HP-UX IPFilter Version 15.01 Administrator's Guide
where:
ip_address is the source or destination IPv4 address in decimal-dot notation. The IPv4 address
can also be a decimal value, or a hexadecimal value with the prefix 0x.
prefix is the decimal subnet prefix length. It can also be a network bitmask specified in
dotted-decimal notation.
any specifies any IP address.
To specify an address range, enter the start address and end address, separated by a dash (-).
To specify packets that do not match an address, insert an exclamation point (!) in front of the
address.
You can also specify an individual host name instead of an IP address, but you cannot use an
exclamation point or range specification with host names.
Examples
The following rule blocks all inbound packets from the 10.10.10.0 subnet to any IP address:
block in from 10.10.10.0/24 to any
The following rule blocks all inbound packets from the addresses 10.10.10.1, 10.10.10.2, and
10.10.10.3 to any IP address:
block in from 10.10.10.1-10.10.10.3 to any
The following rule blocks all inbound packets with the destination address 192.168.2.1:
block in from any to 192.168.2.1
The following rule blocks all inbound packets that do not have the destination address 10.1.1.1:
block in from any to !10.1.1.1
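The following Python checker is an added example, not part of the HP guide or of IPFilter. It evaluates the address selector forms described above against a packet address, so you can sanity-check which addresses a rule covers before loading it. The function names and sample addresses are constructed for illustration, and host names are not resolved.

```python
import ipaddress

def parse_addr(text):
    """IPv4 address as dotted-decimal, plain decimal, or 0x-prefixed hex."""
    if text.lower().startswith("0x"):
        return ipaddress.IPv4Address(int(text, 16))
    if text.isdigit():
        return ipaddress.IPv4Address(int(text))
    return ipaddress.IPv4Address(text)  # raises ValueError for host names

def selector_matches(selector, packet_addr):
    """True if packet_addr matches a from/to address selector."""
    addr = ipaddress.IPv4Address(packet_addr)
    negate = selector.startswith("!")          # "!" inverts the match
    spec = selector[1:] if negate else selector
    if spec == "any":
        hit = True
    elif "-" in spec:                          # start-end range, inclusive
        start, end = (parse_addr(p) for p in spec.split("-", 1))
        hit = start <= addr <= end
    elif "/" in spec:                          # prefix length or dotted mask
        base, prefix = spec.split("/", 1)
        mask = int(ipaddress.IPv4Network("0.0.0.0/" + prefix).netmask)
        hit = (int(addr) & mask) == (int(parse_addr(base)) & mask)
    else:                                      # single address
        hit = addr == parse_addr(spec)
    return hit != negate

# Constructed sample packet addresses.
SAMPLES = ["10.10.10.1", "10.10.10.3", "10.10.10.4",
           "10.10.11.1", "10.1.1.1", "192.168.2.1"]

def coverage(selector, addrs=SAMPLES):
    """Return the sample addresses that the selector matches."""
    return [a for a in addrs if selector_matches(selector, a)]

if __name__ == "__main__":
    # Selectors taken from the rule examples above.
    for sel in ("10.10.10.0/24", "10.10.10.1-10.10.10.3",
                "192.168.2.1", "!10.1.1.1"):
        print(f"{sel:24} matches {coverage(sel)}")
```

The negated selector matches every sample except 10.1.1.1, which shows how broad a rule with an exclamation point becomes.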
all: Specifying All IP Addresses
The all keyword is an alternative to the from and to IP address selectors and specifies all IP
addresses.
Example
block in all
IPFilter expands this rule to block in from any to any.
port: Specifying TCP and UDP Ports
You can use IPFilter to block traffic for specific TCP or UDP ports. This is useful for blocking
requests to network services such as telnet or rlogin, which are sent to the well-known or
IANA registered port number for each service.
For example, you can block incoming telnet service requests (which are sent to TCP port 23)
with the following rule:
block in proto tcp from any to any port = 23
You can also pass or block traffic on a range of ports, such as the range of dynamic port numbers
used by client telnet processes. The following is a list of operands you can use with port
numbers:
Operand  Alias  Result
<        lt     true if port is less than the specified value
>        gt     true if port is greater than the specified value
=        eq     true if port is equal to the specified value
!=       ne     true if port is not equal to the specified value
26 Configuring and Loading IPv4 Filter Rules