HP-UX IPFilter V18.10 Release Notes
HP-UX 11i v3

Abstract

This document provides information about new and changed features for HP-UX IPFilter V18.10. This document is intended for anyone who installs and uses HP-UX IPFilter. The information in this document assumes that you have experience with administering an HP-UX operating system.
© Copyright 2012 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

1 About this product 4
Benefits and features 4
2 Enhancements in this release 6
3 Fixes in this release
1 About this product

HP-UX IPFilter, product number B9901AA V18.10, is a TCP/IP packet filter suitable for use as a system firewall to protect back-end servers. The firewall functions as a security defense by cutting down the number of exposure points on a machine. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product (developed by Darren Reed), HP does not support some of the perimeter firewall features in that release.
• Sends back ICMP error/TCP reset for blocked packets
• Keeps packet state information for TCP, UDP, and ICMP
• Keeps fragment state information for any IP packet, applying the same rule to all fragments
• Drops all fragmented traffic if specified by rule
• Redirects packets for forensic analysis if specified by rule
• Creates extensive logs when required
• Supports IPv6
• Supports IPv4 address pools
2 Enhancements in this release

• Improved performance
• Updated ippool(4) manpage with more information and examples
• Updated ipfstat(1) manpage with more information about new options
• Support for the IPFilter accounting feature: You can count the number of outgoing and incoming packets by adding accounting rules to ipf.conf. This functionality can also be enabled for a LAN interface. For example, to count all the incoming and outgoing packets, add the following rule in ipf.
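The following ipf.conf fragment is an added illustration of accounting rules, not text from these release notes; the interface name lan0 and the host address are assumed values. A count rule only increments counters and never passes or blocks traffic, so it can be placed ahead of the filtering rules without changing what the firewall allows.

```text
# Constructed example of IPFilter accounting rules for ipf.conf
# (added illustration; "lan0" is an assumed interface name).
# Count every inbound and outbound packet on the interface.
count in on lan0 all
count out on lan0 all
# Count only inbound TCP traffic to one web server (assumed address).
count in on lan0 proto tcp from any to 10.2.2.2/32 port = 80
```

After the rules are loaded with ipf -f, the per-rule byte and packet counters are shown by ipfstat -a.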
3 Fixes in this release

QXCR1001094728 IPFilter 'pps' option doesn't work correctly with 'keep state' option
QXCR1001102470 wrong rule number displayed when rules are entered from STDIN instead of file
QXCR1001105626 ipfstat -B returns "option requires an argument" error
QXCR1001139934 IPFilter can not show better throughput on 11.31 than 11.23
QXCR1001163480 IPFilter panic in ip_natout()
QXCR1001167842 IPFilter A.11.31.
4 Compatibility information and installation requirements

Software requirements

The system must have standard HP-UX 11i v3 core products installed.
• 135—Neighbor solicitation
• 136—Neighbor advertisement

Disk space required for installation

This product requires 10MB of disk space.
5 Issues and solutions

• Using the pps option with keep state
The rate based filtering option pps is only applied to the first occurrence of the packet for which state gets stored. That is, after a state entry is added into the state table, rate based filtering does not apply. For example:

    pass in quick proto tcp from any to 10.2.2.2/32 port = 80 flags S keep state pps 10

In the above example, rate based filtering is applied on the incoming connection (SYN packet) only.
#ippool -f ippool.
6 Other product information

Supported and unsupported interfaces

The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION: For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces. HP-UX IPFilter is not tested with any third party products.
Table 1 HP-UX IPFilter supported interfaces

IPFilter version: A.11.31.18.0, A.11.31.18.10
Supported interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• 10 Gigabit Ethernet
• APA
• VLAN
• FDDI
• Token Ring
• X.25 (supported on HP-UX 11i v3 only)

IPFilter version: A.11.xx.17.xx
Supported interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• 10 Gigabit Ethernet
• APA
• VLAN
• FDDI
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)
• X.

Table 1 HP-UX IPFilter supported interfaces (continued)

IPFilter version: A.03.05.11.01, A.03.05.10, A.03.05.10.02, A.03.05.10.04, A.03.05.06.v2
Supported interfaces:
• VLAN
• FDDI
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)

IPFilter version: Open source versions: A.03.05.09, A.03.05.08, A.03.05.07, A.03.05.
Supported interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• The fr_limitmax tunable has been deprecated and is no longer used to control the number of limit entries that can be created on the system.
• The ipfstat command does not support authorization statistics.

Features not supported with IPv6

The following features are not supported with IPv6:
• Dynamic Connection Allocation (DCA) (the configuration of the IPv6 keep limit rules is not allowed.
7 Support and other resources

Contacting HP

Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

HP contact information

For the name of the nearest HP authorized reseller, see the Contact HP worldwide (in Engl
HP-UX IPFilter V18.10 for HP-UX 11i v3 is a bug fix only release on top of HP-UX IPFilter V18.0. See the following related document for HP-UX IPFilter V18.0 on HP-UX 11i v3:
• HP-UX IPFilter Version 18.0 Administrator Guide (5900–1572)

For information about HP-UX Bastille, see the HP-UX Bastille Version A3.3 User Guide at: http://www.hp.