HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
Filtering by network interfaces: on
The on keyword directs IPFilter to apply a rule to the specified network interface only.
The syntax for specifying the on keyword is as follows:
on interface_name
where:
interface_name is a physical network interface name, such as lan0.
NOTE: The interface_name must be a physical interface name such as lan0. It cannot be
a logical interface name, such as lan0:1.
For example, your system has two interfaces, lan0 and lan1, and you want to block packets
received on the lan0 interface. Configure the following rules:
block in quick on lan0 all
pass in all
The on keyword in the first rule specifies that the rule applies only to packets processed for the
named interface, lan0; because the direction for this rule is in, the rule applies only to inbound
packets received on lan0, which IPFilter blocks. If the system receives an inbound packet on
another interface, such as lan1, the first rule does not match. The second rule matches, and
IPFilter allows the packet to pass.
You can also filter traffic using both IP addresses and network interface names. For example, you
want IPFilter to allow all inbound packets received from the subnet 192.168.0.0/16 only if they
are received on lan1. Configure the following rules:
pass in quick on lan1 from 192.168.0.0/16 to any
block in from 192.168.0.0/16 to any
The first rule allows packets from the 192.168.0.0/16 subnet to pass if they are received on the
lan1 interface. The on lan1 specification directs IPFilter to pass these packets only if they are
received on the lan1 interface. If the system receives a packet from the 192.168.0.0/16 subnet
on any other interface, the packet matches the second rule, and IPFilter blocks it.
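To make the two rule sets above concrete, here is an added example (not from the HP guide) that parses this page's subset of the rule syntax in Python and evaluates constructed sample packets against it. It assumes IPFilter's usual evaluation semantics, which the page does not restate: the last matching rule decides unless a matching rule carries quick, and a packet that no rule matches is passed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    action: str            # "block" or "pass"
    direction: str         # "in" or "out"
    quick: bool            # stop evaluating when this rule matches
    iface: Optional[str]   # interface from "on"; None = any interface
    src: Optional[ipaddress.IPv4Network]  # None = "any" / "all"
    dst: Optional[ipaddress.IPv4Network]
def parse_rule(line: str) -> Rule:
    """Parse this page's subset: action direction [quick] [on iface] (all | from A to B)."""
    toks = line.split()
    quick, iface, nets, i = False, None, {"from": None, "to": None}, 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            quick, i = True, i + 1
        elif t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "all":
            i += 1
        elif t in nets:
            nets[t] = None if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return Rule(toks[0], toks[1], quick, iface, nets["from"], nets["to"])
def matches(r: Rule, direction: str, iface: str, src_ip: str, dst_ip: str) -> bool:
    return (r.direction == direction
            and (r.iface is None or r.iface == iface)
            and (r.src is None or ipaddress.ip_address(src_ip) in r.src)
            and (r.dst is None or ipaddress.ip_address(dst_ip) in r.dst))
def evaluate(rules, direction, iface, src_ip, dst_ip, default="pass") -> str:
    """Last matching rule wins, unless a matching rule has 'quick'; default applies when none match."""
    verdict = default
    for r in rules:
        if matches(r, direction, iface, src_ip, dst_ip):
            verdict = r.action
            if r.quick:
                break
    return verdict

# The two rule sets from this page, plus the first one without 'quick' for comparison.
RULESET_A = [parse_rule(l) for l in ("block in quick on lan0 all", "pass in all")]
RULESET_A_NOQUICK = [parse_rule(l) for l in ("block in on lan0 all", "pass in all")]
RULESET_B = [parse_rule(l) for l in ("pass in quick on lan1 from 192.168.0.0/16 to any",
                                     "block in from 192.168.0.0/16 to any")]
```

Evaluating RULESET_A_NOQUICK for an inbound packet on lan0 returns pass, because without quick the later `pass in all` rule is the last match; that is why the page's first rule carries quick.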
Protocol options: TCP flags, IP options and fragments, ICMP types and state information
IPFilter supports options to filter packets based on the following protocol information:
• TCP flags (flags)
• IP options (with opt and with ipopt)
• IP fragments (with frag and with short)
• ICMP type and codes (icmp-type and code)
• State information (keep state)
• IP fragments (keep frags)
Option order
If you specify protocol options, you must insert them after the ip_selector:
block|pass in|out [processing_options] [proto protocol] ip_selector [protocol_options]
The ip_selector is the from...to IP address and port number specification or the keyword
all, as defined in Section (page 16).
If you specify more than one processing option, you must specify them in the following order:
20 Configuring and loading IPv4 filter rules