HP-UX IPFilter V18.21 Administrator Guide
HP-UX 11i v3

Abstract

This document describes how to install, configure, and troubleshoot HP-UX IPFilter V18.21. It is intended for network managers and network security administrators who install, configure, and troubleshoot HP-UX IPFilter on HP 9000 systems. Administrators are expected to have knowledge of HP-UX operating system concepts, commands, and configuration.

© Copyright 2014 Hewlett-Packard Development Company, L.P.

Legal notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
HP secure development lifecycle

Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software delivered through this release before installing the products. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 Overview

HP-UX IPFilter, product number B9901AA V18.21, is a TCP/IP packet filter suitable for use as a system firewall. The version string is A.11.31.18.21 for HP-UX 11i v3. HP-UX IPFilter functions as a firewall by examining and limiting the packets allowed in and out of an HP-UX system, which can be either an end node or an IP router. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.
  ◦ TCP ports and port ranges
  ◦ UDP ports and port ranges
  ◦ ICMP message type and code
  ◦ Combination of TCP flags
  ◦ Network interface
• Control of incoming TCP connections through Dynamic Connection Allocation (DCA)
• Support for NAT, which enables an intermediate HP-UX system to act as a translator of IP addresses and network ports
• Return of ICMP error/TCP reset messages for blocked packets
• Maintenance of packet state information for TCP, UDP, and ICMP
• Maintenance of fragment state i
2 Installing HP-UX IPFilter

Overview of HP-UX IPFilter installation

The following section summarizes each step in the HP-UX IPFilter installation process.

Installation and configuration checklist

Complete the following steps to install HP-UX IPFilter.
1. Verify that your system meets the prerequisites. For detailed information, see Section (page 13).
2. Install HP-UX IPFilter using swinstall. For detailed information, see Section (page 13).
3.
IMPORTANT: Disabling or enabling IPFilter brings down all IP interfaces, and then brings up only the IP interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6 files. IP addresses not configured in the netconf or netconf-ipv6 file, such as Serviceguard relocatable IP addresses, are not re-enabled.

IMPORTANT: Enabling or disabling IPFilter causes the system to briefly lose network connectivity.
    Filtering: yes
    Log Flags: 0 = none set
    Default: pass all, Logging: available
    Active list: 1
2. Verify that HP-UX IPFilter is correctly loaded. On HP-UX 11i v2 and HP-UX 11i v3:
    # kcmodule -v -q pfil
    # kcmodule -v -q ipf
   Verify that the state is loaded.

Step 4: (Optional) Modifying kernel tunable parameters

HP-UX IPFilter supports kernel tunable parameters that affect IPFilter logging behavior and the IPFilter state table. For information about modifying the parameters, see Appendix C (page 117).
3 Configuring and loading IPv4 filter rules

IPv4 filter rules configuration file

The default HP-UX IPFilter IPv4 filter rules file is /etc/opt/ipf/ipf.conf. To specify an alternate IPv4 filter rules file name, set the IPF_CONF parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf. When HP-UX IPFilter is first installed, the /etc/opt/ipf/ipf.conf rules file is empty. Appendix B (page 106) contains example rules files you can use to create your ruleset.
Specifying the filter action: pass and block

The first keyword in an IPFilter rule specifies the action, and is usually pass or block. The keyword pass allows packets to pass in or out of IPFilter, and the keyword block blocks (drops) packets.

Specifying the filter direction: in and out

The in and out keywords specify whether the rule applies to inbound or outbound packets. Inbound traffic is traffic that enters the IPFilter system.
The following rule blocks all inbound packets from the addresses 10.10.10.1, 10.10.10.2, and 10.10.10.3 to any IP address:
    block in from 10.10.10.1-10.10.10.3 to any
The following rule blocks all inbound packets with the destination address 192.168.2.1:
    block in from any to 192.168.2.1
The following rule blocks all inbound packets that do not have the destination address 10.1.1.1:
    block in from any to !10.1.1.
Processing options: logging packets, optimizing rule processing, and specifying interfaces

IPFilter supports the following processing options:
• Log packet information (log)
• If the rule matches the packet, immediately apply the rule action and stop searching for rules (quick)
• Apply the rule only to the specified interface (on)

Option order

If you specify processing options, you must insert them after the in or out keyword:
    block|pass in|out [processing_options] [proto protocol
Filtering by network interfaces: on

The on keyword directs IPFilter to apply a rule to the specified network interface only. The syntax for specifying the on keyword is as follows:
    on interface_name
where:
    interface_name is a physical network interface name, such as lan0.
NOTE: The interface_name must be a physical interface name such as lan0. It cannot be a logical interface name, such as lan0:1.
1. flags
2. with opt and with ipopt
3. with frag and with short
4. icmp-type and code
5. keep state
6. keep frags
In the following example, the user specifies the flags option and the keep option in order:
    pass in quick proto tcp from any to 10.1.1.1 flags S keep state

Specifying TCP header flags: flags

Use the flags option to filter traffic by flags (control bits) in the TCP header. To specify the flags option, you must also specify proto tcp.
    lsrr (Loose Source Route, or Loose Source Record Route)
    mtup (MTU Probe - decremented)
    mtur (MTU Response - decremented)
    nop (No Operation)
    rr (Record Route)
    satid (Stream ID)
    sec (Security)
    ssrr (Strict Source Route, or Strict Source Record Route)
    tr (Traceroute)
    ts (Time Stamp)
    visa (Access Control - experimental)
    zsu (Measurement - experimental)
The IANA list of assigned IP option numbers specifies the numeric values for the IP options and lists the documents that define these options.
are also useful when you want to block traffic from blocks of addresses but want to allow in the ICMP packets required for normal network operation. For more information, see Chapter 11 (page 78).

Protecting TCP, UDP, and ICMP sessions: keep state

Use keep state to select individual TCP, UDP, and ICMP sessions that exchange multiple packets. This option enables you to use a rule to select the first packet in a session and then apply the same rule to all other packets in the session.
also allows subsequent TCP packets for these connections to pass. These rules allow only the following packets:
• Outbound TCP connection requests (TCP SYN flag set and no other flags set) for telnet (port 23)
• The packets used to finish establishing the TCP connections for the outbound telnet requests
• Inbound and outbound packets for the established telnet connections
    pass out quick proto tcp from 10.1.1.
A state entry is added for each incoming UDP connection. The state entry is deleted from the state table if any one of the following conditions is met:
• A UDP reply matches the state entry created for the corresponding UDP request
• The UDP entry has been idle for the default timeout period
• The age option was specified in the keep state rule and the UDP entry has been idle for the timeout period defined by the age option
For more information on the age option, see Section (page 25).
You can override the TCP default value when the connection is closed by using the fr_tcptimewait tunable or by using the age option on a per-rule basis. The value specified in the rule gets priority over the tunable value set at system level. The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, only TCP is supported. NAT provides the frnat_tcptimewait tunable to set the system level timeout. NOTE: This option is available only on HP-UX 11i v3.
To use the return-rst keyword in a rule that blocks inbound packets, insert the return-rst keyword after the block keyword. For example, the following rule blocks inbound telnet requests and generates a TCP RST packet:
    block return-rst in quick on lan0 proto tcp from any to 10.10.10.0/24 port = 23
When you configure a return-rst rule, HP recommends that you also configure a rule that explicitly allows the outbound RST packet to pass. For example:
    block return-rst in quick on lan0 proto tcp from any to 10.
    pass in on lan0 all group 1
    pass out on lan0 all
    block out quick on lan1 all head 10
    pass out quick on lan1 proto tcp from any to 20.20.20.64/26
    pass out quick on lan1 proto tcp from any to 20.20.20.64/26
    pass out quick on lan1 proto tcp from any to 20.20.20.64/26
    pass out quick on lan1 proto tcp from any to 20.20.20.65/32
    pass out quick on lan1 proto udp from any to 20.20.20.65/32
    pass out quick on lan1 proto tcp from any to 20.20.20.66/32
    pass out quick on lan1 proto udp from any to 20.20.20.
• IPFilter maintains an active ruleset and an inactive ruleset. The active ruleset is the ruleset used for IPFilter operations, and the inactive ruleset is a supplementary, reserve ruleset. By default, IPFilter applies the flush (-F) and file (-f) operations to the active ruleset. You can also explicitly direct IPFilter to apply an operation to the active ruleset with the -A option. For example:
    ipf -Fa -A -f /etc/opt/ipf/ipf.
NAT tags

A NAT tag creates an implied join between IPF rules and NAT rules. NAT tags are used in both IPF rules and NAT rules. There are two kinds of NAT rules: map and rdr. The map rules are processed in the OUT path and perform source address translation. The rdr rules are processed when packets enter the system and perform destination address translation. Use nat-tag in the rdr rule corresponding to the IPF rule in the IN path. Use nat-tag in the map rule corresponding to the IPF rule in the OUT path.
4 Configuring and loading IPv6 filter rules

IPv6 filter rules configuration file

HP-UX IPFilter maintains IPv4 and IPv6 rules as separate rule sets. You cannot configure IPv6 filter rules in the same file with IPv4 filter rules, and you must administer IPv4 and IPv6 rule sets separately. The rule set (IPv4 or IPv6) for a rule is determined by the command-line options and file used to load the rule. These options are described in Section (page 33).
Filtering ICMPv6 packets

To filter ICMPv6 messages by type and code, specify proto icmpv6 (or proto ipv6-icmp) and use the keywords icmpv6-type and code. For more information, see Section (page 82).

Stateful ICMPv6

IPFilter can retain state information for ICMPv6 Request-Response messages. The only supported message types are Echo Request and Echo Reply.

IPv6 extension headers

You can block or pass packets according to IPv6 extension headers.
    block in proto 41 from any to any
• 4-in-6
  Use the following rule to filter 4-in-6 tunnel packets:
    block in proto ip from any to any

Filtering IPv6 fragments

You can filter IPv6 fragments by specifying the v6hdrs frags keywords. Use the following rule to filter IPv6 fragmented traffic:
    block in proto udp from any to any with v6hdrs frags
Unlike IPv4, IPFilter does not maintain a fragment cache for IPv6 fragments.
5 Configuring and loading dynamic connection allocation (DCA) rules

DCA with HP-UX IPFilter

An HP-UX IPFilter system can act as a secure intermediary, tracking all incoming TCP connections to a system or network. DCA lets you limit incoming TCP connections passing through an IPFilter system. You can use DCA to limit the number of inbound connections based on the source IP address and, optionally, the destination TCP port number.
DCA rule syntax and keywords

The basic DCA syntax is as follows:
    pass in quick proto tcp from source_ip|any to dest_ip|any [port = port_num] keep limit limit_num
The keep limit keywords indicate that this is a DCA rule.
Limiting connections by subnet

The following rule is an example of a DCA rule that limits connections by IP subnet:
    pass in quick proto tcp from 192.168.5.0/24 to any port = 25 keep limit 4
This rule limits the maximum concurrent TCP connections to four from any individual host in subnet 192.168.5.0/24 to port 25 of any host.
cumulative rules) basis. The current value of the "connection exceeded counter" can be displayed with the ipfstat -Lv command.
Example 1:
    pass return-rst in log limit quick proto tcp from host1-hostn to Server port = 23 keep limit 10
For the above rule, if 12 concurrent Telnet connections are made from to , the 11th and 12th connections are blocked. If 13 concurrent Telnet connections are made from to , the 11th, 12th, and 13th connections are blocked.
reset to zero. The "connection exceeded counter" can increase once again when a new set of 11 or more Telnet connections is made from any individual host. You can also reset the "connection exceeded counter" to zero using the ipmon -r command.
In the example summary log, 192.13.15.97 is the source IP, 192.13.15.98 is the destination IP, and 23 is the port. Type 6 indicates that the limit rule is a non-cumulative rule applied to a subnet. (Type 2 and Type 8 can also appear in the logs; they indicate a non-cumulative limit rule applied to an individual IP address or to "any".) Configured 1 indicates that the configured rule limit is 1.
1. Enter the following command to add or modify rules in an inactive rules file:
    ipf [-6] -If rules_file
2. Run the following command to switch the active rules file with the inactive rules file you modified:
    ipf [-6] -s
When you modify an inactive rules file and then switch it with the active rules file, DCA processes new connections according to the new rules file whether or not there are existing connection limit entries in the limit table.
IPFilter recognizes the new rule as an update to an existing rule. IPFilter uses the new connection limit instead of the old connection limit. Limit entries made by the old rule are updated when a new connection is processed. New connections are processed with the new rule.

Adding new keep limit rules

The following procedures describe how to dynamically add new rules to active rules files.

Adding a new individual keep limit rule
1.
2.
To query the current DCA setting, use the following command:
    ipf -m q
You can toggle between enabled and disabled by using the following command:
    ipf -m t

Configuring IPFilter to enable DCA at system startup

To configure IPFilter to automatically enable DCA at system startup:
1. Open /etc/rc.config.d/ipfconf, the IPFilter startup configuration file.
2. Choose one of the following:
   • Set the DCA_START flag to 1 to enable DCA.
   • Set the DCA_START flag to 0 to disable DCA. This is the default setting.
You can display rule hit counts by using the ipfstat -ioh command. This command is useful as a troubleshooting mechanism, along with ipfstat -sl and ipfstat -vL, which enable connections to be examined in real time. Lastly, logging can be used to analyze the history of past connections.

Limits and hit counts

Configuring rules with cumulative and noncumulative limits affects rule hit counts. IPFilter registers rule hits differently for cumulative and noncumulative limits.
6 Configuring and loading NAT rules

NAT rules configuration file

IPFilter loads and evaluates NAT rules separately from filter rules. Do not configure NAT rules in the same file with filter rules. The default name for the HP-UX IPFilter NAT rules file is /etc/opt/ipf/ipnat.conf. To specify an alternate NAT rules file name, set the IPNAT_CONF parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf. To load NAT rules, use the ipnat utility. For more information, see Section (page 50).
NAT keywords

IPFilter supports the following keywords for NAT (Network Address Translation) functionality:
• map and mapblock
  The map and mapblock keywords rewrite or translate source addresses and port numbers for outbound packets.
• rdr
  The rdr keyword redirects and translates destination addresses and port numbers for inbound packets.
• bimap
  The bimap keyword translates addresses and port numbers for inbound and outbound packets.
address, specify 0/32, and IPFilter will use the currently assigned interface address as the target IP address.

Examples

The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the address 20.20.20.1 and transmits the packets using the lan0 interface:
    map lan0 192.168.1.0/24 -> 20.20.20.1/32
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the current IP address of the lan0 interface, then transmits them using lan0:
    map lan0 192.168.
where:
    interface_name is the name of the network interface used to receive the packets, for example, lan1.
    destination_ip is the destination IP address. This can be a subnet address or 0.0.0.0/0 to match any address.
    target_ip is the target IP address. IPFilter translates the destination IP address to the target IP address.
Using the rdr and round-robin keywords for load balancing

You can use the rdr keyword with the round-robin keyword to implement load-balancing systems and redirect traffic to multiple addresses. Separate the target addresses with a comma. For example:
    rdr lan0 20.20.20.5/32 port 80 -> 192.168.0.5,192.168.0.6 port 8000 round-robin
You can specify only two target addresses in each round-robin rule, but you can configure two rdr rules for the same interface, for a total of four target addresses.
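The following is an added example, not from the guide: a complete ipnat.conf for a gateway together with the filter rules that must accompany it. It assumes a constructed layout in which lan0 is the outside interface holding 20.20.20.5, lan1 faces the inside network 192.168.0.0/24, and two constructed inside web servers listen on port 8000. In IPFilter, rdr is applied before the inbound filter rules see a packet and map is applied after the outbound filter rules, so the filter rules must match the untranslated inside addresses.

```conf
# /etc/opt/ipf/ipnat.conf (constructed example)
# Outbound: hide the inside network behind whatever address lan0 currently holds
# (0/32 = current interface address).
map lan0 192.168.0.0/24 -> 0/32

# Inbound: spread web traffic for the public address over two inside servers.
# Only two targets are allowed per round-robin rule; a second rdr rule on the
# same interface can add two more.
rdr lan0 20.20.20.5/32 port 80 -> 192.168.0.5,192.168.0.6 port 8000 round-robin

# Load with:  ipnat -CF -f /etc/opt/ipf/ipnat.conf

# ---- matching fragment of /etc/opt/ipf/ipf.conf ----
# rdr has already rewritten the destination when the inbound filter runs, so
# match the inside servers on port 8000, not 20.20.20.5 on port 80.
pass in quick on lan0 proto tcp from any to 192.168.0.5/32 port = 8000 flags S keep state
pass in quick on lan0 proto tcp from any to 192.168.0.6/32 port = 8000 flags S keep state

# Traffic from the inside network enters on lan1 and leaves on lan0. map runs
# after the outbound filter, so these rules see the original 192.168.0.0/24
# source addresses; keep state lets the (un-mapped) replies back in on lan0.
pass in quick on lan1 proto tcp from 192.168.0.0/24 to any flags S keep state
pass in quick on lan1 proto udp from 192.168.0.0/24 to any keep state
pass out quick on lan0 proto tcp from 192.168.0.0/24 to any flags S keep state
pass out quick on lan0 proto udp from 192.168.0.0/24 to any keep state

# Everything else, in either direction, is dropped and logged.
block in log all
block out log all
```

Because the ipnat.conf and ipf.conf sections are separate files, save them separately; ipnat -CF flushes existing NAT rules and active mappings before loading, so run it before loading the filter rules with ipf.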
• l4check cannot add rules with sticky password.
• This feature is available only on HP-UX 11i v3.

Syntax
    l4check [-nv] -f
Options
    -n  Do not add to or delete NAT rdr rules. Only print any action to stdout.
    -v  Prints verbose output to stdout.
    -f  Specifies the configuration file l4check requires. For more information about how to populate the configuration file, see the /etc/opt/ipf/l4check.conf_template file.
Sample l4check.
    #
    # List the different "remote server" i.e. the "IP Address,port" combination.
    # This list will be used for testing the connections if successful within
    # timeout, probe with request if provided and check for response if provided.
    #
    # Below is a sample list.
    remote server 192.168.1.2,23
    remote server 192.168.1.2,2101
    remote server 192.168.1.3,25
    remote server 192.168.1.254,8000
    remote server 192.168.1.
NOTE:
• If HP-UX IPFilter is already running, you must restart IPFilter to activate the new value.
• If the value of ipnat_largenat_enable is changed while IPFilter is running, the following warning message is displayed along with the current value in effect:
    WARNING: Changes to ipnat_largenat_enable will take effect only after restarting IPFilter. Value in effect is 0.
• Enabling ipnat_largenat_enable unlocks the HASH table sizes of HP-UX IPFilter and allows users to change them.
Table 2 HASH table tunables (continued)

NOTE: The number of RDR rules actually loaded on the system can be more than the value configured for the ipnat_rdr_size tunable. The ipnat_rdr_size tunable increases the chances of a faster rule search.

ipnat_nat_table_size
Using this tunable, you can tune the size of the HASH tables that hold the ACTIVE NAT (MAP and RDR) connection entries at any given time. The default value is 127 (minimum) and the maximum value is 16383.
    SIZE OF NAT RULES HASH TABLE 1024
    SIZE OF RDR RULE HASH TABLE 2047
    List of active sessions
    MAP 20.20.1.1 59034 <- -> 10.10.1.2 59034 [10.10.1.1 23]
When ipnat_largenat_enable is disabled:
    $ ipnat -hl
    List of active MAP/Redirect filters:
    1 map lan1 20.20.1.1/32 -> 10.10.1.2/32 tag test-tag
    List of active sessions
    MAP 20.20.1.1 59034 <- -> 10.10.1.2 59034 [10.10.1.
to the specific environment requirements. Setting this value higher causes stale idle TCP/IP connections to persist, which in turn affects the performance of other NAT operations.
7 Address pooling

NOTE: Address pooling is available only on HP-UX 11i v3.

The ippool utility

Address pools establish a single reference that is used to name a group of address/netmask pairs. Address pools:
• Facilitate management of large groups of addresses
• Reduce the time to match IP addresses with rules
• Improve performance
The ippool utility manages information stored in the IP pools subsystem of IPFilter. Configuration file information can be parsed and loaded into the kernel.
    role         Specifies the role of the pool. The only role for reference is ipf.
    type         Specifies the storage format for the pool. There are two supported storage formats: tree (pool) and hash table.
    number/name  Specifies the reference number/name that is used by the filtering rule.

Examples

The following example creates an address pool using the tree storage format that is referenced in an IPF rule which allows packets from this pool.
    table role = ipf type = tree name = mypool { 10.1.1.41/32; 10.1.1.
8 Tips for securing your system

Blocking services by port number and protocol

To create a ruleset that explicitly passes packets for a specific service or services, but blocks all other traffic:
1. Configure pass rules with the quick keyword to allow packets for specific services by port number and protocol.
2. At the end of the ruleset, configure a rule to block all traffic (block in all).
Creating a complete filter by interface

When you create a ruleset, you should configure rules for all directions and all interfaces. The default state of IPFilter is to pass packets both in and out. Instead of relying on the IPFilter default behavior, make every ruleset as specific as possible, interface by interface, until all possibilities are explicitly covered.
    block in quick on lan0 from 10.0.0.0/8 to any
    block in quick on lan0 from 127.0.0.0/8 to any
    block in quick on lan0 from 20.20.20.0/24 to any
    pass in all

Using bidirectional filtering

You can use bidirectional filtering to limit packets leaving a system to those that come from a specific subnet. For example, to limit traffic passing out of the IPFilter system to packets coming from the 20.20.20.0/24 subnet, configure the following rules:
    pass out quick on lan0 from 20.20.20.
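The following is an added example, not one of the guide's own rules files: a complete ipf.conf that applies the tips in this chapter to a single-interface end node, combining the pass-quick-then-block pattern, anti-spoofing, keep state, return-rst with its outbound companion, icmp-type, and a DCA keep limit rule from earlier chapters. The host, its interface lan0, and the address 20.20.20.10 on 20.20.20.0/24 are constructed.

```conf
# /etc/opt/ipf/ipf.conf (constructed example) for a host whose only interface,
# lan0, holds 20.20.20.10.  Load with:  ipf -Fa -f /etc/opt/ipf/ipf.conf

# 1. Anti-spoofing: a packet arriving on lan0 that claims to be from this
#    host's own address or from loopback cannot be legitimate. Log and drop.
block in log quick on lan0 from 20.20.20.10/32 to any
block in log quick on lan0 from 127.0.0.0/8 to any

# 2. Inbound services. Only a bare SYN (flags S) opens an SSH session, and
#    keep state passes the rest of that connection without further matching.
pass in quick on lan0 proto tcp from any to 20.20.20.10/32 port = 22 flags S keep state
# Mail: each client host may hold at most 4 concurrent SMTP connections
# (DCA rule; requires DCA to be enabled).
pass in quick proto tcp from any to 20.20.20.10/32 port = 25 keep limit 4

# 3. ICMP required for normal operation: echo request (type 8) with state so
#    only our reply goes back; destination unreachable (3) and time exceeded
#    (11) so path MTU discovery and traceroute keep working.
pass in quick on lan0 proto icmp from any to 20.20.20.10/32 icmp-type 8 keep state
pass in quick on lan0 proto icmp from any to 20.20.20.10/32 icmp-type 3
pass in quick on lan0 proto icmp from any to 20.20.20.10/32 icmp-type 11

# 4. Telnet is refused with a TCP RST so clients fail fast instead of timing
#    out; the out rule explicitly lets the generated RST leave.
block return-rst in log quick on lan0 proto tcp from any to 20.20.20.10/32 port = 23
pass out quick on lan0 proto tcp from 20.20.20.10/32 port = 23 to any flags R

# 5. Outbound. Replies from the SMTP listener need their own rule because the
#    keep limit rule in section 2 keeps no TCP state.
pass out quick on lan0 proto tcp from 20.20.20.10/32 port = 25 to any
#    Anything this host initiates itself, with state so the replies return.
pass out quick on lan0 proto tcp from 20.20.20.10/32 to any flags S keep state
pass out quick on lan0 proto udp from 20.20.20.10/32 to any keep state
pass out quick on lan0 proto icmp from 20.20.20.10/32 to any keep state

# 6. Default deny in both directions, logged, so anything unexpected shows up
#    in ipmon output instead of passing under the IPFilter default of pass all.
block in log all
block out log all
```

Check the loaded result with ipfstat -in and ipfstat -on (the @group:rule numbers are what ipmon log entries refer to), and confirm the block counters with ipfstat before relying on the ruleset.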
9 Troubleshooting HP-UX IPFilter

Viewing IPFilter statistics and active rules with ipfstat

The ipfstat utility displays IPFilter statistics, including how many packets have been passed or blocked, whether the packets were logged or not, how many state entries have been made, and DCA statistics. You can also use options with ipfstat to display active rules.
Syntax
    ipfstat [-options]
Options
For a complete list of ipfstat options, see the ipfstat manpage.
    -r group:rule  Displays the limit statistics by rule number. If you specify this option with the -6 option, ipfstat displays the IPv6 rule; without the -6 option, it displays the IPv4 rule.
    -v             Sets verbose mode. Use for debugging.
NOTE: Statistics counters do not increment when both the active in and out rulesets are empty. This is due to a performance optimization that bypasses IPFilter when there are no active rulesets present.
This status report shows that the ruleset may not be working as intended. Many outbound packets are being blocked despite a pass out rule configured to pass most outbound packets. ipfstat cannot indicate whether a ruleset is configured correctly. It can only display what is happening at the present time with a given ruleset. Set the -n option to display the rule number next to each rule. The rule number appears as @group:rule. This can help you determine which rules are incorrectly configured.
The following is an example of the output of the ipfstat -L option.
    Current connections to limited IP addresses
    Connection Type   Active Limits
    Individual        2
    Subnet            3
    Cumulative        5
    Unknown IP        9
    Total             19
    No Memory  Logged Records  Log Failures  Limits Added  Add Failures
    0          13              0             13            0
• The first six lines display the number of current active connections of each described type.
• No Memory is the number of times a limit entry could not be created because no memory was available.
    S—IP subnet
    C—Cumulative
    U—Unknown IP
  These limit entries are created through the default rule. See Section (page 35) for detailed information on the different types of limit entries.
• The Rule column displays the rule number that caused the creation of this limit entry. This information can in turn be used to get per-rule statistics using the ipfstat -r command.
• The third through sixth columns display the IP-port pairs of the TCP connection.
Each packet descriptor must be contained on one line. By default, the format for each packet descriptor is as follows:
    in|out [on interface] [protocol] src_host[,src_port] dest_host[,dest_port] [flags]
where:
    interface  Specifies the interface name, such as lan0.
    protocol   Specifies the protocol name. Valid values are: tcp, udp, icmp, icmpv6
    src_host   Specifies the source IP address or host name.
    src_port   Specifies the source TCP or UDP port number.
    in on lan0 udp 10.1.81.195,16000 10.1.84.196,16000
    in on lan1 udp 10.1.81.195,16000 10.1.85.196,16000
    out on lan0 udp 10.1.84.196,16000 10.1.81.195,16000
    out on lan1 udp 10.1.85.196,16000 10.1.81.195,16000
    out on lan0 icmp 10.1.84.196 10.1.84.195
    in on lan0 icmp 10.1.84.195 10.1.84.196
    out on lan0 udp 10.1.80.196,16001 10.1.84.195,16000
    out on lan0 udp 10.1.80.196,16001 10.1.85.195,16000
    in on lan0 udp 10.1.84.195,16000 10.1.80.196,16001
    in on lan0 udp 10.1.85.195,16000 10.1.80.
    nomatch ip 28(20) 17 10.1.84.196,16000 > 10.1.81.195,16000
    --------------
    input: out on lan1 udp 10.1.85.196,16000 10.1.81.195,16000
    nomatch ip 28(20) 17 10.1.85.196,16000 > 10.1.81.195,16000
    --------------
    input: out on lan0 icmp 10.1.84.196 10.1.84.195
    nomatch ip 48(20) 1 10.1.84.196 > 10.1.84.195
    --------------
    input: in on lan0 icmp 10.1.84.195 10.1.84.196
    pass ip 48(20) 1 10.1.84.195 > 10.1.84.196
    --------------
    input: out on lan0 udp 10.1.80.196,16001 10.1.84.195,16000
    nomatch ip 28(20) 17 10.1.80.
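As an added example (not from the guide), the following pair of files shows how ipftest is used to prove a stateful ruleset before it is loaded: a small constructed rules file and a packet-descriptor file in the format described above, with the verdict each descriptor should produce. The host 10.1.84.196, the client 192.0.2.7, and the ports are constructed.

```conf
# ---- rules.test (constructed ruleset under test) ----
block in quick on lan0 from 127.0.0.0/8 to any
pass in quick on lan0 proto tcp from any to 10.1.84.196/32 port = 22 flags S keep state
pass in quick on lan0 proto udp from any to 10.1.84.196/32 port = 53
block in log all

# ---- packets.txt (constructed packet descriptors) ----
# Run:  ipftest -r rules.test -i packets.txt
# Each descriptor follows: in|out [on interface] [protocol] src[,port] dst[,port] [flags]
# Expected: pass (SYN to the SSH port matches the flags S rule and creates state)
in on lan0 tcp 192.0.2.7,40000 10.1.84.196,22 S
# Expected: pass (ACK of the same 4-tuple is carried by the state entry, not by a rule)
in on lan0 tcp 192.0.2.7,40000 10.1.84.196,22 A
# Expected: block (ACK on a different source port; no SYN was seen, so no state,
# and flags S does not match a bare ACK)
in on lan0 tcp 192.0.2.7,40001 10.1.84.196,22 A
# Expected: pass (DNS query; stateless rule, so no entry is created)
in on lan0 udp 192.0.2.7,5353 10.1.84.196,53
# Expected: block (loopback source arriving on a real interface is a spoof)
in on lan0 udp 127.0.0.1,5353 10.1.84.196,53
# Expected: block (telnet is not in the pass list, so the final rule applies)
in on lan0 tcp 192.0.2.7,40002 10.1.84.196,23 S
```

Save the two sections as separate files; ipftest prints one verdict line per descriptor in the same form shown above, and a descriptor whose verdict differs from the expectation points at the rule that needs attention.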
    cron ftp authpriv audit logalert local0 local1 local2 local3 local4 local5 local6 local7
The valid values for priority are:
    emerg alert crit err warn notice info debug
Example:
    block in log level auth.info quick on lan0 from 20.20.20.0/24 to any
    block in log level auth.alert quick on lan0 proto tcp from any to 20.20.20.0/24 port = 21

first

You can use the first option with the log keyword to log only the first instance of a certain type of packet.
    -o [NSI]  Specifies which log file to read data from. Valid values are:
              • N—NAT log file
              • S—State log file
              • I—IPFilter log file
    -A        Logs the summary records created for DCA logging.
    -r        Prints the summary records to the summary log file and clears the connection exceeded counter for each limit entry.
    -F        Flushes the packet log buffer. Output displays the number of bytes flushed.
    -n        Maps IP addresses and port numbers to host names and services wherever possible.
Use the ipfstat -in command to determine the text of the rule that created the log entry. In the previous example, you would use this command to look at rule 2 in rule group 0 (@0:2). IPFilter sometimes logs a packet matching a keep state rule in the normal (non-state) IPFilter log file. This occurs when a packet matching a keep state rule has the same sequence number as a packet matching a normal (non-state) rule that has logging enabled. IPFilter.
If an ICMP packet is going to 10.1.1.40 and it is allowed by the configured IPF rules, ipmon logs this packet in syslog. For example:
    match { dstip = 10.1.1.40/32, protocol = icmp, result = pass } do { syslog };
If a packet arrives on interface lan4 and it matches a keep state rule, ipmon logs it in syslog and saves the log in a separate file /state_save.
If your rules file blocks packets for network services (that is, the last effective rule amounts to "block in all"), the boot sequence might not complete, for example, when sendmail, SNMP, and NIS are configured on the system.
• Nothing is logged. Verify the following:
    ipf -V should show the logging file as available.
    ps -ef | grep ipmon to verify that ipmon is running. During bootup, ipmon is started.
  ◦ ipfstat -hio
  ◦ ipfstat -Iio
  ◦ ipfstat -s
  ◦ ipfstat -sl
  ◦ ipfstat -f
  ◦ ipfstat -g
  ◦ ipfstat -Q (on HP-UX 11i v3 systems)
• Relevant IPFilter configuration files:
  ◦ /etc/rc.config.d/ipfconf
  ◦ /etc/opt/ipf/ipf.conf (or alternate IPv4 filter rules file)
  ◦ /etc/opt/ipf/ipnat.conf (or alternate NAT rules file)
  ◦ /etc/opt/ipf/ipf6.conf (or alternate IPv6 filter rules file)
• IP configuration file: /etc/rc.config.
10 HP-UX IPFilter utilities The ipf utility The ipf utility performs a broad range of actions on the active and inactive IPFilter rulesets. You can use ipf to add rules, delete rules, switch active and inactive rulesets, and flush the existing ruleset from the system. You can perform other actions with ipf. See the ipf manpages for more information.
• q Queries whether DCA is disabled or enabled. • t Toggles DCA between disabled or enabled. There is a single DCA mode for both IPv4 and IPv6 DCA processing. Specifying the -6 option with the -m option has no effect. See Section (page 41) for more information about how to disable, enable, query, or toggle DCA. TIP: If you have no DCA rules (no keep limit rules), HP recommends that you disable DCA. -E interface_name Enables IPFilter processing for traffic on a given interface.
-C Deletes the current ruleset. -F Flushes active mappings. -r Removes rules from the NAT rules file. Example Enter the following command: ipnat -CF -f /etc/opt/ipf/ipnat.conf This command flushes any existing NAT rules and removes any active mappings, then loads the NAT rules in the ipnat.conf file. The ipfilter utility (HP-UX 11i v3) The ipfilter utility enables, disables, and reports the IPFilter state. The ipfilter utility is supported only on HP-UX 11i v3.
The ippool utility The ippool utility is used to manage information stored in the IP pools subsystem of IPFilter. For more information, see Chapter 7 (page 55) or the ippool(8) manpage. Syntax ippool -options Global options -d Toggles debugging of processing the configuration file. -n Prevents ippool from making ioctl calls or altering the running kernel. -v Turns verbose mode on. Command options -a Adds a new data node to an existing pool in the kernel. -A Adds a new (empty) pool to the kernel.
11 HP-UX IPFilter and ICMP Filtering ICMPv4 packets by type and code: icmp-type and code You can filter specific types of ICMPv4 (ICMP) traffic using the icmp-type and code keywords. These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service (DoS) attacks, but must allow certain types of ICMP messages in and out of your system. You must specify proto icmp to use the icmp-type and code keywords.
Table 3 ICMP type and codes (continued)

Type  Code  icmp-type  Meaning                       icmp-code
4     0     squench    SOURCE QUENCH
5           redir      REDIRECT
      0                network
      1                host
      2                network & TOS
      3                host & TOS
8     0     echo       ECHO REQUEST (ping request)
9     0     routerad   ROUTER ADVERTISEMENT
10    0     routesol   ROUTER SOLICITATION
11          timex      TIME EXCEEDED
      0                TTL=0 during transmit
      1                TTL=0 during reassembly
12          paramprob  PARAMETER PROBLEM
13    0     timest     TIMESTAMP REQUEST
14    0     timestrep  TIMESTAMP REPLY
15    0     inforeq    INFO REQUEST (obsolete)
16    0     inforep
NOTE: If your topology matches the following conditions, your system may mark gateways "down" and the system will lose connectivity to remote systems through those gateways. • The local system is an HP-UX 11i v1 system without patch PHNE_35351 or later installed, or an HP-UX 11i v2 system without patch PHNE_35765 or later installed. • The ip_ire_gw_probe feature is enabled (ip_ire_gw_probe is set to 1).
IPFilter configuration HP recommends that you configure IPFilter to process ICMP redirect messages as follows: • End systems On end systems, block all inbound ICMP redirect messages without logging them. Block all outbound ICMP redirect messages (end systems have no need to send ICMP redirect messages).
Using ndd to configure ICMPv4 kernel parameters The ICMPv4 (ICMP) kernel tunable parameters in this chapter are all configured using the ndd utility. Parameter values that you set by running ndd are not retained when the system reboots. You can configure parameter values in the ndd startup file, /etc/rc.config.d/nddconf, so ndd will set the configured values each time the system starts up. To add an ICMP configuration value to /etc/rc.config.
For example, to block inbound Node Information Queries (type 139) to your system (2001:db8::1), create the following rule:
block in quick proto icmp from any to 2001:db8::1 icmpv6-type 139
Controlling ICMPv6 router discovery and neighbor discovery messages By default, HP-UX IPFilter allows ICMPv6 Router Discovery and Neighbor Discovery messages to bypass (pass through) IPFilter rulesets and always pass in and out of the system.
12 HP-UX IPFilter and FTP CAUTION: NAT and FTP are incompatible. If you are using FTP on your IPFilter system, do not use NAT rules. FTP basics FTP is a user-level protocol for transferring files between host computers. An FTP session involves two separate connections: • Control connection 1. The server listens for client connections on port 21. 2. The client opens a connection to the server port 21 from a client port above 1023. 3.
Active FTP

FTP server              Direction of connection initiated   FTP client
Port 21 (control port)  <----------------                   Any port 1024 or higher
Port 20 (data port)     ---------------->                   Any port 1024 or higher

On an FTP server using active FTP, configure IPFilter rules to allow control connections in and data connections out.

Passive FTP

FTP server                            Direction of connection initiated   FTP client
Port 21 (control port)                <----------------                   Any port 1024 or higher
Any port 1024 or higher (data port)   <----------------                   Any port 1024 or higher

To let an FTP client open a passive FTP session, configure IPFilter to allow both the control and data connections out.
13 HP-UX IPFilter with NFS and RPC Introduction The NFS service uses multiple daemons. The NFS daemon, nfsd, listens for requests on the static (fixed) TCP and UDP port number 2049. By default, the auxiliary daemons used for the NFS services—rpc.lockd (lockd), rpc.mountd (mountd), and rpc.statd (statd)—listen for service requests on dynamic port numbers. These daemons use the Remote Procedure Call (RPC) protocol and register port numbers with the port mapper daemon (rpc.
Using the rpc.ipfboot script to update IPFilter rules The /etc/opt/ipf/rpc.ipf/rpc.ipfboot script queries the port mapper and updates the IPFilter rules files with the appropriate port numbers. This script is useful if you cannot run the auxiliary NFS daemons on fixed ports as described in the previous section, or if you want IPFilter to process packets for other daemons that use the RPC mechanism. NOTE: The files and scripts used in this procedure serve as basic building blocks for use at startup time.
The /etc/opt/ipf/rpc.ipf/rpc_ipfconf file contains the client list and program list. The sample file grants access to the program numbers listed from the IP addresses and IP subnets listed in the client list. The example shown in the sample file lists the program numbers used by an NFS server, rpc.mountd, rpc.statd, rpc.lockd, and nfsd. This file also has the following declared: • ADD_RPC_IPFILTER_RULES=1 Set this to 1 to configure RPC IPFilter rules.
14 HP-UX IPFilter and IPSec IPFilter and IPSec basics IPSec and IPFilter will not panic or corrupt each other. However, there are situations in which one product might block traffic for the other. The following figure shows the positions of IPFilter and IPSec in the network stack: Figure 1 IPFilter and IPSec IPFilter, which is below IPSec in the networking stack, filters network packets before they reach IPSec.
To enable IPSec to complete IKE negotiations, configure IPFilter to allow the IKE negotiation packets through. Figure 3 Scenario two In Scenario two, IPFilter on system A is configured to block UDP traffic, and you want all TCP traffic to pass through. From system B on the network, you want all TCP traffic encrypted. System A has IP address 10.10.10.10 and system B has IP address 15.15.15.15. You configure IPSec on each system to encrypt packets between the two systems.
Figure 5 Packet with unencrypted TCP data Figure 6 Packet with IPSec-encrypted TCP data IPFilter never sees the TCP packets between system A and system B with a protocol number of 6. These packets are encrypted (or wrapped) in a packet that has a protocol number of 50. If you configure IPFilter to block packets with protocol number 6, it still lets protocol number 50 pass through. IPSec takes apart the packet and decrypts the TCP data.
15 HP-UX IPFilter and Serviceguard Using HP-UX IPFilter with Serviceguard HP-UX IPFilter supports local failover in a Serviceguard environment. CAUTION: NAT functionality is not supported with Serviceguard. Enabling or disabling IPFilter CAUTION: HP recommends that you enable or disable IPFilter when interrupting network connectivity is not disruptive. Additionally, HP recommends that you do not enable or disable HP-UX IPFilter when critical network applications are running.
for each node in the cluster. Rules that filter on interface names will also be different on different nodes in a cluster. Filtering on a package IP address HP-UX IPFilter can filter on a package IP address. The package IP address is an IP address that corresponds to a logical network interface. For example, a telnet connection is made to the primary cluster node with a package IP address of 17.13.24.105. You want to configure IPFilter to let telnet traffic through.
Rules for intra-cluster communication To ensure proper operation of your Serviceguard cluster, you must configure IPFilter rules for each configured Serviceguard heartbeat subnet to allow intra-cluster communication.
Rules for external access The following subsections describe rules to allow packets for external clients and servers used in a Serviceguard environment. These sections provide guidelines only. You might need to modify them to work with your network configuration and the applications you use. Specific applications used within the Serviceguard cluster might require additional ports to be opened.
Cluster object manager If you are using a Cluster Object Manager (COM) on a node outside of the cluster to provide connections to Serviceguard Manager clients, each node in the cluster must have the following rules configured: pass in quick proto tcp from com_node to cluster_nodes port = 5302 flags S keep state pass in quick proto udp from com_node to cluster_nodes port = 5302 keep state pass out quick proto tcp from cluster_nodes to com_node port 49151 >< 65535 keep state pass out quick proto tcp from clu
Consolidated log: clog If you are using the consolidated log package, clog, add the following rules for the configured clog TCP port number: pass in quick proto tcp from smh_mgmt to cluster_nodes port = clog_tcp keep state pass out quick proto tcp from cluster_nodes to smh_mgmt keep state In the previous set of rules, cluster_nodes are all nodes in the cluster, smh_mgmt is the address of the SMH Management Station, and clog_tcp is the TCP port configured for the clog package.
16 Support and other resources Contacting HP Before you contact HP Be sure to have the following information available before you contact HP: • Technical support registration number (if applicable) • Product serial number • Product model name and number • Product identification number • Applicable error message • Add-on boards or hardware • Third-party hardware or software • Operating system type and revision level HP contact information For the name of the nearest HP authorized reselle
audit(5) A manpage. The manpage name is audit, and it is located in Section 5. Command A command name or qualified command phrase. Computer output Text displayed by the computer. Ctrl+x A key sequence. A sequence such as Ctrl+x indicates that you must hold down the key labeled Ctrl while you press another key or mouse button. ENVIRONMENT VARIABLE The name of an environment variable, for example, PATH. ERROR NAME The name of an error, usually returned in the errno variable.
17 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
A Product specifications Configuration files HP-UX IPFilter uses the following configuration files: • /sbin/init.d/ipfboot The startup script for the ipf module. • /etc/rc.config.d/ipfconf Configuration file for the ipfboot startup script. The information in this file determines how HP-UX IPFilter starts when the system is booted and also specifies the location of the rules files. • /etc/opt/ipf/ipf.conf The default IPFilter IPv4 rules file.
• /sbin/ipnat
• /opt/ipf/bin/ipfilter (supported on HP-UX 11i v3 only)

Unsupported utilities

HP does not support the following public domain IPFilter utilities and commands:
• Rule keywords
  ◦ dup-to
  ◦ fastroute
  ◦ to
• Commands
  ◦ ipscan
  ◦ ipsyncs
  ◦ ipsyncm
  ◦ ipfs
  ◦ ipsend
  ◦ ipresend
• Application proxy

Supported and unsupported interfaces

The following table lists the interfaces supported for the current versions of HP-UX IPFilter.
Table 4 HP-UX IPFilter supported interfaces

IPFilter version       Supported interfaces
HP-UX A.11.xx.17.xx    • Ethernet (10Base-T)
HP-UX A.11.xx.18.xx    • Fast Ethernet (100Base-T)
                       • Gigabit Ethernet (1000Base-T)
                       • 10 Gigabit Ethernet
                       • APA
                       • VLAN
                       • FDDI
                       • Token Ring
                       • InfiniBand (supported on HP-UX 11i v2 only)
                       • X.25 (supported on HP-UX 11i v3 only)
HP-UX A.11.xx.         • Ethernet (10Base-T)
                       • Fast Ethernet (100Base-T)
                       • Gigabit Ethernet (1000Base-T)
                       • 10 Gigabit Ethernet
A.03.05.06             • VLAN
                       • FDDI
                       • Token Ring

The following interfaces are unsupported (not protected by HP-UX IPFilter):
• ATM
• Hyperfabric
• InfiniBand (supported on HP-UX 11i v2, but not on other HP-UX versions)
• X.
B HP-UX IPFilter configuration examples This appendix provides IPFilter configuration examples that are also included in the /opt/ipf/examples directory with HP-UX IPFilter. You can take useful rules that you find in these examples and copy them into /etc/opt/ipf/ipf.conf, which is your HP-UX IPFilter configuration file. These files are taken from the files provided with the open source IPFilter product. BASIC_1.
pass in quick proto tcp from any to any port = ftp-data keep state group 201
pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
#
# Allow NTP from any internal host to any external NTP server.
#------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the
# loopback interface should *NOT* exist
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.
#
# block all outbound packets.
#
block out from any to any
#
#
# allow any host to send any IP packet out to a limited number
# of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32

example.4
#
# block all ICMP packets.
#
block in proto icmp from any to any
#

example.
example.7
# block all ICMP packets.
#
block in proto icmp all
#
# allow in ICMP echos and echo-replies.
#
pass in on lan1 proto icmp from any to any icmp-type echo
pass in on lan1 proto icmp from any to any icmp-type echorep
#
# block all ICMP destination unreachable packets which are
# port-unreachables
#
block in on lan1 proto icmp from any to any icmp-type unreach code 3

example.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are
# destined for localhost
#
pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block any packet trying to get to X terminal ports, X:0 to
# X:9
#
block in proto tcp from any to any port 5999 >< 6010
#
# allow any connections to be made, except to BSD
# print/r-services; this will also protect syslog.
#
pass in on lan0 to lan1:10.3.3.1 proto icmp all

example.sr
#
# log all inbound packets on lan0 which have IP options present
#
log in on lan0 from any to any with ipopts
#
# block any inbound packets on lan0 which are fragmented and
# "too short" to do any meaningful comparison on. This actually
# only applies to TCP packets which can be missing the flags/ports
# (depending on which part of the fragment you see).
block in on lan0 proto icmp from any to 10.1.1.0/24
block in on lan0 proto icmp from any to 10.1.2.0/24

firewall
# Configuring IP Filter for firewall usage.
=========================================

Step 1 - Block out "bad" IP packets.
------------------------------------
Run the perl script "mkfilters".
a)
b)
c)
block out on lan0 proto udp all
block in on lan0 proto udp all

BASIC.NAT
#!/sbin/ipnat -f
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# If only one valid IP address from the ISP, then use this
# rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> a.b.c.
#
# Redirection is triggered for input packets. For example, to
# redirect FTP connections through this box to the local ftp
# port and force them to connect through a proxy, you would use:
#
rdr lan0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp

nat-setup
Configuring NAT on your network.
================================
To start setting up NAT, we need to define which is your "internal" interface and which is your "external" interface.
block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24

and use these with ipnat:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28

ipmon.
C HP-UX IPFilter kernel tunable parameters

Overview

HP-UX IPFilter supports the following kernel tunable parameters:

Name               Description                                                                 Default value
fr_tcpidletimeout  The timeout period for TCP entries in the state table.                      86,400 seconds
fr_statemax        Specifies the maximum number of state table entries that can be created.    800,000 entries
Name               Range                                                Default value    Configuration utility
                   HP-UX 11i v2 and HP-UX 11i v3: 240 - 86,400 seconds

fr_statemax

The fr_statemax parameter specifies the maximum number of entries in the IPFilter state table.

Name         Range                      Default value    Configuration utility
fr_statemax  4,000 - 1,600,000 entries  800,000 entries  HP-UX 11i v1: kmtune
                                                         HP-UX 11i v2 and HP-UX 11i v3: kctune

IPFilter allocates state table entries for packets using stateful (keep state) and Dynamic Connection Allocation (keep limit) rules.
ipl_suppress The ipl_suppress parameter specifies the IPFilter logging behavior for identical log records. When this feature is enabled (the value is 1), IPFilter suppresses identical log records: instead of writing duplicate records, it writes the record once together with a count N, where N is the number of times the record was repeated. If this feature is disabled, IPFilter writes all log records, including duplicate records.
Configuring kernel tunable parameters using ndd On HP-UX 11i v1 and HP-UX 11i v2 systems, use the ndd utility to configure and view the following IPFilter kernel tunable parameters: ipl_buffer_sz ipl_suppress ipl_logall cur_iplbuf_sz (read only) On HP-UX 11i v1, you can also use the ndd utility to configure and view the ipf_icmp6_passthru parameter, as described in Section (page 83). NOTE: You cannot add the IPFilter ndd variables to the ndd configuration file read at system startup time (/etc/rc.config.
Enabling and disabling NAT functionality The ipnat_enable tunable enables or disables NAT functionality. By default, this tunable is set to 1. If you do not use NAT functionality, disabling this tunable improves performance. NOTE: This tunable is available only on HP-UX 11i v3.
D HP-UX IPFilter static linking Overview IPFilter has two kernel modules: pfil, a STREAMS module, and ipf, a WSIO pseudo-driver. These are dynamically loadable kernel modules. When IPFilter is installed on an HP-UX system using swinstall, these two modules are loaded and configured as dynamically linked modules. They can be loaded and unloaded when required without shutting down the system, as long as the modules are not currently in use.
2. Use the kmsystem command to find the status of each module. See the kmsystem(1M) manpage for more detail. For example:
$ kmsystem -q pfil
Module      Configured  Loadable
pfil        Y           Y
The output is similar for the ipf module. This output shows that the pfil module is loadable.
3. Use the kmsystem command to set the loadable parameter to N.
$ kmsystem -l N -c Y ipf
$ kmsystem -q ipf
Module      Configured  Loadable
ipf         Y           N
$ kmsystem -l N -c Y pfil
4.
E Performance guidelines

System configuration

The following are four suggestions for HP-UX system configuration for optimal performance:

Figure 8 Processing packets through a system

Table 5 Processing packets through a system
Packets from the internet                      Packets to the internet
1 Packets enter the system                     5 Packets enter the system
2 Processed by inbound IPFilter processing     6 Processed by inbound IPFilter processing
3 Processed by outbound IPFilter processing    7 Processed by outbound IPFilter proce
You do not need to flush and reload an entire ruleset to modify some rules within the ruleset. Adding rules that already exist slows processing. If you are modifying a large ruleset, follow these steps: 1. Find the difference between the new ruleset and the current ruleset using the diff command. 2. Delete the old rules using the ipf -rf command. 3. If your ruleset contains keep limit rules, modify the rules with the ipf -f command. 4. Add the new rules using the ipf -f command.
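The four-step procedure above (diff the rulesets, remove the old rules with ipf -rf, add the new ones with ipf -f) is easy to get wrong by hand on a large file, and the text also warns that loading rules which already exist only slows rule searches. The script below is an added example, not code from this guide or from the IPFilter project, that produces the two rule lists the procedure needs. It assumes one rule per line, that # starts a comment, and that two rules are the same when their whitespace-normalised text is identical; the comparison is textual only, so a rule rewritten with equivalent but reordered keywords is reported as removed and re-added. The sample rulesets are constructed and reuse addresses from the guide's own examples.

```python
"""Compute the rule-level difference between the running ruleset and a
revised rules file, for use with `ipf -rf` (remove) and `ipf -f` (add).

Added example: not code from the HP-UX IPFilter guide or the IPFilter
project. Textual comparison only; sample rulesets are constructed.
"""


def normalise(line):
    """Drop comments and collapse whitespace so cosmetic edits are not changes."""
    return " ".join(line.split("#", 1)[0].split())


def load_rules(text):
    """Ordered list of normalised rules; blank and comment-only lines are skipped."""
    return [r for r in (normalise(ln) for ln in text.splitlines()) if r]


def find_duplicates(text):
    """Rules listed more than once in a file: loading them twice lengthens
    every rule search without changing what is permitted."""
    seen, dups = set(), []
    for r in load_rules(text):
        if r in seen and r not in dups:
            dups.append(r)
        seen.add(r)
    return dups


def diff_rulesets(current_text, new_text):
    """Return (to_remove, to_add): rules only in the current set and rules
    only in the new set, each in file order and without repeats."""
    current, new = load_rules(current_text), load_rules(new_text)
    current_set, new_set = set(current), set(new)
    to_remove = list(dict.fromkeys(r for r in current if r not in new_set))
    to_add = list(dict.fromkeys(r for r in new if r not in current_set))
    return to_remove, to_add


def write_change_files(to_remove, to_add, remove_path, add_path):
    """Write the two lists as rules files for `ipf -rf` and `ipf -f`."""
    for path, rules in ((remove_path, to_remove), (add_path, to_add)):
        with open(path, "w") as fh:
            fh.write("\n".join(rules) + ("\n" if rules else ""))


# Constructed sample: one keep limit value changes, one rule is new, and one
# rule is accidentally listed twice in the revised file.
CURRENT_RULES = """\
pass in quick proto tcp from 15.13.103.72 to any keep limit 80
pass in quick proto tcp from 15.13.103.7 to any keep limit 33
block in log quick from 127.0.0.0/8 to any group 100
"""

NEW_RULES = """\
# revised ruleset
pass in quick proto tcp from 15.13.103.72   to any keep limit 80   # unchanged (spacing only)
pass in quick proto tcp from 15.13.103.7 to any keep limit 50      # limit raised
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from any to 127.0.0.0/8 group 100               # accidental duplicate
"""

if __name__ == "__main__":
    remove, add = diff_rulesets(CURRENT_RULES, NEW_RULES)
    print("rules to remove (ipf -rf remove.conf):", *remove, sep="\n  ")
    print("rules to add (ipf -f add.conf):", *add, sep="\n  ")
    print("duplicates in revised file:", find_duplicates(NEW_RULES))
```

After write_change_files() has produced remove.conf and add.conf, run ipf -rf remove.conf and then ipf -f add.conf, and check the result with ipfstat -in and ipfstat -on. Because ipf -f appends rules to the list, a ruleset that relies on last-match ordering (rules without quick) may need the new rules placed differently from where they sit in the revised file; verify the listing rather than assuming the position.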
• Consolidate rules whenever possible, to minimize searching. For example:
pass in quick proto tcp from 15.13.103.72 to any keep limit 80
pass in quick proto tcp from 15.13.103.0-15.13.103.6 to any keep limit 44
pass in quick proto tcp from 15.13.103.7 to any keep limit 33
pass in quick proto tcp from 15.13.103.
Figure 9 System operation Performance monitoring The performance of an IPFilter system depends primarily on four major factors: • Number and length of rule searches (rule organization) • Types of rules • Network traffic • System configuration Monitor your system performance to ensure proper operation. HP recommends the following: • Use ipfstat -ioh to monitor the rule searches. If a rule has a high hit count, this indicates that the rule can be optimized.