HP-UX IPFilter Version 15.01 Administrator's Guide

Filtering on a Package IP Address
HP-UX IPFilter can filter on a package IP address. The package IP address is an IP address that
corresponds to a logical network interface.
For example, a telnet connection is made to the primary cluster node with a package IP address
of 17.13.24.105. You want to configure IPFilter to let telnet traffic through. Configure the
following rule for incoming telnet connections made to the telnet package:
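    pass in proto tcp from any to 17.13.24.105 flags S keep state

As written, the rule matches on the destination address only, so it passes any TCP connection to the package address, not just telnet.
You can replace 17.13.24.105 with the package name in this rule if the package has been configured
properly and has a DNS entry.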
Configure this rule on the backup nodes as well. This ensures that when the telnet package
fails over to a backup node, there is a rule on that node that lets telnet connections pass through as
required.
This type of configuration can be used with any package.
Mandatory Rules
Each node in a Serviceguard cluster has specific rules that must be configured. These rules ensure
that:
- Normal remote failovers are not disrupted.
- No false remote failovers occur because traffic is blocked by IPFilter that should not be
  blocked.
The classes of mandatory rules cover:
- Intra-Cluster Communication
- Quorum Server
- Remote Command Execution
- Cluster Object Manager
- Serviceguard Manager
The following services should not be blocked:
    hacl-qs     1238/tcp   # High Availability (HA) Quorum Server
    clvm-cfg    1476/tcp   # HA LVM configuration
    hacl-hb     5300/tcp   # High Availability (HA) Cluster heartbeat
    hacl-hb     5300/udp   # High Availability (HA) Cluster heartbeat
    hacl-gs     5301/tcp   # HA Cluster General Services
    hacl-cfg    5302/tcp   # HA Cluster TCP configuration
    hacl-cfg    5302/udp   # HA Cluster UDP configuration
    hacl-probe  5303/tcp   # HA Cluster TCP probe
    hacl-probe  5303/udp   # HA Cluster UDP probe
    hacl-local  5304/tcp   # HA Cluster commands
    hacl-test   5305/tcp   # HA Cluster test
    hacl-dlm    5408/tcp   # HA Cluster distributed lock manager
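
An added example (not from the HP guide): a POSIX shell function that reads an IPFilter rules file and lists the services from the table above that no explicit pass rule covers, so the same check can be run on every cluster node. The function name, the sample addresses and the sample rules are constructed for illustration. As a simplification it only recognises a destination "port = N" (or service name) clause and ignores rule direction and port ranges.

```shell
# Added example, not HP's code. Service list copied from the table above.
SG_SERVICES='hacl-qs 1238/tcp
clvm-cfg 1476/tcp
hacl-hb 5300/tcp
hacl-hb 5300/udp
hacl-gs 5301/tcp
hacl-cfg 5302/tcp
hacl-cfg 5302/udp
hacl-probe 5303/tcp
hacl-probe 5303/udp
hacl-local 5304/tcp
hacl-test 5305/tcp
hacl-dlm 5408/tcp'

# uncovered_sg_ports FILE  (hypothetical helper name)
# Prints "name port/proto" for each service with no matching pass rule in FILE.
uncovered_sg_ports() {
    printf '%s\n' "$SG_SERVICES" | awk -v rules="$1" '
    { split($2, a, "/"); name[NR] = $1; pp[NR] = $2; key[NR] = a[2] "/" a[1]; num[$1] = a[1] }
    END {
        while ((getline line < rules) > 0) {
            sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)   # drop comments, indent
            n = split(line, f, /[ \t]+/)
            if (f[1] != "pass") continue                     # block rules never count
            proto = ""; port = ""; to = 0
            for (i = 2; i <= n; i++) {
                if (f[i] == "proto") proto = f[i + 1]
                if (f[i] == "to") to = 1                     # only the destination port
                if (to && f[i] == "port" && f[i + 1] == "=") port = f[i + 2]
            }
            if (port in num) port = num[port]                # service name -> number
            if (proto == "tcp/udp" || proto == "tcp") ok["tcp/" port] = 1
            if (proto == "tcp/udp" || proto == "udp") ok["udp/" port] = 1
        }
        for (i = 1; i <= NR; i++)
            if (!(key[i] in ok)) print name[i], pp[i]
    }'
}

# Constructed sample rules (192.0.2.11 stands in for a peer cluster node).
sample=$(mktemp)
cat > "$sample" <<'EOF'
pass in quick proto tcp from 192.0.2.11 to any port = 5300 flags S keep state
pass in quick proto udp from 192.0.2.11 to any port = hacl-hb keep state
block in proto tcp from any to any port = 5302
EOF
uncovered_sg_ports "$sample"
rm -f "$sample"
```

IPFilter applies the last matching rule unless a rule carries quick, so a service that is not reported here can still be blocked by a later or earlier quick rule; check rule order as well.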