HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
pass in on lan0 all group 1
pass out on lan0 all
block out quick on lan1 all head 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.65/32 port = 53 keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.66/32 port = 53 keep state group 10
Because group 10 hangs off the head rule for lan1, IPFilter consults its rules only for packets matching that head rule; a packet destined for a host on the lan2 network bypasses all the rules in group 10.
Multi-level grouping is also supported, enabling IPFilter rules to be arranged in hierarchical, nested
groups. By using the head and group keywords in a rule, multi-level grouping lets you fine-tune
the range of rules a packet is checked against, improving performance. The following is an example of a multi-level rule
grouping:
pass in proto tcp from 1.0.0.0-9.0.0.0 to any port = 23 keep state head 1
pass in proto tcp from 2.0.0.0-8.0.0.0 to any port = 23 keep state head 2 group 1
pass in proto tcp from 3.0.0.0-7.0.0.0 to any port = 23 keep state head 3 group 2
pass in proto tcp from 4.0.0.0-6.0.0.0 to any port = 23 keep state head 4 group 3
pass in proto tcp from 5.0.0.0-5.5.0.0 to any port = 23 keep state group 4
You can group your rules by protocol, system, netblock, or other logical criteria that help system
performance. The maximum number of nested group levels you can configure is 128. For more
information, see Appendix E (page 124).
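To make the head/group evaluation order concrete, here is an added example (not HP's code, and not a real ipf parser): a small Python simulator that loads a constructed subset of the lan1 group-10 rules from above and evaluates packets against them, returning the verdict together with the rule lines it actually consulted, so the bypass of group 10 for lan2 traffic is visible. The same evaluator handles the nested head/group form of the multi-level example; the packet dictionary layout is an assumption of this example.

```python
import ipaddress
# Constructed sample: a subset of the page's lan1 group-10 rules (not HP's code or a real ipf parser).
RULESET = """
block out quick on lan1 all head 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.65/32 port = 53 keep state group 10
"""

def parse_rule(line):
    t = line.replace(" = ", " ").split()      # "port = 80" becomes "port 80"
    kv = dict(zip(t, t[1:]))                  # each keyword -> the token that follows it
    return {"line": line, "action": t[0], "dir": t[1], "quick": "quick" in t,
            "iface": kv.get("on"), "proto": kv.get("proto"), "src": kv.get("from", "any"),
            "dst": kv.get("to", "any"), "port": int(kv["port"]) if "port" in kv else None,
            "head": kv.get("head"), "group": kv.get("group")}

def addr_match(spec, ip):
    """'any', a CIDR block, or an a.b.c.d-e.f.g.h range: the address forms used on the page."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(ip)
    if "-" in spec:                           # inclusive range, e.g. 1.0.0.0-9.0.0.0
        lo, hi = map(ipaddress.ip_address, spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"]) and r["port"] in (None, pkt["dport"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"]))

def evaluate(rules, pkt):
    """Last match wins, 'quick' stops, and a group is consulted only after its head rule matched."""
    verdict, consulted = "pass", []           # ipf passes a packet that matches no rule
    def walk(group):                          # returns True when a quick match ends evaluation
        nonlocal verdict
        for r in rules:
            if r["group"] != group:
                continue
            consulted.append(r["line"])
            if not matches(r, pkt):
                continue
            verdict = r["action"]
            if (r["head"] is not None and walk(r["head"])) or r["quick"]:
                return True
        return False
    walk(None)
    return verdict, consulted

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
```

Call evaluate(RULES, pkt) with pkt as a dict of dir, iface, proto, src, dst and dport; an outbound lan2 packet returns "pass" after consulting only the head rule, while an outbound lan1 packet that no group-10 rule passes returns "block".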
Rule groups can also be referenced by name on HP-UX 11i v3. Referencing groups by name
makes the rule configuration more readable and lets you assign meaningful group names.
For example, if three groups correspond to the external network, the DMZ network, and the protected network,
you can refer to them by the following group names:
block in quick on lan0 all head external-group
block in quick on lan0 from 192.168.0.0/16 to any group external-group
block in quick on lan0 from 172.16.0.0/12 to any group external-group
block out quick on lan1 all head DMZ-group
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group DMZ-group
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group DMZ-group
block out quick on lan2 all head protected-group
pass out quick on lan2 proto tcp from any to 20.20.20.164/26 port = 80 flags S keep state group protected-group
pass out quick on lan2 proto tcp from any to 20.20.20.164/26 port = 21 flags S keep state group protected-group
Loading IPv4 filter rules
By default, HP-UX IPFilter starts on bootup and loads IPv4 filter rules from the /etc/opt/ipf/ipf.conf
file. If you do not want IPv4 filter rules to load on bootup, place your rules in an alternate
location and then manually load the rules using the ipf command. The following tasks are some
of the most commonly used:
• To add new rules to your ruleset from a file, use the -f option with the ipf command:
ipf -f rules_file
If a rule in the file is already loaded in the ruleset, IPFilter will print a message but continue
processing the file.
NOTE: When you load a ruleset, the new rules affect all matching packets immediately,
including packets for established connections. For example, if you load a new rule that blocks
telnet packets, IPFilter will block all telnet packets, including packets for established
telnet connections. The only exception to this behavior is for packets that match entries in
the IPFilter state table. In this case, IPFilter continues to apply the existing action (pass or block)
for these packets until the state table entry times out or is deleted (such as when the connection
is closed).
• To flush all rules from your ruleset, use the ipf -Fa command:
ipf -Fa
28 Configuring and loading IPv4 filter rules