HP-UX IPFilter Version 15.01 Administrator's Guide
14 HP-UX IPFilter and Serviceguard
This chapter describes configuration procedures for HP-UX IPFilter used in a Serviceguard
environment.
It contains the following sections for using HP-UX IPFilter with Serviceguard:
• “Local Failover”
• “Remote Failover”
— “Filtering on a Package IP Address”
— “Mandatory Rules”
• “DCA Remote Failover”
Using HP-UX IPFilter with Serviceguard
HP-UX IPFilter supports local failover in a Serviceguard environment.
CAUTION: NAT functionality is not supported with Serviceguard.
Local Failover
NOTE: See the Serviceguard documentation for information on configuring a local failover
system in Serviceguard.
IPFilter local failover is transparent to users. Network sessions are not disrupted during failover
or failback.
You do not need to configure any additional rules in IPFilter. When an interface fails over, the
HP-UX IPFilter rules that specify interface names are automatically changed.
For example, a node in a Serviceguard cluster has a primary interface named lan0 and a standby
interface named lan1. The following rule is configured for lan0:
pass in on lan0 proto tcp from any to any port = telnet
Upon failover, the rule is automatically modified to:
pass in on lan1 proto tcp from any to any port = telnet
The rule will be changed back automatically on failback.
All rules that filter on interface names are changed at failover and failback in both the active
ruleset and the inactive ruleset. In addition, logging reflects the changes; the standby interface
name will appear in logs and reports when it is in use.
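One way to confirm from the ruleset which interface of the pair is currently in use, as an added example that is not part of the HP guide: the script counts the rules whose "on" clause names the primary or the standby interface. It assumes the active ruleset is supplied on standard input (for instance from ipfstat -io) and inspects only the "on <ifname>" clause; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP guide): report which interface of a
# Serviceguard primary/standby pair the interface-bound rules currently name.

# count_on_iface IFACE
# Reads rules on stdin and prints how many contain "on IFACE".
count_on_iface() {
    awk -v ifn="$1" '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i == "on" && $(i + 1) == ifn) { n++; break }
        }
        END { print n + 0 }'
}

# failover_state PRIMARY STANDBY
# Reads a rule dump on stdin and prints one of:
#   primary  rules name only the primary interface
#   standby  rules name only the standby interface (failed over)
#   mixed    rules name both interfaces
#   none     no rule names either interface
failover_state() {
    rules=$(cat)
    p=$(printf '%s\n' "$rules" | count_on_iface "$1")
    s=$(printf '%s\n' "$rules" | count_on_iface "$2")
    if [ "$p" -gt 0 ] && [ "$s" -gt 0 ]; then echo mixed
    elif [ "$p" -gt 0 ]; then echo primary
    elif [ "$s" -gt 0 ]; then echo standby
    else echo none
    fi
}

# Constructed sample: a rule dump as it would look after lan0 fails over to lan1.
sample_after_failover() {
    cat <<'EOF'
# constructed sample rules
pass in on lan1 proto tcp from any to any port = telnet
block in log on lan1 proto udp from any to any
block in proto icmp from any to any
EOF
}

# On a live node: ipfstat -io | failover_state lan0 lan1
sample_after_failover | failover_state lan0 lan1   # prints "standby"
```

On a node where the standby interface has no rules of its own, a result of mixed means only part of the ruleset was changed, which the behavior described above should not produce.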
Remote Failover
HP-UX IPFilter is a system firewall and as such should be installed on end systems. Connections
to an IPFilter system that are lost during a remote failover must be reinitiated.
Install and configure HP-UX IPFilter on each node of a Serviceguard cluster that must be protected.
The IPFilter configuration for the primary node might be different from the configuration for
the backup nodes.
For example, the backup node might be multihomed and require a different ruleset. Also, rules
could be configured to filter on the static IP address of the receiving node, which is different
for each node in the cluster. Rules that filter on interface names will also differ between
nodes in a cluster.