HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

NOTE: If you are using /etc/opt/ipf/ipf.conf as your rules file, then IPFilter will load it at boot time. The IPFilter startup script /sbin/init.d/ipfboot:
• Loads the IPFilter module.
• Starts the logging daemon, ipmon.
• Loads any uncommented rules in the /etc/opt/ipf/ipf.conf file.
• Loads any uncommented rules in the /etc/opt/ipf/ipf6.conf file if IPv6 is enabled on the system.
If your rules file blocks packets for network services, that is, if the last effective rule amounts to “block in all,” the boot sequence might not complete, for example, when sendmail, SNMP, and NIS are configured on the system.
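A pre-reboot check for the condition in the note above, as an added example that is not part of the HP guide: the shell function ipf_inbound_policy (a hypothetical name) reads a rules file and reports whether its effective inbound catch-all is a block that no pass rule can override. It assumes IPFilter's usual matching (the last matching rule wins unless a rule carries quick) and recognizes only bare log and quick keywords with all or from any to any; the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not from the HP guide. Classifies the inbound policy of an
# IPFilter rules file before /sbin/init.d/ipfboot loads it at boot.
# Assumed semantics: the last matching rule wins, except that the first
# matching rule carrying "quick" wins immediately.
# Prints: block-all      catch-all block that no pass-in rule can override
#         block-default  catch-all block, but some pass-in rules still win
#         pass | none    catch-all pass, or no catch-all inbound rule
ipf_inbound_policy() {
    awk '
    { sub(/#.*/, "") }                        # commented-out rules are not loaded
    ($1 == "block" || $1 == "pass") && $2 == "in" {
        quick = 0; rest = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "quick") { quick = 1; continue }
            if ($i == "log") continue         # bare "log" only; log options not parsed
            rest = rest (rest == "" ? "" : " ") $i
        }
        catchall = (rest == "all" || rest == "from any to any")
        if (!catchall) {
            # a specific pass rule can still win if it is quick, or if it
            # follows the last non-quick catch-all
            if ($1 == "pass") { if (quick) qpass++; else later++ }
            next
        }
        final = $1; later = 0                 # earlier non-quick passes are overridden
        if (quick) exit                       # no packet gets past a quick catch-all
    }
    END {
        if (final == "") print "none"
        else if (final == "pass") print "pass"
        else print ((qpass + later) > 0 ? "block-default" : "block-all")
    }' "$1"
}

# Constructed sample: service passes listed first, then a trailing catch-all block
sample=/tmp/ipf_sample.$$
cat > "$sample" <<'EOF'
pass in proto tcp from any to any port = 25
pass in proto udp from any to any port = 161
block in all
EOF
echo "inbound policy: $(ipf_inbound_policy "$sample")"
rm -f "$sample"
```

A result of block-all means every inbound packet, including traffic for sendmail, SNMP, and NIS, is blocked once the file is loaded, so review the rule order before rebooting.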
Nothing is logged.
Verify the following:
• Run ipf -V; it should show the logging file as available.
• Run ps -ef | grep ipmon to verify that ipmon is running. During bootup, ipmon is started. If it is not running, start it by using:
  ipmon -s -D
  The -s option specifies that the log records go to /var/adm/syslog/syslog.log and the -D option directs ipmon to run as a daemon in the background.
Errors occur when loading rules.
# ipf -f rule_file
ioctl (add/insert rule); File Exists
This occurs when you try to add a rule that is already loaded. Use the following command to
load rules:
ipf -Fa -f rulefile
The -Fa option will flush any previous rules present and all rules will be reloaded.
In addition, you can use ipftest to test a set of filter rules without having to put them in
place. See the ipftest(1) manpage for more information on this tool.
IPFilter rules changed after using Bastille/Install-Time-Security level.
If you configure an IPFilter ruleset using Install-Time-Security level, or use HP-UX Bastille interactively to reconfigure IPFilter rules, existing rules will be overwritten. This will change IPFilter behavior.
To reinsert your rules into the Bastille-setup firewall rules, edit /etc/opt/sec_mgmt/bastille/ipf.customrules, and run bastille -b -f config file. Alternatively, to remove all of the security hardening performed by Bastille, including the firewall configuration, run bastille -r. For more information, see the Bastille documentation.
9.5 Reporting problems
Include the following information when reporting problems:
• A complete description of the problem and any error messages. Include information about:
  • the local system (IP addresses)
  • IP addresses of relevant remote systems
  • IP interface information (netstat -i output) if appropriate
  • routing table information (netstat -rn output) if appropriate