HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
Filtering: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
2. Verify HP-UX IPFilter is correctly loaded.
On HP-UX 11i v2 and HP-UX 11i v3:
# kcmodule -v -q pfil
# kcmodule -v -q ipf
Verify that the state is loaded.
Step 4: (Optional) Modifying kernel tunable parameters
HP-UX IPFilter supports kernel tunable parameters that affect IPFilter logging behavior and the
IPFilter state table. For information about modifying the parameters, see Appendix C (page 117).
In addition, Chapter 11 (page 78) describes system kernel tunable parameters that control ICMP
features and how to configure the parameters to optimize security.
NOTE: The HP-UX IPFilter installation script disables subnet broadcast packet forwarding by
setting the kernel tunable parameter ip_forward_directed_broadcasts to 0. HP recommends
that you leave this feature disabled unless you have a specific need for your node to forward subnet
broadcast packets. Attackers can use subnet broadcast packet forwarding to amplify
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Removing HP-UX IPFilter
Use the following procedure to remove HP-UX IPFilter.
1. On HP-UX 11i v3 systems, disable HP-UX IPFilter:
/opt/ipf/bin/ipfilter -d
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network
connectivity is not disruptive. Additionally, HP recommends that you do not enable or disable
HP-UX IPFilter when critical network applications are running.
IMPORTANT: Disabling or enabling IPFilter brings down all IP interfaces, and then brings
up only the IP interfaces configured in the /etc/rc.config.d/netconf and
/etc/rc.config.d/netconf-ipv6 files. IP addresses not configured in the netconf or
netconf-ipv6 file, such as Serviceguard relocatable IP addresses, are not re-enabled.
IMPORTANT: Enabling or disabling IPFilter causes the system to briefly lose network
connectivity. If a system has several IP interfaces or heavy network traffic occurs, the time
required to re-establish network connectivity might be interpreted as a network or card failure.
For example, Serviceguard might interpret a network interruption as a card failure, which can
cause it to reform the cluster.
2. Remove HP-UX IPFilter:
swremove IPFilter
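A pre-check for the IMPORTANT note in step 1, as an added example that is not part of the HP guide: it lists live IPv4 addresses that have no entry in netconf and so would not be re-enabled after IPFilter is disabled or enabled. The function names and sample data are constructed for illustration, and the script assumes netconf IPv4 entries use the IP_ADDRESS[n]=value form; netconf-ipv6 is not covered.

```shell
#!/bin/sh
# Added example (not from the HP guide). Assumes IPv4 entries in netconf
# use the IP_ADDRESS[n]=value form; netconf-ipv6 is not parsed here.

# Print the value of every uncommented IP_ADDRESS[n]= assignment in file $1.
netconf_addrs() {
    sed 's/#.*//' "$1" | tr -d "\"'" |
        sed -n 's/^[[:space:]]*IP_ADDRESS\[[0-9]*]=\([^[:space:]]*\).*/\1/p' |
        grep . | sort -u
}

# $1 = netconf path; live IPv4 addresses arrive on stdin, one per line
# (for example, collected by the operator from `netstat -in`).
# Prints each live address that has no IP_ADDRESS[n] entry in the file.
addrs_not_restored() {
    conf=$(netconf_addrs "$1")
    while read -r addr; do
        [ -n "$addr" ] || continue
        [ "$addr" = "127.0.0.1" ] && continue   # loopback is skipped in this example
        printf '%s\n' "$conf" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
    done
}

# Constructed sample: two configured addresses plus one address
# (192.168.1.50) that is live but absent from netconf.
demo() {
    sample="${TMPDIR:-/tmp}/netconf.sample.$$"
    cat > "$sample" <<'EOF'
INTERFACE_NAME[0]=lan0
IP_ADDRESS[0]=192.168.1.10
SUBNET_MASK[0]=255.255.255.0
INTERFACE_NAME[1]="lan1"
IP_ADDRESS[1]="10.0.0.10"   # quoted value with trailing comment
# IP_ADDRESS[2]=192.168.1.50
EOF
    addrs_not_restored "$sample" <<'EOF'
192.168.1.10
10.0.0.10
192.168.1.50
127.0.0.1
EOF
    rm -f "$sample"
}

demo
```

Any address this prints has to be re-added by whatever manages it (Serviceguard, in the guide's example) once the interfaces are back up.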