HP-UX IPFilter Version 15.01 Administrator's Guide
TIP: Using the quick keyword also enables you to order rules from most specific to least
specific.
on: Filtering by Network Interfaces
The on keyword directs IPFilter to apply a rule to the specified network interface only.
The syntax for specifying the on keyword is as follows:
on interface_name
where:
interface_name is a physical network interface name, such as lan0.
NOTE: The interface_name must be a physical interface name, such as lan0. It cannot be
a logical interface name, such as lan0:1.
For example, your system has two interfaces, lan0 and lan1, and you want to block packets
received on the lan0 interface. You configure the following rules:
block in quick on lan0 all
pass in all
The on keyword in the first rule specifies that the rule applies only to packets processed for the
named interface, lan0; because the direction for this rule is in, the rule applies only to inbound
packets received on lan0, which IPFilter blocks. If the system receives an inbound packet on
another interface, such as lan1, the first rule does not match. The second rule matches and
IPFilter allows the packet to pass.
You can also filter traffic using both IP addresses and network interface names. For example,
you want IPFilter to allow all inbound packets received from the subnet 192.168.0.0/16 only
if they are received on lan1. Configure the following rules:
pass in quick on lan1 from 192.168.0.0/16 to any
block in from 192.168.0.0/16 to any
The first rule allows packets from the 192.168.0.0/16 subnet to pass if they are received on
the lan1 interface. The on lan1 specification directs IPFilter to pass these packets only if they
are received on the lan1 interface. If the system receives a packet from the 192.168.0.0/16
subnet on any other interface, the packet matches the second rule and IPFilter blocks it.
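The two rule sets above, run through a small simulator of IPFilter's matching semantics. This is an added example written for this page, not HP-UX or ipf code. It assumes IPFilter's evaluation order (every rule is examined and the last matching rule decides, unless a matching rule carries quick, which ends processing at that rule) and IPFilter's default of passing a packet that matches no rule; the packet tuples and source addresses are constructed, and only the rule keywords used on this page (in/out, quick, on, all, from ... to any) are parsed.

```python
"""Simulator of HP-UX IPFilter rule matching for the ``on`` keyword examples.

Added example (not HP-UX or ipf code). Models:
  * rule order: every rule is examined and the LAST matching rule decides,
    unless a matching rule carries ``quick``, which ends the walk immediately;
  * the ``in``/``out`` direction, ``on <physical interface>``, ``all`` and
    ``from <cidr> to any`` selectors used on this page;
  * IPFilter's default of passing a packet that matches no rule (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                             # "pass" or "block"
    direction: str                          # "in" or "out"
    quick: bool                             # stop processing on match
    iface: Optional[str]                    # "lan0", or None for any interface
    src: Optional[ipaddress.IPv4Network]    # None means "from any"

    def matches(self, direction: str, iface: str, src_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.iface is not None and self.iface != iface:
            return False
        if self.src is not None and ipaddress.ip_address(src_ip) not in self.src:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf rule syntax used on this page."""
    tokens = line.split()
    action, direction = tokens[0], tokens[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    quick, iface, src = False, None, None
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "quick":
            quick, i = True, i + 1
        elif tok == "on":
            iface = tokens[i + 1]
            if ":" in iface:   # lan0:1 is a logical interface; only lan0 is allowed
                raise ValueError(f"on requires a physical interface, got {iface!r}")
            i += 2
        elif tok == "all":
            i += 1
        elif tok == "from":
            src = None if tokens[i + 1] == "any" else ipaddress.ip_network(tokens[i + 1])
            i += 2
        elif tok == "to":      # only "to any" is modelled here
            i += 2
        else:
            raise ValueError(f"unsupported keyword {tok!r} in rule: {line!r}")
    return Rule(action, direction, quick, iface, src)


def evaluate(rules, direction: str, iface: str, src_ip: str):
    """Return (decision, 1-based index of the deciding rule, or None if no rule matched)."""
    decision, winner = "pass", None          # no match: IPFilter passes the packet
    for n, rule in enumerate(rules, 1):
        if rule.matches(direction, iface, src_ip):
            decision, winner = rule.action, n
            if rule.quick:                   # quick: this rule is final
                break
    return decision, winner


# The two rule sets from the text.
EXAMPLE_1 = ["block in quick on lan0 all", "pass in all"]
EXAMPLE_2 = ["pass in quick on lan1 from 192.168.0.0/16 to any",
             "block in from 192.168.0.0/16 to any"]


def demo() -> dict:
    """Constructed packets (direction, interface, source address) run through both sets."""
    r1 = [parse_rule(l) for l in EXAMPLE_1]
    r2 = [parse_rule(l) for l in EXAMPLE_2]
    no_quick = [parse_rule("block in on lan0 all"), r1[1]]   # example 1 with quick removed
    return {
        "ex1_in_lan0":   evaluate(r1, "in", "lan0", "10.1.1.1"),        # ("block", 1)
        "ex1_in_lan1":   evaluate(r1, "in", "lan1", "10.1.1.1"),        # ("pass", 2)
        "ex1_out_lan0":  evaluate(r1, "out", "lan0", "10.1.1.1"),       # ("pass", None)
        "ex1_no_quick":  evaluate(no_quick, "in", "lan0", "10.1.1.1"),  # ("pass", 2): last match wins
        "ex2_in_lan1":   evaluate(r2, "in", "lan1", "192.168.5.9"),     # ("pass", 1)
        "ex2_in_lan0":   evaluate(r2, "in", "lan0", "192.168.5.9"),     # ("block", 2)
        "ex2_other_net": evaluate(r2, "in", "lan0", "10.1.1.1"),        # ("pass", None)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

The ex1_no_quick case is the point of the TIP above: with quick removed from the first rule, the inbound lan0 packet still matches block in on lan0 all, but the later pass in all also matches and, as the last match, overrides it. Adding quick to the specific rule is what lets it be placed first and still win.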
Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces 29