HP-UX IPFilter V18.0 Release Notes
HP-UX 11i v3

Abstract

This document provides information about new and changed features for HP-UX IPFilter V18.0. It is intended for anyone who installs and uses HP-UX IPFilter, and it assumes that you have experience administering an HP-UX operating system.
© Copyright 2011 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

1 About this Product (page 4)
1.1 Benefits and Features (page 4)
2 Fixes in this Release (page 6)
3 Compatibility Information and Installation Requirements (page 7)
3.1 Software Requirements
1 About this Product

HP-UX IPFilter (product number B9901AA) V18.0 is a TCP/IP packet filter suitable for use as a system firewall to protect back-end servers. The firewall acts as a security defense by reducing the number of exposure points on a machine. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product (developed by Darren Reed), HP does not support some of the perimeter firewall features in that release.
• Supports NAT, which lets an intermediate HP-UX system act as a translator of IP addresses and network ports
• Sends back ICMP error/TCP reset for blocked packets
• Keeps packet state information for TCP, UDP, and ICMP
• Keeps fragment state information for any IP packet, applying the same rule to all fragments
• Drops all fragmented traffic if specified by rule
• Redirects packets for forensic analysis if specified by rule
• Creates extensive logs when required
• Supports IPv6
• Supports
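As an added illustration, not taken from the HP release notes, the constructed rule set below shows how the capabilities listed above map onto IPFilter rule syntax. The interface names lan0 and lan2, the 192.0.2.x and 192.168.10.x addresses, and the /etc/opt/ipf file paths are assumptions.

```conf
# Constructed example (not from the HP release notes): IPFilter rules that
# exercise the listed capabilities. Interface lan0, capture interface lan2,
# the 192.0.2.x / 192.168.10.x addresses and the file paths are assumptions.

# --- /etc/opt/ipf/ipf.conf (filter rules; path assumed) ---

# Drop and log all fragmented traffic ("drops all fragmented traffic if
# specified by rule"). Later rules therefore never see fragments.
block in log quick on lan0 all with frag

# Pass SMTP to the mail host statefully and copy every matching packet to
# lan2 for capture ("redirects packets for forensic analysis").
pass in quick on lan0 dup-to lan2 proto tcp from any to 192.0.2.10/32 port = 25 flags S keep state

# Stateful SSH: only the initial SYN is matched against the rule list; the
# rest of the session is admitted from the state table ("keeps packet state").
pass in quick on lan0 proto tcp from any to 192.0.2.10/32 port = 22 flags S keep state

# Stateful UDP and ICMP: DNS replies and echo replies come back by state only.
pass out quick on lan0 proto udp from 192.0.2.10/32 to any port = 53 keep state
pass out quick on lan0 proto icmp from 192.0.2.10/32 to any icmp-type 8 keep state

# Blocked TCP gets an RST and blocked UDP an ICMP port-unreachable
# ("sends back ICMP error/TCP reset for blocked packets"); both are logged.
block return-rst in log quick on lan0 proto tcp from any to any
block return-icmp(port-unr) in log quick on lan0 proto udp from any to any

# Anything else inbound is dropped and logged ("creates extensive logs").
block in log quick on lan0 all

# --- /etc/opt/ipf/ipnat.conf (NAT rules; path assumed) ---

# Hide the internal 192.168.10.0/24 network behind the outside address
# 192.0.2.1 ("supports NAT"): TCP/UDP is port-mapped, other protocols use
# the plain map rule that follows.
map lan0 192.168.10.0/24 -> 192.0.2.1/32 portmap tcp/udp 10000:40000
map lan0 192.168.10.0/24 -> 192.0.2.1/32
```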
2 Fixes in this Release

QXCR1001022401 ipfstat -a functionality is not working on 11i v3.
QXCR1001050587 ippool -a returns "no IP address given with -i".
QXCR1001050591 man 4 ippool specifies /etc/ippool.conf, which is not delivered with the product.
QXCR1001050594 The ippool -u option is not described in the ippool man page.
QXCR1001051272 The -ed option in the ipfilter man page is incorrect and should be -di.
QXCR1001051274 Request for a man page for the l4check IPFilter command.
3 Compatibility Information and Installation Requirements

3.1 Software Requirements

The system must have the standard HP-UX 11i v3 core products installed.
• 136—Neighbor advertisement

3.5 Disk Space Required for Installation

This product requires 10 MB of disk space.
4 Known Issues and Workarounds

• The startup script for HP-UX IPFilter automatically disables the ip_forward_directed_broadcasts parameter. This keeps the system from being subjected to broadcast-storm attacks that can bring down a network.
• If rules are configured using stdin, rule numbers are not assigned properly to individual rules. Sample output displaying the problem:

# ipf -f
pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
pass in on lan1 from 15.154.118.192/32 to 16.181.168.
5 Other Product Information

5.1 Supported and Unsupported Interfaces

The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION: For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces. HP-UX IPFilter is not tested with any third-party products.
Table 1 HP-UX IPFilter Supported Interfaces (continued)

IPFilter Version: A.11.xx.15.01
Supported Interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• FDDI
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)
• X.25 (supported on HP-UX 11i v3 only)

IPFilter Version: Open source versions: A.03.05.14 (HP-UX 11i v1 and HP-UX 11i v2), A.03.05.13 (HP-UX 11i v3), A.03.05.
Supported Interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
◦ ipsyncs
◦ ipsyncm
◦ ipfs
◦ ipsend
◦ ipresend
◦ mkfilters
◦ auth
◦ preauth
• Application proxy
• The fr_limitmax tunable has been deprecated and is no longer used to control the number of limit entries that can be created on the system.
• The ipfstat command does not support accounting and authorization statistics.

5.2.
6 Support and Other Resources

6.1 Contacting HP

6.1.1 Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

6.1.
HP-UX IPFilter V18.0 for HP-UX 11i v3 is a bug-fix-only release on top of HP-UX IPFilter V17.05. See the following related documents for HP-UX IPFilter V17.05 on HP-UX 11i v3:
• HP-UX IPFilter Version 17.05 Administrator's Guide (5900–1475)
• HP-UX IPFilter Version 17.05 Release Notes (5900–1036)

For information about HP-UX Bastille, see the HP-UX Bastille Version A3.3 User Guide at:
http://www.hp.com/go/hpux-security-docs

6.