HP-UX IPFilter V18.21 Release Notes
HP-UX 11i v3

Abstract
This document provides information about new and changed features for HP-UX IPFilter V18.21. This document is intended for anyone who installs and uses HP-UX IPFilter. The information in this document assumes that you have experience with administering an HP-UX operating system.
© Copyright 2014 Hewlett-Packard Development Company, L.P.

Legal Notices
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
HP secure development lifecycle
1 About this product
  Benefits and features
2 Enhancements in this release
3 Fixes in this release
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 About this product
HP-UX IPFilter, product number B9901AA V18.21, is a TCP/IP packet filter suitable for use as a system firewall to protect back-end servers. The firewall functions as a security defense by reducing the number of exposure points on a machine. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product (developed by Darren Reed), HP does not support some of the perimeter firewall features in that release.
• Supports NAT, which lets an intermediate HP-UX system act as a translator of IP addresses and network ports
• Sends back ICMP error/TCP reset for blocked packets
• Keeps packet state information for TCP, UDP, and ICMP
• Keeps fragment state information for any IP packet, applying the same rule to all fragments
• Drops all fragmented traffic if specified by rule
• Redirects packets for forensic analysis if specified by rule
• Creates extensive logs when required
• Supports IPv6
• Suppor
2 Enhancements in this release
This chapter discusses the new features or enhancements provided in this release.
• Support for the LARGE NAT feature in IPFilter— Enabling LARGE NAT allows fine tuning of the IPFilter NAT hash table sizes. Tuning the hash table sizes may reduce the number of hash collisions, which results in faster searches in the hash tables and increased throughput. The size of all the hash tables is 127 by default. The sizes can be tuned using kctune parameters.
3 Fixes in this release
This chapter discusses the defects fixed in this release.
4 Compatibility information and installation requirements
Software requirements
The system must have the standard HP-UX 11i v3 core products installed.
• 135—Neighbor solicitation
• 136—Neighbor advertisement

Disk space required for installation
This product requires 10MB of disk space.
5 Issues and solutions
• Using the pps option with keep state
The rate-based filtering option pps is applied only to the first occurrence of the packet for which state is stored. That is, after a state entry is added to the state table, rate-based filtering no longer applies. For example:

    pass in quick proto tcp from any to 10.2.2.2/32 port = 80 flags S keep state pps 10

In the above example, rate-based filtering is applied to the incoming connection (SYN packet) only.
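The following Python model is an added example, not code from the release notes or from IPFilter, that shows the operational consequence of this behaviour: the pps value caps how many new connections per second the rule admits, while every packet that matches an existing state entry passes without ever being rate limited. The token bucket, the state-table-before-rules lookup order, and the traffic are assumptions constructed for the illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# syn_only: True for a bare SYN (what 'flags S' matches); t: arrival time in s
Packet = namedtuple("Packet", "src sport dst dport syn_only t")


@dataclass
class RateLimitedStatefulRule:
    """Model of 'pass in quick proto tcp ... flags S keep state pps N'."""
    dst: str
    dport: int
    pps: int
    tokens: float = 0.0   # assumed token bucket, refilled at pps per second
    last: float = 0.0
    state: set = field(default_factory=set)   # established 4-tuples

    def __post_init__(self):
        self.tokens = float(self.pps)   # bucket starts full

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        # 1. State table first: an established flow passes without revisiting
        #    the rule, so the pps limit never applies to it.
        if key in self.state:
            return "pass (state)"
        # 2. Rule match: only SYNs to dst:dport are candidates.
        if not (p.syn_only and p.dst == self.dst and p.dport == self.dport):
            return "no match"
        # 3. Token bucket: refill at pps tokens per second, capped at pps.
        self.tokens = min(self.pps, self.tokens + (p.t - self.last) * self.pps)
        self.last = p.t
        if self.tokens < 1:
            return "block (pps)"
        self.tokens -= 1
        self.state.add(key)   # new connection: state entry created
        return "pass (new)"


def simulate() -> dict:
    """Constructed traffic: a SYN burst, then a flood inside one passed flow."""
    rule = RateLimitedStatefulRule(dst="10.2.2.2", dport=80, pps=10)
    counts = {"pass (new)": 0, "block (pps)": 0, "pass (state)": 0, "no match": 0}
    # 20 connection attempts from distinct source ports within 1 ms
    for i in range(20):
        counts[rule.filter(Packet("192.0.2.7", 40000 + i, "10.2.2.2", 80, True, i * 5e-5))] += 1
    # 100 non-SYN segments on the first (passed) connection within 10 ms
    for i in range(100):
        counts[rule.filter(Packet("192.0.2.7", 40000, "10.2.2.2", 80, False, 1e-3 + i * 1e-4))] += 1
    # one non-SYN segment on a blocked attempt: no state entry, no rule match
    counts[rule.filter(Packet("192.0.2.7", 40015, "10.2.2.2", 80, False, 0.02))] += 1
    return counts
```

Only 10 of the 20 SYNs pass; all 100 segments on the admitted connection pass via the state table, so a pps rule with keep state bounds connection setup rate, not the packet rate of established flows.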
6 Other product information
Supported and unsupported interfaces
The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION: For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces. HP-UX IPFilter is not tested with any third-party products.

Table 1 HP-UX IPFilter supported interfaces

IPFilter version: A.11.31.18.21
Supported interfaces:
• Gigabit Ethernet (1000Base-T)
• 10 Gigabit Ethernet
• APA
• VLAN
• FDDI
• Token Ring
• X.25 (supported on HP-UX 11i v3 only)

IPFilter version: A.11.xx.17.xx
Supported interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• 10 Gigabit Ethernet
• APA
• VLAN
• FDDI
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)
• X.

IPFilter versions: A.03.05.10.02, A.03.05.10.04, A.03.05.06.v2, and open source versions A.03.05.09, A.03.05.08, A.03.05.07, A.03.05.
Supported interfaces:
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• The fr_limitmax tunable has been deprecated and is no longer used to control the number of limit entries that can be created on the system.
• The ipfstat command does not support authorization statistics.

Features not supported with IPv6
The following features are not supported with IPv6:
• Dynamic Connection Allocation (DCA) (the configuration of the IPv6 keep limit rules is not allowed.
7 Support and other resources
Contacting HP
Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

HP contact information
For the name of the nearest HP authorized reseller, see the Contact HP worldwide (in Engl
For more information on configuring and using HP-UX IPFilter, see the HP-UX IPFilter Version 18.21 Administrator Guide at the HP Support Center. For information about HP-UX Bastille, see the HP-UX Bastille Version User Guide at the HP Support Center.

Typographic conventions
This document uses the following typographical conventions:
%, $, or #    A percent sign represents the C shell system prompt. A dollar sign represents the system prompt for the Bourne, Korn, and POSIX shells.