HP-UX IPFilter Version 15.01 Administrator's Guide
1 Overview
HP-UX IPFilter, product number B9901AA version 15.01, is a TCP/IP packet filter suitable for
use as a system firewall. The version strings are as follows:
HP-UX IPFilter Version String    OS Version
A.11.31.15.01                    HP-UX 11i v3
A.11.23.15.01                    HP-UX 11i v2
A.11.11.15.01                    HP-UX 11i v1
HP-UX IPFilter functions as a firewall by examining and limiting packets allowed in and out of
an HP-UX system, which can be either an end node or an IP router. Although HP-UX IPFilter is
a superset of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product
(developed by Darren Reed), HP does not support some of the perimeter firewall features in that
release, such as firewall stealth (fastroute). If you are using features that are not supported
by HP, you can request support from the open source IPFilter web site at the following URL:
http://caligula.anu.edu.au/~avalon
For a complete list of commands and utilities that are not supported by HP, see “Supported and
Unsupported Features” (page 18).
HP-UX IPFilter version 15.01 is available from the HP Software Depot at the following URL:
http://www.software.hp.com.
Benefits and Features
HP-UX IPFilter provides the following key benefits:
• Protects an individual host on an intranet against internal attacks
• Protects an individual host on an intranet against external attacks that have breached
perimeter defenses
• Provides an alternative to the restricted configuration of Internet Services
• Protects a bastion host on the perimeter of a private network or in the “demilitarized zone”
(DMZ)
The following major features are included with HP-UX IPFilter:
• Explicitly permit or deny a packet from passing through based on:
— IP address or a range of IP addresses
— IP protocol (IP/TCP/UDP)
— IP fragments
— IP options
— IP security classes
— TCP ports and port ranges
— UDP ports and port ranges
— ICMP message type and code
— Combination of TCP flags
— Network interface
• Control incoming TCP connections through Dynamic Connection Allocation (DCA)
• Support for NAT, which lets an intermediate HP-UX system act as a translator of IP addresses
and network ports
• Send back ICMP error/TCP reset messages for blocked packets
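As an added example that is not part of this guide, the ruleset below shows how an ipf.conf rule can name the criteria listed above (network interface, protocol, addresses, ports, TCP flags, ICMP type and code, fragments and IP options) and how the ICMP-error and TCP-reset responses for blocked packets are requested. It assumes the interface is lan0, takes the file path as /etc/opt/ipf/ipf.conf, and uses the constructed addresses 192.0.2.10 (this host) and 192.0.2.0/24 (management subnet); IP security classes, DCA and NAT are not shown.

```conf
# Added example ruleset for a single HP-UX host (not from the guide).
# Assumptions: interface lan0, host address 192.0.2.10, management subnet
# 192.0.2.0/24 (constructed). Rules are evaluated top to bottom; "quick"
# stops evaluation at the first matching rule.

# Default policy: drop and log anything no later rule explicitly passes.
block in log all
block out log all

# Never filter the loopback interface.
pass in  quick on lo0 all
pass out quick on lo0 all

# Drop IP fragments and packets carrying source-routing options first.
block in quick on lan0 all with frag
block in quick on lan0 all with opt lsrr
block in quick on lan0 all with opt ssrr

# Outbound: allow what this host initiates; keep state so replies return.
pass out quick on lan0 proto tcp  from 192.0.2.10/32 to any flags S/SA keep state
pass out quick on lan0 proto udp  from 192.0.2.10/32 to any keep state
pass out quick on lan0 proto icmp from 192.0.2.10/32 to any keep state

# Inbound TCP: SSH only from the management subnet; only a SYN creates state.
pass in quick on lan0 proto tcp from 192.0.2.0/24 to 192.0.2.10/32 port = 22 flags S/SA keep state

# Inbound TCP: reject telnet with a TCP reset instead of a silent drop,
# and log the attempt so it appears in ipmon output.
block return-rst in log quick on lan0 proto tcp from any to 192.0.2.10/32 port = 23

# Inbound UDP: answer everything else with an ICMP port-unreachable.
block return-icmp(port-unr) in quick on lan0 proto udp from any to 192.0.2.10/32

# Inbound ICMP: allow echo request (type 8, code 0) only; all other ICMP
# falls through to the default block above.
pass in quick on lan0 proto icmp from any to 192.0.2.10/32 icmp-type 8 code 0
```

Load the rules with ipf -Fa -f /etc/opt/ipf/ipf.conf and confirm them with ipfstat -io; watch blocked traffic with ipmon to verify the reset and port-unreachable responses are generated as intended.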
Benefits and Features 17