HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in quick on lan0 from 20.20.20.0/24 to any
pass in all
Using bidirectional filtering
You can use bidirectional filtering to limit packets leaving a system to those that come from a
specific subnet. For example, to limit traffic passing out of the IPFilter system to packets coming
from the 20.20.20.0/24 subnet, configure the following rules:
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
If a packet originates from IP address 20.20.20.1/32, it is sent out by the first rule. If a packet
originates from IP address 1.2.3.4/32, it is blocked by the second rule.
You can also configure similar rules for non-routable addresses. If a system routes a packet through
IPFilter with a destination of 192.168.0.0/16, you can drop it to save bandwidth. Use the following
ruleset:
block out quick on lan0 from any to 192.168.0.0/16
block out quick on lan0 from any to 172.16.0.0/12
block out quick on lan0 from any to 10.0.0.0/8
This enhances the security of other systems. Spoofed packets cannot be sent from your site.
NOTE: The in and out directions refer to the IPFilter system only.
Using HP-UX IPFilter with end system security features
You can use HP-UX IPFilter on end systems to complement the local security features already in place there.
The following example is a ruleset configured to run on a system that also uses TCP Wrapper to
protect the network services.
pass in quick on lan0 all
pass out quick on lan0 all
block in log all
block out all
pass in quick proto tcp from any to any port = 113 flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags
This IPFilter ruleset provides enhanced protection for the system and services using TCP Wrapper.
Any security holes left by TCP Wrapper are plugged.
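To make the rule-walking behaviour of these rulesets concrete, the following Python model (added here as an illustration; it is not HP's code and not part of the ipf implementation) parses the rules shown in this section, including the rulesets under "Using bidirectional filtering", and evaluates constructed sample packets against them. It assumes the documented ipf semantics: rules are walked in order, the last matching rule decides unless a matching rule is marked quick, which ends the walk at that rule, and a packet matched by no rule passes. Interface names, addresses and packets in the block are constructed samples; flags, keep state and keep frags are accepted but not modelled.

```python
"""Minimal model of IPFilter rule evaluation (illustration only, not HP's code).
Supports the subset of ipf.conf syntax used on this page: pass/block, in/out,
quick, log, on <iface>, proto <p> (or p1/p2), from/to <net|any>,
port = N, port N >< M.  'flags' and 'keep state/frags' are accepted, not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Net = ipaddress.IPv4Network
PortMatch = Callable[[int], bool]


@dataclass
class Rule:
    text: str
    action: str           # "pass" or "block"
    direction: str        # "in" or "out" (relative to the IPFilter system)
    quick: bool           # stop walking the list when this rule matches
    log: bool
    iface: Optional[str]  # None = any interface
    proto: Optional[str]  # None = any protocol; "tcp/udp" = either
    src: Net
    dst: Net
    sport: PortMatch
    dport: PortMatch


@dataclass
class Packet:                 # constructed sample packet, not a real capture
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr(tok: str) -> Net:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def _port_spec(tokens: List[str]) -> PortMatch:
    """Consume '= N' or 'N >< M' (the token after 'port' onward)."""
    first = tokens.pop(0)
    if first == "=":
        n = int(tokens.pop(0))
        return lambda p: p == n
    lo, op, hi = int(first), tokens.pop(0), int(tokens.pop(0))
    if op == "><":            # exclusive range: lo < port < hi
        return lambda p: lo < p < hi
    raise ValueError(f"unsupported port operator {op!r}")


def parse_rule(text: str) -> Rule:
    tokens = text.split()
    action, direction = tokens.pop(0), tokens.pop(0)
    quick = log = False
    iface = proto = None
    src = dst = _addr("any")
    sport = dport = lambda p: True
    side = "src"              # which side a following 'port' clause applies to
    while tokens:
        tok = tokens.pop(0)
        if tok == "quick":
            quick = True
        elif tok == "log":
            log = True
        elif tok == "on":
            iface = tokens.pop(0)
        elif tok == "proto":
            proto = tokens.pop(0)
        elif tok == "from":
            src, side = _addr(tokens.pop(0)), "src"
        elif tok == "to":
            dst, side = _addr(tokens.pop(0)), "dst"
        elif tok == "port":
            if side == "src":
                sport = _port_spec(tokens)
            else:
                dport = _port_spec(tokens)
        elif tok == "all":
            pass
        elif tok in ("flags", "keep"):
            break             # TCP flag and state options are not modelled
        else:
            raise ValueError(f"unsupported token {tok!r} in: {text}")
    return Rule(text, action, direction, quick, log, iface, proto, src, dst, sport, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and (rule.proto is None or pkt.proto in rule.proto.split("/"))
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.sport(pkt.sport) and rule.dport(pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the list; the last matching rule decides unless a matching rule
    is 'quick', which ends the walk.  No match at all means pass."""
    decision, winner = "pass", None
    for rule in rules:
        if matches(rule, pkt):
            decision, winner = rule.action, rule
            if rule.quick:
                break
    return decision, (winner.text if winner else "<no match: default pass>")


# Rulesets from this page, parsed into Rule objects.
INGRESS = [parse_rule(r) for r in (
    "block in quick on lan0 from 10.0.0.0/8 to any",
    "block in quick on lan0 from 127.0.0.0/8 to any",
    "block in quick on lan0 from 20.20.20.0/24 to any",
    "pass in all")]
EGRESS = [parse_rule(r) for r in (
    "pass out quick on lan0 from 20.20.20.0/24 to any",
    "block out quick on lan0 from any to any")]
TCPWRAPPER = [parse_rule(r) for r in (
    "pass in quick on lan0 all",
    "pass out quick on lan0 all",
    "block in log all",
    "block out all",
    "pass in quick proto tcp from any to any port = 113 flags S keep state",
    "pass in quick proto tcp from any to any port = 22 flags S keep state",
    "pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state",
    "pass out quick proto icmp from any to any keep state",
    "pass out quick proto tcp/udp from any to any keep state keep frags")]

if __name__ == "__main__":
    for pkt in (Packet("out", "lan0", "tcp", "20.20.20.1", "1.1.1.1", 1025, 80),
                Packet("out", "lan0", "tcp", "1.2.3.4", "1.1.1.1", 1025, 80)):
        print(pkt.src, "->", evaluate(EGRESS, pkt))
```

Running the two sample packets through EGRESS reproduces the text: 20.20.20.1 leaves by the first rule, 1.2.3.4 is stopped by the second. The TCP Wrapper ruleset is the more instructive case: the two quick pass rules on lan0 short-circuit everything on that interface, while on any other interface the non-quick "block in log all" is overridden only by a later quick pass rule for port 113, port 22 or the 39999 >< 45000 range, so a connection to port 80 there is logged and dropped.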
Using bidirectional filtering 59