HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3
8.2 Creating a complete filter by interface
When you create a ruleset, you should configure rules for all directions and all interfaces. The
default state of IPFilter is to pass packets both in and out. Instead of relying on the IPFilter default
behavior, make every ruleset as specific as possible, interface by interface, until all possibilities
are explicitly covered.
For example, if you have an IPFilter system with a lan1 interface and a lan0 interface, configure
the following rules:
pass out quick on lan1
pass in quick on lan1
block out quick on lan0 from any to 192.168.0.0/16
block out quick on lan0 from any to 172.16.0.0/12
block out quick on lan0 from any to 10.0.0.0/8
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in log quick on lan0 from 20.20.20.0/24 to any
pass in all
In this example, there are no restrictions on traffic in or out on lan1, while IPFilter places
significant restrictions on traffic both in and out of lan0.
NOTE: When setting up your ruleset, be sure that you add rules for all appropriate directions
and interfaces.
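To check what a ruleset such as the one above does to a given packet before loading it, here is an added example (not part of the HP-UX guide) that models IPFilter's evaluation order for the keywords used on this page: rules are read top to bottom, the last match decides, and a matching "quick" rule ends evaluation immediately. The rule text is the lan0/lan1 ruleset from this section; any packets fed to it are constructed for illustration.

```python
# Added example, not from the HP-UX guide: a small evaluator for the rule syntax
# on this page. It models IPFilter's order of evaluation: rules are read top to
# bottom and the last match wins unless a matching rule says "quick", which ends
# evaluation at once. Only this page's keywords are handled; "all" matches any.
import ipaddress

RULESET = """\
pass out quick on lan1
pass in quick on lan1
block out quick on lan0 from any to 192.168.0.0/16
block out quick on lan0 from any to 172.16.0.0/12
block out quick on lan0 from any to 10.0.0.0/8
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in log quick on lan0 from 20.20.20.0/24 to any
pass in all
"""
def parse_rule(line):
    """Turn one rule line into its verdict and match criteria."""
    w = line.split()
    rule = {"action": w[0], "dir": w[1], "log": "log" in w,
            "quick": "quick" in w, "iface": None, "src": None, "dst": None}
    for i, tok in enumerate(w):
        if tok == "on":
            rule["iface"] = w[i + 1]
        elif tok in ("from", "to") and w[i + 1] != "any":
            rule["src" if tok == "from" else "dst"] = ipaddress.ip_network(w[i + 1])
    return rule

def matches(rule, pkt):
    """pkt is (direction, interface, src_ip, dst_ip), all strings."""
    d, iface, src, dst = pkt
    return (rule["dir"] == d and rule["iface"] in (None, iface)
            and (rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"]))

def evaluate(ruleset_text, pkt):
    """Return (verdict, logged, index of deciding rule); no match means pass."""
    verdict, logged, idx = "pass", False, None
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.strip()]
    for i, r in enumerate(rules):
        if matches(r, pkt):
            verdict, logged, idx = r["action"], r["log"], i
            if r["quick"]:
                break
    return verdict, logged, idx
```

Feeding every interface and direction you care about through evaluate() shows which rule decides each case, which is a quick way to find a direction or interface the ruleset leaves to the pass-by-default behaviour.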
8.3 Combining IP address and network interface filtering
If you know that your system will send and receive packets only from specific IP addresses and
interfaces, configure your IPFilter rules to only allow traffic from those addresses and interfaces.
Also, there are addresses and subnets used for specific purposes on specific interfaces. The following
examples show rulesets that block packets coming to or from addresses that should not have traffic.
For example, the IANA reserves the following address blocks for private addresses:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
In addition, the IANA reserves the 127.0.0.0/8 address block for loopback packets (packets sent
by the local system to the local system). By default, IP loopback packets are processed within the
IP module and bypass IPFilter. Therefore, it is good practice to block any inbound packets with a
loopback address as the source address.
The following ruleset blocks packets from private address blocks and the loopback address block
received on lan0:
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
pass in all
If you have an internal network, you can restrict traffic destined for that network to packets whose
source addresses belong to that network. If a packet with a source address on the internal network
arrives on a dialup interface, IPFilter should block it.
For example, if your internal network subnet is 20.20.20.0/24, use the following rules to keep
traffic from the internal subnet from passing through on the external lan0 interface: