, IPFilter stops processing the ruleset at the first matching rule. This lets you configure the most specific rules first and the less specific rules after them.
8.1.1 Example: firewall on a web server
For example, to create a firewall on a web server that accepts connections on TCP port 80 only, configure the following ruleset:
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 80
block in all
This system passes inbound port 80 traffic for 20.20.20.1 on lan0 and denies all other inbound traffic. This ruleset provides a basic firewall. Note that it filters inbound packets only: outbound packets are not matched by block in all and are passed by default, but the replies to connections the server itself initiates (for example DNS lookups) arrive inbound and are blocked unless you add outbound pass rules with keep state so that IPFilter creates state entries for them.
8.1.2 Example: firewall for multiple services
To configure IPFilter for effective security, combine several techniques and building blocks. For example, you can configure rules that allow rlogin (TCP port 513), rsh (TCP port 514), and telnet (TCP port 23) only from hosts on your internal network, 20.20.20.0/24. The source address in each pass rule is what restricts the service to the internal network; with from any the rules would pass these services from every source. Configure the following rules in the order shown:
pass in log quick on lan0 proto tcp from 20.20.20.0/24 to 20.20.20.0/24 port = 513
pass in log quick on lan0 proto tcp from 20.20.20.0/24 to 20.20.20.0/24 port = 514
pass in log quick on lan0 proto tcp from 20.20.20.0/24 to 20.20.20.0/24 port = 23
block in all
Because these pass rules use quick, they must come before the block in all rule. The block in all rule then denies these services to systems outside your network, together with all other inbound traffic.
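The ordering rules stated in the NOTE in 8.1 and relied on by the two examples above can be checked without a running IPFilter host. The following Python script is an added example, not part of this guide or of the IPFilter software: it models the subset of the rule syntax used in this section (pass/block, in/out, log, quick, on, proto, from/to with port = N, and all) together with IPFilter's evaluation order, in which the last matching rule decides unless a matching rule is quick, and applies the web-server and multiple-service rulesets to constructed packets. The names Rule, Packet, parse_rule, evaluate, services_ruleset and verdicts, the interface lan0 and the addresses 30.30.30.5 and 20.20.20.9 are the example's own assumptions; services_ruleset takes the source network as a parameter so that from any can be compared with from 20.20.20.0/24.

```python
"""Model of IPFilter rule evaluation for the rule subset used in this section
(added example, not IPFilter code).  Rules are scanned in order and the LAST
matching rule wins, unless a matching rule carries 'quick', which ends the scan
at once; a packet that matches no rule at all is passed (IPFilter's default)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Set

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: str                     # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None        # None matches every interface
    proto: Optional[Set[str]] = None   # None matches every protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None

Packet = namedtuple("Packet", "direction iface proto src dst sport dport")  # constructed packets

def parse_rule(line: str) -> Rule:
    """Grammar handled: pass|block in|out [log] [quick] [on IF] [proto P[/P]]
                        (all | from SRC [port = N] to DST [port = N])"""
    toks = line.split()
    rule = Rule(action=toks[0], direction=toks[1])
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("log", "quick"):                    # 'log' only affects logging
            rule.quick = rule.quick or tok == "quick"
            i += 1
        elif tok == "on":
            rule.iface = toks[i + 1]
            i += 2
        elif tok == "proto":
            rule.proto = set(toks[i + 1].split("/"))   # "tcp/udp" means either
            i += 2
        elif tok == "all":                             # shorthand: from any to any
            i += 1
        elif tok in ("from", "to"):
            addr = toks[i + 1]
            net = ANY if addr == "any" else ipaddress.ip_network(addr, strict=False)
            port, i = None, i + 2
            if i < len(toks) and toks[i] == "port":    # only the "port = N" form
                port, i = int(toks[i + 2]), i + 3
            if tok == "from":
                rule.src, rule.sport = net, port
            else:
                rule.dst, rule.dport = net, port
        else:
            raise ValueError(f"unsupported token {tok!r} in: {line}")
    return rule

def load_ruleset(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface in (None, pkt.iface)
            and (rule.proto is None or pkt.proto in rule.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    verdict = "pass"                   # nothing matched: IPFilter passes the packet
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action      # a later match overrides an earlier one ...
            if rule.quick:
                break                  # ... unless the match is 'quick'
    return verdict

WEB_QUICK = ("pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 80\n"
             "block in all\n")

def services_ruleset(source: str) -> str:
    """rlogin/rsh/telnet rules from 8.1.2 with a selectable source network."""
    rules = [f"pass in log quick on lan0 proto tcp from {source} to 20.20.20.0/24 port = {p}"
             for p in (513, 514, 23)]
    return "\n".join(rules) + "\nblock in all\n"

def verdicts() -> dict:
    web = load_ruleset(WEB_QUICK)
    web_noq = load_ruleset(WEB_QUICK.replace(" quick", ""))     # same rules, no 'quick'
    svc_any, svc_lan = (load_ruleset(services_ruleset(s)) for s in ("any", "20.20.20.0/24"))
    pkt = lambda src, dst, dport: Packet("in", "lan0", "tcp", src, dst, 40000, dport)
    return {
        "web, quick, port 80": evaluate(web, pkt("30.30.30.5", "20.20.20.1", 80)),
        "web, quick, port 22": evaluate(web, pkt("30.30.30.5", "20.20.20.1", 22)),
        "web, no quick, port 80": evaluate(web_noq, pkt("30.30.30.5", "20.20.20.1", 80)),
        "services from any, outside source": evaluate(svc_any, pkt("30.30.30.5", "20.20.20.7", 23)),
        "services from subnet, outside source": evaluate(svc_lan, pkt("30.30.30.5", "20.20.20.7", 23)),
        "services from subnet, inside source": evaluate(svc_lan, pkt("20.20.20.9", "20.20.20.7", 23)),
    }
```

Calling verdicts() returns pass for the web-server ruleset on port 80 and block on port 22; with quick removed from the same pass rule the port 80 packet is blocked, because block in all matches last. The service rules pass a telnet connection from 30.30.30.5 when their source is any and block it when the source is 20.20.20.0/24, while a connection from 20.20.20.9 is passed either way. The model has no state table, so it does not represent keep state rules, and an outbound packet matches nothing in these rulesets and is passed.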
To filter UDP instead of TCP, replace proto tcp with proto udp. For example, the following rule blocks and logs syslog messages (UDP port 514) sent to the internal network. If the ruleset ends with block in all, such packets are already discarded; the explicit rule adds a log entry for each attempt and stops rule processing early:
block in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 514
Several services can be blocked by port number:
• syslog on UDP port 514.
• portmap on TCP port 111 and UDP port 111. You can cover both with proto tcp/udp and port = 111 in a single rule.
• lpd on TCP port 515.
• NFS on TCP port 2049 and UDP port 2049. You can also configure NFS to use static (fixed) port numbers for the NFS statd, mountd, and lockd services, as described in Section 13.2 (page 82).
• X11 on TCP port 6000 for display :0 (each additional display uses the next port number: 6001, 6002, and so on).
To get a complete listing of the ports the system is listening on, use netstat -an (the -n option prints port numbers instead of service names); /etc/services maps service names to port numbers.
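A practical check is to compare what the host actually listens on with what the ruleset passes. The following Python script is an added example, not from this guide or from HP-UX: it parses numeric netstat -an output (a constructed sample in the HP-UX layout, where a local address ends in .PORT and * is a wildcard), extracts the destination ports passed by pass in ... port = N rules in a constructed ruleset, and reports listeners that some pass rule reaches, listeners left to block in all, and pass rules with nothing listening behind them. The function names, the sample socket table and the sample ruleset are the example's own; it deliberately ignores the source-address restrictions in the rules and expects ports only on the to side of a rule.

```python
"""Cross-check the sockets a host listens on against the ports its IPFilter
ruleset passes (added example, not HP-UX code).  Expects numeric netstat output
(netstat -an), where a local address ends in '.PORT' and '*' is a wildcard."""
import re
from typing import Dict, List, Set, Tuple

Socket = Tuple[str, int]   # (protocol, port)

# Constructed sample in the HP-UX 'netstat -an' layout; not taken from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.80                   *.*                    LISTEN
tcp        0      0  *.111                  *.*                    LISTEN
tcp        0      0  *.515                  *.*                    LISTEN
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  20.20.20.1.80          30.30.30.5.51234       ESTABLISHED
udp        0      0  *.111                  *.*
udp        0      0  *.514                  *.*
"""

# Constructed ruleset in the style of 8.1.1 / 8.1.2 (assumed, not from the guide).
SAMPLE_RULESET = """\
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 80
pass in quick on lan0 proto tcp/udp from 20.20.20.0/24 to 20.20.20.1/32 port = 111
block in all
"""

# Destination port of a 'pass in' rule; ports given on the 'from' side are not expected.
PASS_RULE = re.compile(r"^pass\s+in\b.*\bproto\s+(\S+)\b.*\bport\s*=\s*(\d+)")


def listening_sockets(netstat_text: str) -> Set[Socket]:
    """TCP sockets in LISTEN plus every bound UDP socket (UDP rows have no state column)."""
    found: Set[Socket] = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue                                   # header or non-IP line
        proto, local = cols[0], cols[3]
        if proto == "tcp" and (len(cols) < 6 or cols[5] != "LISTEN"):
            continue                                   # established or closing connection
        found.add((proto, int(local.rsplit(".", 1)[1])))
    return found


def passed_sockets(ruleset_text: str) -> Set[Socket]:
    """(proto, port) pairs that some 'pass in ... port = N' rule allows.  Source
    restrictions are ignored: the question is only which listeners a pass rule reaches."""
    found: Set[Socket] = set()
    for line in ruleset_text.splitlines():
        m = PASS_RULE.match(line.strip())
        if m:
            for proto in m.group(1).split("/"):        # "tcp/udp" covers both
                found.add((proto, int(m.group(2))))
    return found


def audit(netstat_text: str, ruleset_text: str) -> Dict[str, List[Socket]]:
    listening = listening_sockets(netstat_text)
    allowed = passed_sockets(ruleset_text)
    return {
        "reachable": sorted(listening & allowed),               # listener with a pass rule
        "dropped_by_block_in_all": sorted(listening - allowed),
        "passed_but_nothing_listening": sorted(allowed - listening),
    }


if __name__ == "__main__":
    for key, sockets in audit(SAMPLE_NETSTAT, SAMPLE_RULESET).items():
        print(f"{key}: {sockets}")
```

On the sample, port 80 and portmap (TCP and UDP 111) are reachable, while lpd, X11 and syslog are left to block in all; a non-empty passed_but_nothing_listening list would point at a stale pass rule worth removing.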