HP-UX IPFilter Version 15.01 Administrator's Guide
Loading IPv6 Filter Rules
By default, HP-UX IPFilter starts on bootup and loads IPv6 filter rules from the
/etc/opt/ipf/ipf6.conf file. If you do not want IPFilter to load IPv6 filter rules at bootup,
place your rules in an alternate location and then manually load the rules using the ipf command.
To load, flush, and switch the IPv6 filter rulesets, insert the -6 option before the other ipf ruleset
options. For example, to add new IPv6 rules to your ruleset from a file, use the -6 and -f
options with the ipf command:
ipf -6 -f rules_file
NOTE: When you load a ruleset, the new rules affect all matching packets immediately, including
packets for established connections. For example, if you load a new rule that blocks telnet
packets, IPFilter will block all telnet packets, including packets for established telnet
connections. The only exception to this behavior is for packets that match entries in the IPFilter
state table. IPFilter will continue to apply the existing action (pass or block) for these packets
until the state table entry times out or is deleted (such as when the connection is closed).
For more examples of commands to manage and load rulesets, see “Loading IPv4 Filter Rules”
(page 38) and “The ipf Utility” (page 89).
Verifying IPv6 Filter Rules
You can use the following commands to verify IPv6 filter rules:
• Use the ipf -V command to verify that IPFilter is running.
• Use the ipfstat -6io command to list the active inbound and outbound rules.
• Use the ipfstat -6ioh command to list the active inbound and outbound rules and the
number of hits, or matching packets, for each rule.
For more information about IPFilter utilities, see Chapter 9 (page 89).
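The hit counts from ipfstat -6ioh can be turned into a quick audit of which IPv6 rules have matched traffic since they were loaded. The script below is an added example, not part of the HP guide; it assumes each output line is a hit count followed by the rule text, and the sample rules and the lan0 interface name are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `ipfstat -6ioh` output by hit count.
# Assumed line format: "<hit count> <rule text>", one rule per line.

# hit_report: read ipfstat -h style lines on stdin and print
#   UNUSED <rule>     for rules that no packet has matched
#   HITS <n> <rule>   for rules that have matched packets
hit_report() {
    awk '
        # Skip blank lines and messages that do not start with a counter.
        $1 !~ /^[0-9]+$/ { next }
        {
            hits = $1
            sub(/^[ \t]*[0-9]+[ \t]+/, "")   # drop the counter, keep the rule
            if (hits == 0) print "UNUSED " $0
            else           print "HITS " hits " " $0
        }'
}

# count_unused: number of rules with a zero hit count.
count_unused() {
    hit_report | awk '/^UNUSED / { n++ } END { print n + 0 }'
}

# Constructed sample in the assumed format (not captured from a real host).
sample_output() {
    cat <<'EOF'
0 block in quick on lan0 proto tcp from any to any port = 23
1542 pass in quick on lan0 proto tcp from any to any port = 80
0 pass in quick on lan0 proto tcp from any to any port = 22 keep state
87 pass out quick on lan0 from any to any keep state
EOF
}

# Use live data where ipfstat is installed, otherwise the sample above.
if command -v ipfstat >/dev/null 2>&1; then
    ipfstat -6ioh | hit_report
else
    sample_output | hit_report
fi
```

A zero count shortly after loading does not by itself mean a rule is dead: as the NOTE above explains, packets that match state table entries keep their existing action until those entries time out or are deleted.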