HP-UX IPFilter Version 16 Administrator's Guide HP-UX 11i v2 and HP-UX 11i v3 HP Part Number: B9901-90044 Published: December 2008 Edition: 1.
© Copyright 2001-2008 Hewlett-Packard Development Company, L.P Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
About This Document

This document describes how to install, configure, and troubleshoot HP-UX IPFilter version 16. The latest version of this document can be found online at http://docs.hp.com.

Intended Audience

This document is intended for network managers or network security administrators who install, configure, and troubleshoot HP-UX IPFilter on HP 9000 systems. Administrators are expected to have knowledge of HP-UX operating system concepts, commands, and configuration.

WARNING: A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.

CAUTION: A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
1 Overview

HP-UX IPFilter, product number B9901AA version 16, is a TCP/IP packet filter suitable for use as a system firewall. The version strings are as follows:

OS Version      HP-UX IPFilter Version String
HP-UX 11i v3    A.11.31.16
HP-UX 11i v2    A.11.23.16

HP-UX IPFilter functions as a firewall by examining and limiting packets allowed in and out of an HP-UX system, which can be either an end node or an IP router. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.

• Drop all fragmented traffic if specified by rule
• Create extensive logs when required

Supported and Unsupported Features

See Appendix A (page 117) for a list of supported and unsupported features, including utilities and commands distributed with the open source IPFilter product but not supported by HP. This appendix also lists the network interfaces that are supported and unsupported with HP-UX IPFilter.
2 Installing HP-UX IPFilter This chapter describes the procedures to install and configure HP-UX IPFilter software on your system.
• HP-UX 11i v3: HP-UX IPFilter is installed and disabled by default. You must manually enable IPFilter the first time you install it, or enable it by configuring Bastille/ITS with the Sec20MngDMZ or Sec30DMZ install-time security level.
• HP-UX 11i v2: HP-UX IPFilter is installed by default. When installed, HP-UX IPFilter is always enabled.

Use the following steps to load HP-UX IPFilter software using the HP-UX swinstall program.

1. Verify that you have superuser or appropriate capabilities.
2.

11. Click OK on the Note window to reboot the system. The user interface disappears and the system reboots.
12. After the system reboots, check the log files in /var/adm/sw/swinstall.log and /var/adm/sw/swagent.log to verify that the installation was successful.
13. On HP-UX 11i v3 systems, enable HP-UX IPFilter using the following command:

/opt/ipf/bin/ipfilter -e

NOTE: Do not run the HP-UX IPFilter product when the system is booted in single-user mode.
rc.config.d/netconf-ipv6 files. IP addresses not configured in the netconf or netconf-ipv6 file, such as Serviceguard relocatable IP addresses, are not re-enabled. Enabling or disabling IPFilter causes the system to briefly lose network connectivity. If a system has several IP interfaces or there is heavy network traffic, the time required to re-establish network connectivity might be interpreted as a network or card failure.
3 Configuring and Loading IPv4 Filter Rules This chapter describes how to configure IPFilter rules to filter IPv4 packets. It first describes how to use the basic rule syntax to create rules that pass or block IPv4 packets based on IP addresses, protocol, and port number. The chapter then describes additional options and features you can use to filter IPv4 packets.
IPv4 Filter Rules Configuration File

The default HP-UX IPFilter IPv4 filter rules file is /etc/opt/ipf/ipf.conf. To specify an alternate IPv4 filter rules file name, set the IPF_CONF parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf. When HP-UX IPFilter is first installed, the /etc/opt/ipf/ipf.conf rules file is empty. Appendix B (page 121) contains example rules files you can use to create your ruleset.

Basic Rule Syntax: Specifying the Action, Direction, Protocol, IP Addresses, and Ports

A simplified syntax for IPFilter rules is as follows:

block|pass in|out [proto protocol] ip_selector

The ip_selector can use the from and to keywords to specify IP addresses and the port keyword to specify port numbers:

block|pass in|out [proto protocol] from ip_address[/prefix] [port = port] to ip_address[/prefix] [port = port]

Alternatively, the ip_selector can be the keyword all to specify all IP addresses:

block|pass

where:

ip_address is the source or destination IPv4 address in decimal-dot notation. The IPv4 address can also be a decimal value, or a hexadecimal value with the prefix 0x.

prefix is the decimal subnet prefix length. It can also be a network bitmask specified in dotted-decimal notation.

any specifies any IP address.

To specify an address range, enter the start address and end address, separated by a dash (-).

Operand   Alias   Result
<=        le      true if port is less than or equal to the specified value
>=        ge      true if port is greater than or equal to the specified value

Service Names

You can specify a service name defined in the /etc/services file instead of the port number when specifying a single port (when using the = operand).

Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces

IPFilter supports options to perform the following processing options:

• Log packet information (log)
• If the filter matches the packet, immediately apply the rule action and stop searching for rules (quick)
• Apply the rule only to the specified interface (on)

Option Order

If you specify processing options, you must insert them after the in or out keyword:

block|pass in|out [processing_options] [proto protocol] ip_
TIP: Using the quick keyword also enables you to order rules from most specific to least specific.

on: Filtering by Network Interfaces

The on keyword directs IPFilter to apply a rule to the specified network interface only. The syntax for specifying the on keyword is as follows:

on interface_name

where:

interface_name is a physical network interface name, such as lan0.

NOTE: The interface_name must be a physical interface name, such as lan0. It cannot be a logical interface name, such as lan0:1.

Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information

IPFilter supports options to filter packets based on the following protocol information:

• TCP flags (flags)
• IP options (with opt and with ipopt)
• IP fragments (with frag and with short)
• ICMP type and codes (icmp-type and code)
• State information (keep state)
• IP fragments (keep frags)

Option Order

If you specify protocol options, you must insert them after the ip_selector:

block|pass in|out [processing_options]
If you omit /flags_checked, IPFilter checks all the TCP flags in the packet, so specifying flags S is equivalent to specifying flags S/AFPRSU, and matches TCP packets that have the SYN flag set and no other flags set. To accommodate applications or user protocols that also set the URG or PSH flags when initiating TCP connections, you can specify flags S/SAFR to allow SYN, SYN URG, or SYN PSH packets but not allow SYN ACK packets.
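The following added Python model (not HP's code and not part of the guide) implements the flags flags_set/flags_checked matching described above, so that you can check what a given flags option admits before loading a rule; the flag letters are IPFilter's own F, S, R, P, A and U.

```python
# Added example: a model of IPFilter's "flags X/Y" TCP flag matching.
# F=FIN S=SYN R=RST P=PSH A=ACK U=URG (bit values are the standard TCP ones).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"


def flags_to_bits(letters):
    """Convert a flag string such as 'SA' into a bitmask; unknown letters are rejected."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError("unknown TCP flag %r" % ch)
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags_option(spec):
    """Parse the argument of the flags keyword, e.g. 'S' or 'S/SAFR'.

    Returns (flags_set, flags_checked) as bitmasks. When /flags_checked is
    omitted every flag is checked, so 'S' is the same as 'S/AFPRSU'.
    """
    if "/" in spec:
        set_part, checked_part = spec.split("/", 1)
    else:
        set_part, checked_part = spec, ALL_FLAGS
    flags_set, flags_checked = flags_to_bits(set_part), flags_to_bits(checked_part)
    if flags_set & ~flags_checked:
        # A flag required to be set but not checked can never match.
        raise ValueError("flags_set %r is not a subset of flags_checked %r"
                         % (set_part, checked_part))
    return flags_set, flags_checked


def flags_match(spec, packet_flags):
    """True if a TCP packet carrying packet_flags (e.g. 'SA') satisfies 'flags spec'.

    Within the checked flags exactly flags_set must be set; flags outside the
    checked mask are ignored, which is what lets S/SAFR admit SYN+URG or SYN+PSH.
    """
    flags_set, flags_checked = parse_flags_option(spec)
    return (flags_to_bits(packet_flags) & flags_checked) == flags_set
```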
block in all with ipopts

with frag and with short: Selecting Fragmented IP Packets

The with frag and with short keywords enable you to select IP packet fragments and short IP packets.

with frag: Selecting IP Packet Fragments

The with frag keyword selects IP packet fragments (IP packets with a non-zero fragment offset). If you do not want IPFilter to pass IP packet fragments, specify the block action and the with frag keywords.

pass out quick proto tcp from 10.1.1.1/32 to any keep state
pass out quick proto udp from 10.1.1.1/32 to any keep state
pass out quick proto icmp from 10.1.1.1/32 to any keep state

For more examples of correct uses of the keep state keyword, see Appendix B (page 121).

Allocating Memory for the State Table

The amount of memory allocated for the state table is determined by the kernel tunable parameter fr_statemax. In most deployments, the default value is sufficient.

NOTE: The keep state keyword can create state entries even if the first packets it sees for a connection come from the middle of that connection. The only exception to this is when the rule specifies flags S. In this case, IPFilter creates a state table entry only when a TCP packet with the SYN flag set is sent, and TCP sends these packets only at connection establishment time.

Idle Timeout

By default, IPFilter keeps TCP state table entries for idle, established TCP connections for 86,400 seconds (24 hours).
keep frags: Handling IP Fragments You can configure IPFilter to keep information about IP packets and to select subsequent IP packet fragments. The keep frags keyword lets you configure IPFilter to pass fragmented packets while blocking packets that might be forgeries or port scans trying to attack the system. The keep frags option is valid only when used with the keep state option. In the following example, the first two rules define the valid packets that are allowed to pass.
Sending Responses for Blocked TCP and UDP Packets When you use the block keyword, IPFilter drops the blocked packet and no response is sent to the remote system that sent the packet. This can be a security risk, because it might alert an attacker that a packet filter is running on the system. You can use the return-rst and return-icmp-as-dest keywords to send appropriate responses to blocked packets.
Improving Performance with Rule Groups

Rule groups allow you to write your ruleset in a tree structure, instead of as a linear list, so if an incoming packet is unrelated to a set of rules, those rules will never be processed. This reduces IPFilter processing time on each packet and improves IPFilter system performance. The following is a simple rule group example:

block out quick on lan1 all head 10
pass out quick proto tcp from any to 20.20.20.

Loading IPv4 Filter Rules

By default, HP-UX IPFilter starts on bootup and loads IPv4 filter rules from the /etc/opt/ipf/ipf.conf file. If you do not want IPv4 filter rules to load on bootup, place your rules in an alternate location and then manually load the rules using the ipf command.

You can use this command when IPFilter is running.

Verifying IPv4 Filter Rules

You can use the following commands to verify IPv4 filter rules:

• Use the ipfstat -io command to list the active inbound and outbound rules.
• Use the ipf -V command to verify that IPFilter is running.
• Use the ipfstat -ioh command to list the active inbound and outbound rules and the number of hits, or matching packets, for each rule.

For more information about IPFilter utilities, see Chapter 9 (page 85).

4 Configuring and Loading IPv6 Filter Rules

This chapter describes how to configure and manage IPv6 filter rules. It contains the following sections:

• “IPv6 Filter Rules Configuration File” (page 37)
• “Features Not Supported with IPv6” (page 38)
• “IPv6 Filter Rule Syntax Differences” (page 38)
• “Loading IPv6 Filter Rules” (page 41)

IPv6 Filter Rules Configuration File

HP-UX IPFilter maintains IPv4 and IPv6 rules as separate rule sets.

Features Not Supported with IPv6

The following features are not supported with IPv6:

• IPFilter NAT functionality and the associated commands and utilities.
• Dynamic Connection Allocation (DCA) on HP-UX 11i v1 systems. DCA is not supported with IPv6 addresses on HP-UX 11i v1 systems, but is supported on HP-UX 11i v2 and HP-UX 11i v3 systems.
• The scripts and files used to generate and load IPFilter rules for Remote Procedure Call (RPC) ports, including /etc/opt/ipf/rpc.ipf.

block|pass in|out [processing_options] [proto protocol] ip_selector with v6hdrs ipv6_header

where:

processing_options is one or more processing options, such as quick. See “Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces” (page 24) for more information.

ip_selector is the IP address specification using the keyword all, or the from and to keywords and IPv6 addresses and optional ports.
Sending ICMPv6 Responses IPFilter supports the return-icmpv6-as-dest and return-icmpv6 keywords for IPv6. These keywords are equivalent to the IPv4 keywords return-icmp-as-dest and return-icmp. The primary use for these keywords is to send an ICMPv6 message with type destination unreachable and code port unreachable in response to UDP packets sent to a blocked port.
Loading IPv6 Filter Rules

By default, HP-UX IPFilter starts on bootup and loads IPv6 filter rules from the /etc/opt/ipf/ipf6.conf file. If you do not want IPFilter to load IPv6 filter rules at bootup, place your rules in an alternate location and then manually load the rules using the ipf command. To load, flush, and switch the IPv6 filter rulesets, insert the -6 option before the other ipf ruleset options.

5 Configuring and Loading Dynamic Connection Allocation (DCA) Rules

This chapter describes Dynamic Connection Allocation (DCA). DCA helps mitigate DoS attacks in which an attacker attempts to overload a system with TCP connection requests. DCA uses stateful packet inspection to limit the number of incoming TCP connections to a system. This chapter describes DCA keywords and syntax. It also contains procedures for changing DCA rules dynamically and setting DCA mode at startup.
DCA with HP-UX IPFilter An HP-UX IPFilter system can act as a secure intermediary, tracking all incoming TCP connections to a system or network. DCA lets you limit incoming TCP connections passing through an IPFilter system. You can use DCA to limit the number of inbound connections based on the source IP address and optionally, the destination TCP port number. After a legal TCP connection is established, DCA uses TCP state information to allow subsequent packets for the connection to pass.
DCA Rule Syntax and Keywords

The basic DCA syntax is as follows:

pass in quick proto tcp from source_ip|any to dest_ip|any [port = port_num] keep limit limit_num

The keep limit keywords indicate that this is a DCA rule.

Limiting Connections by Subnet

The following rule is an example of a DCA rule that limits connections by IP subnet:

pass in quick proto tcp from 192.168.5.0/24 to any port = 25 keep limit 4

This rule limits the maximum concurrent TCP connections to four from any individual host in subnet 192.168.5.0/24 to port 25 of any host.

The system host1 is allowed to open only 10 concurrent connections. IPFilter blocks any subsequent connection requests. Since log limit is set, each additional connection attempt is logged. The log limit option generates two types of log records:

• Alert Log records—created when a source IP address attempts to exceed its configured connection limit. Every time the connection limit is exceeded, IPFilter creates an alert log record.
•

In the previous rule, log limit freq 5 specifies that a log record should be written for every fifth connection attempt that exceeds the connection limit of 10. If 100 connections are established, IPFilter logs the eleventh, sixteenth, twenty-first, and so on. Cumulative limits are shared by different IP addresses, so it is possible that IPFilter will not log connections from some source IP addresses. For example, the initial connections might come from ipaddr1 and the next 10 from ipaddr2.
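The following added Python model (not HP's code and not part of the guide) replays connection requests against a keep limit rule with log limit freq to show which attempts are refused and which produce an alert record. It assumes, as the text above describes, that an individual rule keeps one counter per source address while a cumulative rule shares a single counter across all sources.

```python
# Added example: a model of a DCA "keep limit N [log limit freq F]" rule.
class KeepLimitRule:
    """One keep limit rule.

    cumulative=False models an individual rule (one counter per source address);
    cumulative=True models a cumulative limit shared by every source address,
    which is why some sources may never have an alert record of their own.
    """

    def __init__(self, limit, log_freq=1, cumulative=False):
        self.limit = limit          # keep limit value
        self.log_freq = log_freq    # log limit freq value (1 = log every excess attempt)
        self.cumulative = cumulative
        self.open = {}              # counter key -> concurrent connections
        self.excess = {}            # counter key -> refused attempts so far

    def _key(self, src_ip):
        return "cumulative" if self.cumulative else src_ip

    def connect(self, src_ip):
        """Process a new connection request; return (allowed, alert_logged)."""
        key = self._key(src_ip)
        if self.open.get(key, 0) < self.limit:
            self.open[key] = self.open.get(key, 0) + 1
            return True, False
        n = self.excess.get(key, 0) + 1
        self.excess[key] = n
        # freq F logs the 1st, (1+F)th, (1+2F)th ... attempt over the limit,
        # so with limit 10 and freq 5 the 11th, 16th, 21st ... requests are logged.
        return False, (n - 1) % self.log_freq == 0

    def close(self, src_ip):
        """A tracked connection ended; release its limit slot."""
        key = self._key(src_ip)
        if self.open.get(key, 0) > 0:
            self.open[key] -= 1


def logged_attempts(rule, sources):
    """Replay one connection request per entry of `sources` (a constructed list of
    source addresses) and return the 1-based attempt numbers that are logged."""
    return [i for i, src in enumerate(sources, 1) if rule.connect(src)[1]]


if __name__ == "__main__":
    rule = KeepLimitRule(limit=10, log_freq=5)
    print("logged attempts:", logged_attempts(rule, ["host1"] * 100))
```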
Loading and Modifying DCA Rules The following sections describe how to load and modify DCA rules when HP-UX IPFilter is running. NOTE: HP recommends configuring a redundant rule (such as pass in all) in all DCA rule files. IPFilter does not process packets without a rule.
To change the number of connections allowed by a keep limit rule:

1. Create a new rule identical to the current rule except for a different keep limit count. When adding a new rule, IPFilter recognizes it as the update of an existing rule. Current limit entries made by the old rule are updated with the new connection limit when a new connection is processed. New connections are processed with the new rule.

For example, the original rule is:

pass in quick proto tcp from 14.13.45.0-14.13.45.
Integrating keep limit Rules The following procedure describes how to add a specific subnet or IP address range rule before an existing general subnet or IP address range rule. 1. Add the new subnet or IP address range rule. Be sure to re-enter the old subnet or IP address range rule exactly as it was entered before. When a new connection matches an existing limit entry, the new connection will be processed by the new subnet or IP address range rule.
Enabling and Disabling DCA To use DCA, you must enable DCA mode. You can enable or disable DCA mode using the ipf utility. If you want IPFilter to automatically enable DCA mode at system startup time, you must also modify the /etc/rc.config.d/ipfconf file. Enabling and Disabling DCA Using ipf There is a single DCA mode for both IPv4 and IPv6 addresses. You can use the ipf command to enable and disable DCA mode.
  — ipf -D interface_name
  — ipf -m option
• “Viewing IPFilter Statistics and Active Rules with ipfstat” (page 70).
  — ipfstat -L
  — ipfstat -vL
  — ipfstat -r group:rule
• “Using ipmon to View IPFilter Log Entries” (page 80).
  — ipmon -r

DCA also provides logging records that can serve as alert messages or as a summary of the connections made from a specific IP address. You can use the log records to identify IP addresses or subnets that you want to limit or block.
Monitoring and Allocating Memory for DCA Data IPFilter allocates entries in its state table for TCP connections that use a DCA rule. In addition, IPFilter keeps a limit table that counts the state table entries for a DCA rule. The amount of memory allocated for the state table is determined by the kernel tunable parameter fr_statemax.
6 Configuring and Loading Network Address Translation (NAT) Rules

This chapter contains the following sections:

• “NAT Rules Configuration File” (page 55)
  — “Format” (page 55)
  — “Rule Order and Processing” (page 55)
• “NAT Keywords” (page 57)
• “map and portmap: Mapping Outbound Packets” (page 58)
• “rdr: Redirecting Inbound Packets” (page 60)
• “bimap: Bidirectional Mapping” (page 62)
• “Loading NAT Rules” (page 63)

NAT Rules Configuration File

IPFilter loads and evaluates NAT rules separately from filte

Outbound Packets

When processing outbound packets, IPFilter evaluates rules in the following order:

1. Filter rules
2.

NAT Keywords

IPFilter supports the following keywords for NAT (Network Address Translation) functionality:

• map and mapblock: The map and mapblock keywords rewrite or translate source addresses and port numbers for outbound packets.
• rdr: The rdr keyword redirects and translates destination addresses and port numbers for inbound packets.
• bimap: The bimap keyword translates addresses and port numbers for inbound and outbound packets.
map and portmap: Mapping Outbound Packets The map keyword rewrites or translates source addresses for outbound packets. When used with the portmap keyword, map also translates UDP or TCP port numbers. When an outbound packet matches the selectors in a map rule, IPFilter rewrites the source IP address with the specified target IP address. IPFilter also creates an entry in its map table, and checks this map table for both inbound and outbound packets.
map-block: Mapping to a Block of Addresses

IPFilter NAT can map an IP address to a specific block of IP addresses in two ways. You can use the map-block keyword to statically map sessions from a host to a selected block of IP addresses. Configure the following rule:

map-block lan0 192.168.1.0/24 -> 20.20.20.0/24

Any outgoing packet with an IP address beginning with 192.168.1 is mapped to an IP address beginning with 20.20.20.

rdr: Redirecting Inbound Packets

The rdr keyword redirects inbound packets and rewrites the destination address. To redirect inbound packets, use the following syntax:

rdr interface_name destination_ip -> target_ip

where:

interface_name is the name of the network interface used to receive the packets. For example, lan1.

destination_ip is the destination IP address. This can be a subnet address or 0.0.0.0/0 to match any address.

target_ip is the target IP address.
When a packet comes in, IPFilter first evaluates the NAT rules. IPFilter rewrites the destination address and port number based on the NAT rule. IPFilter then evaluates the filter rules. With the rewritten destination address and port number, the packet matches the pass in rule. Using the rdr and round-robin Keywords for Load Balancing You can use the rdr keyword with the round-robin keyword to implement load-balancing systems and redirect traffic to multiple addresses.
bimap: Bidirectional Mapping

The bimap keyword creates two map entries for the rule: one for inbound and one for outbound. Unlike the map keyword, an initial inbound packet is not required to create the outbound rule. The bimap keyword allows IPFilter to map IP addresses bidirectionally. You can use this when you want the IP address of a particular device on the NAT-supported system to appear to have a different IP address outside the system. For example:

bimap lan0 192.168.1.1/32 -> 20.20.20.

Loading NAT Rules

To load IPFilter NAT rules:

1. Add NAT rules to the /etc/opt/ipf/ipnat.conf file, or to another NAT rules file you select. See “The ipnat Utility” (page 88) for information and instructions.
2. Use the following command to load the NAT rules manually:

ipnat -CF -f /etc/opt/ipf/ipnat.conf

This command flushes any current mappings and NAT rules, and reads NAT rules from the specified rules file.
7 Tips for Securing Your System This chapter describes specific configuration procedures for HP-UX IPFilter. It contains concepts for basic and advanced firewall design using HP-UX IPFilter features.
Several services allow you to block by port number for security:

• syslog on UDP port 514.
• portmap on TCP port 111 and UDP port 111. You can specify proto tcp/udp with port=111.
• lpd on TCP port 515.
• NFS on TCP port 2049 and UDP port 2049. You can also configure NFS to use static (fixed) port numbers for the NFS statd, mountd, and lockd services, as described in “Configuring NFS to Use Fixed Ports” (page 103).
• X11 on TCP port 6000.

The following ruleset blocks packets from private address blocks and the loopback address block received on lan0:

block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
pass in all

If you have an internal network, you can allow only traffic destined for the network with source addresses from addresses within that network.

8 Troubleshooting HP-UX IPFilter

This chapter contains the following sections:

• “Viewing IPFilter Statistics and Active Rules with ipfstat” (page 70)
• “Testing Rules with ipftest” (page 75)
• “Logging IPFilter Packets” (page 78)
• “Troubleshooting Tips” (page 81)
• “Reporting Problems” (page 84)

Viewing IPFilter Statistics and Active Rules with ipfstat

The ipfstat utility displays IPFilter statistics, including how many packets have been passed or blocked, whether the packets were logged or not, how many state entries have been made, and DCA statistics. You can also use options with ipfstat to display active rules.

Syntax

ipfstat [-options]

Options

For a complete list of ipfstat options, see the ipfstat manpage.
-v Sets verbose mode. Use for debugging. NOTE: Statistics counters cannot increment when both active in and out rulesets are empty. This is due to a performance optimization that bypasses IPFilter when there are no active rulesets present.
Set the -n option to display the rule number next to each rule. The rule number is displayed as @group:rule. This can help you determine which rules are incorrectly configured. For example:

# ipfstat -on
@0:1 pass out on lan0 from any to any
@0:2 block out on ppp0 from any to any
@0:3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags

The following example uses the -s option to display the state table.

Subnet           3
Cumulative       5
Unknown IP       9
Total           19
No Memory        0
Logged Records  13
Log Failures     0
Limits Added    13
Add Failures     0

• The first six lines display the number of current active connections of each described type.
• No Memory is the number of times a limit entry could not be created because no memory was available. If this is a non-zero, positive value, then the system memory should be checked and, if necessary, increased.

These limit entries are created through the default rule. See “keep limit: Limiting Connections” (page 45) for detailed information on the different types of limit entries.

• The Rule column displays the rule number that caused the creation of this limit entry. This information can in turn be used to get per-rule statistics using the ipfstat -r command.
• The third through sixth columns display IP-port pairs of the TCP connection.
Testing Rules with ipftest The ipftest utility enables you to test a ruleset without loading it. You do not need superuser capabilities to run ipftest. The ipftest utility tests a ruleset using a set of packet descriptors that simulate network traffic. The ipftest utility determines the action IPFilter would take for each packet and writes the packet and the action to stdout. When you generate simulated traffic, you can use example data obtained from a packet probe or similar monitor.
The ipftest utility supports additional options to specify the input format and to control packet testing. For a complete list of options and their functions, see the ipftest manpage.

Example

The following ruleset is used for this example:

block in all
pass in from 10.1.84.195 to any

The input file contains the following packet descriptors:

in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000
in on lan1 udp 10.1.84.195,16000 10.1.85.196,16000
in on lan0 udp 10.1.84.195,16000 10.1.80.

block ip 28(20) 17 10.1.85.195,16000 > 10.1.80.196,16000
-------------
input: out on lan0 udp 10.1.84.196,16000 10.1.84.195,16000
nomatch ip 28(20) 17 10.1.84.196,16000 > 10.1.84.195,16000
-------------
input: out on lan1 udp 10.1.85.196,16000 10.1.84.195,16000
nomatch ip 28(20) 17 10.1.85.196,16000 > 10.1.84.195,16000
-------------
input: out on lan0 udp 10.1.80.196,16000 10.1.84.195,16000
nomatch ip 28(20) 17 10.1.80.196,16000 > 10.1.84.195,16000
-------------
input: out on lan0 udp 10.1.84.196,16000 10.1.85.
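The following added Python evaluator (not HP's code and not part of the guide) reproduces the pass, block and nomatch verdicts of the ipftest example above for the simplified rule syntax used in this chapter, including the last-match-wins default and the quick and on options. It handles only the keywords shown in this chapter's simplified syntax; the third packet descriptor is constructed to correspond to the block line of the output above.

```python
# Added example: an ipftest-style evaluator for the simplified rule syntax
#   block|pass in|out [quick] [on iface] [proto proto] (all | from a[/p] to b[/p])
# Rules are checked in order; the last matching rule decides, unless a matching
# rule carries "quick", which applies its action at once and stops the search.
import ipaddress


def parse_addr(spec):
    """'any' matches every address; otherwise a host address or CIDR network."""
    if spec == "any":
        return None
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(text):
    """Parse one rule, e.g. 'block in quick on lan0 from 10.0.0.0/8 to any'."""
    tokens = text.split()
    rule = {"action": tokens[0], "dir": tokens[1], "quick": False,
            "iface": None, "proto": None, "src": None, "dst": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "quick":
            rule["quick"] = True
            i += 1
        elif tok == "all":
            i += 1
        elif tok in ("on", "proto"):
            rule["iface" if tok == "on" else "proto"] = tokens[i + 1]
            i += 2
        elif tok in ("from", "to"):
            rule["src" if tok == "from" else "dst"] = parse_addr(tokens[i + 1])
            i += 2
        else:
            raise ValueError("keyword not modelled in this example: %r" % tok)
    return rule


def parse_packet(desc):
    """Parse an ipftest descriptor: 'in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000'."""
    direction, _on, iface, proto, src, dst = desc.split()
    src_ip, src_port = src.split(",")
    dst_ip, dst_port = dst.split(",")
    return {"dir": direction, "iface": iface, "proto": proto,
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port)}


def rule_matches(rule, pkt):
    """Every selector present in the rule must agree with the packet."""
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and pkt["src"] not in rule["src"]:
        return False
    if rule["dst"] is not None and pkt["dst"] not in rule["dst"]:
        return False
    return True


def evaluate(rules, pkt):
    """Last matching rule wins; a matching quick rule ends the search immediately."""
    verdict = "nomatch"
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def run_ipftest(ruleset_text, descriptors):
    """Return the verdict ipftest would print for each packet descriptor."""
    rules = [parse_rule(line) for line in ruleset_text.splitlines() if line.strip()]
    return [evaluate(rules, parse_packet(d)) for d in descriptors]


# Ruleset and descriptors from the ipftest example above; the third descriptor
# is constructed to correspond to the "block" line of the output.
EXAMPLE_RULES = """
block in all
pass in from 10.1.84.195 to any
"""
EXAMPLE_PACKETS = [
    "in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000",
    "in on lan1 udp 10.1.84.195,16000 10.1.85.196,16000",
    "in on lan0 udp 10.1.85.195,16000 10.1.80.196,16000",
    "out on lan0 udp 10.1.84.196,16000 10.1.84.195,16000",
]

if __name__ == "__main__":
    for desc, verdict in zip(EXAMPLE_PACKETS, run_ipftest(EXAMPLE_RULES, EXAMPLE_PACKETS)):
        print(verdict, "<-", desc)
```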
Logging IPFilter Packets

This section describes how to use the log keyword in IPFilter rules to configure logging and how to use the ipmon utility to view IPFilter log records.

Using the log keyword to Configure IPFilter Logging

To configure logging, specify the log keyword in an IPFilter rule after the in or out keyword, as described in “log: Logging Packets” (page 24). The log keyword directs IPFilter to log packets matching the rule to the IPFilter logging device, /dev/ipl.

The first option only applies to packets in a specific session. You can use the first option to monitor traffic on your system. For best results, use the first option in conjunction with rules that use pass and keep state. Example:

pass in log first proto tcp from any to any flags S keep state

body

You can use the body option with the log keyword to track parts of an IP packet in addition to the packet header information. IPFilter logs the first 128 bytes of a packet if the body option is specified.
Using ipmon to View IPFilter Log Entries The ipmon utility displays IPFilter log entries in human-readable format. To configure IPFilter to create log entries, specify the log keyword in IPFilter rules, as described in “Using the log keyword to Configure IPFilter Logging” (page 78). The ipmon utility can also display the state table log, the NAT log, or any combination of these three. You can run ipmon in the foreground or as a daemon that logs to syslog or a file.
• Field 3—Rule group number: rule number of the rule used for the packet, in the format @group_number:rule_number
• Field 4—Action: blocked (b) or passed (p) packet
• Field 5—Packet source, in the format ip_address,port
• Field 6—Packet destination, in the format ip_address,port
• Fields 7 and 8—Protocol
• Field 9—Packet size
• Field 10—Flags set on packet

Use the ipfstat -in command to determine the text of the rule that created the log entry.
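A parser for ipmon records laid out as the field list above describes, written as an added example for this section (it is not HP code and not part of the guide). Two assumptions are built in: the first two fields, which this excerpt does not describe, are taken to be a timestamp and the interface name, and source and destination are taken to be separated by a "->" token, which the parser skips if present. The sample log lines are constructed for the example, not captured from a system. A small summary function then counts blocked packets per source address, which is the first thing an operator usually wants from these records.

```python
# Added example (not HP code): parse ipmon log lines laid out as the field
# list above describes, and summarise which sources hit block rules.
# Assumptions: fields 1 and 2 are a timestamp and the interface name, and a
# "->" token separates source and destination. SAMPLE_LINES are constructed.
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_LINES = [
    "12/03/2008 10:15:32.123456 lan0 @0:1 b 10.1.85.195,16000 -> 10.1.80.196,16000 PR udp len 20 28 IN",
    "12/03/2008 10:15:33.000001 lan0 @0:2 p 10.1.84.195,16000 -> 10.1.84.196,16000 PR udp len 20 28 IN",
    "12/03/2008 10:15:34.500000 lan0 @0:1 b 10.1.85.195,2048 -> 10.1.80.196,23 PR tcp len 20 40 -S IN",
    "12/03/2008 10:15:35.250000 lan1 @0:1 b 10.1.90.7 -> 10.1.84.195 PR icmp len 20 84 icmp 8/0 IN",
]


def _endpoint(token: str) -> Tuple[str, Optional[int]]:
    """'ip,port' -> (ip, port); a bare address (as for ICMP) has no port."""
    ip, _, port = token.partition(",")
    return ip, (int(port) if port else None)


def parse_ipmon_line(line: str) -> Dict[str, object]:
    tok = line.split()
    # Anchor on the @group:rule token (Field 3) so the parser does not depend
    # on how many tokens the timestamp occupies.
    i = next(k for k, t in enumerate(tok) if t.startswith("@"))
    group, rule = tok[i][1:].split(":")
    action = tok[i + 1]                       # Field 4: b or p
    src, sport = _endpoint(tok[i + 2])        # Field 5
    j = i + 3
    if tok[j] == "->":                        # assumed separator, skipped if present
        j += 1
    dst, dport = _endpoint(tok[j])            # Field 6
    if tok[j + 1] != "PR":                    # Fields 7 and 8: "PR <protocol>"
        raise ValueError(f"no protocol marker in: {line}")
    proto = tok[j + 2]
    rest = tok[j + 3:]
    size = None
    if rest and rest[0] == "len":             # Field 9: "len <header> <total>" is
        k = 1                                 # assumed; the last value is kept
        while k < len(rest) and rest[k].isdigit():
            size = int(rest[k])
            k += 1
        rest = rest[k:]
    return {
        "group": int(group), "rule": int(rule),
        "action": {"b": "blocked", "p": "passed"}.get(action, action),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "proto": proto, "size": size, "flags": rest,  # Field 10 and anything after
    }


def blocked_by_source(lines: List[str]) -> Dict[str, int]:
    """Count blocked packets per source address: a quick view of which
    hosts are hitting block rules most often."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec["action"] == "blocked":
            counts[rec["src"]] += 1
    return dict(counts)
```

Because the parser anchors on the @group:rule token rather than on absolute positions, it tolerates a different timestamp layout; the ipfstat -in lookup mentioned above can then be applied to the group and rule numbers it returns to recover the rule text.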
If IPFilter is not enabled, enable it by entering the following command:

ipfilter -e

Load the rulesets after enabling IPFilter. See “Loading IPv4 Filter Rules” (page 34).

On all HP-UX versions, verify that HP-UX IPFilter is running by entering the following command:

ipf -V

The running field should say yes. If it says no, the HP-UX IPFilter module has not been loaded. It might have been explicitly unloaded. To load IPFilter again, use:

/sbin/init.
In addition, you can use ipftest to test a set of filter rules without having to put them in place. See the ipftest(1) manpage for more information on this tool.

• IPFilter rules changed after using Bastille/Install-Time-Security level.

If you configure an IPFilter ruleset using Install-Time-Security level, or use HP-UX Bastille interactively to reconfigure IPFilter rules, existing rules will be overwritten. This will change IPFilter behavior.
Reporting Problems

Include the following information when reporting problems:
• A complete description of the problem and any error messages.
9 HP-UX IPFilter Utilities

This chapter describes utilities for administering IPFilter. It contains the following sections:
• “The ipf Utility” (page 85)
• “The ipnat Utility” (page 88)
• “The ipfilter Utility (HP-UX 11i v3)” (page 89)

NOTE: Most of the information in this chapter has been derived from the IP Filter-based Firewalls HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this document at http://www.obfuscation.org/ipf/.
-s Switches the active ruleset with the inactive ruleset. IPFilter maintains an active ruleset and an inactive ruleset. The active ruleset is the ruleset used for IPFilter operations, and the inactive ruleset is a supplementary, reserve ruleset. If you specify this option with the -6 option, this option affects the IPv6 rulesets; if you specify it without the -6 option, this option affects the IPv4 rulesets.

-Fa Flushes all rules in the specified ruleset.
IPv4 IPFilter processing.

-Q interface_name Queries if IPFilter processing is enabled or disabled for a given interface. If you specify this option with the -6 option, it queries the status of IPv6 IPFilter processing; if you specify this option without the -6 option, it queries the status of IPv4 IPFilter processing.

The -E, -D, and -Q commands let you control IPFilter processing on a given interface. For example, ipf -D lan0 disables IPv4 IPFilter processing for traffic on lan0.
The ipnat Utility

Use the ipnat utility to view and load NAT rules. The default NAT rules file is /etc/opt/ipf/ipnat.conf.

Syntax

ipnat options full_path_name

Options

-f Reads rules from a specified rules file.
-l Lists NAT rules and active mappings.
-C Deletes the current ruleset.
-F Flushes active mappings.
-r Removes rules from the NAT rules file.

Example

Enter the following command:

ipnat -CF -f /etc/opt/ipf/ipnat.
The ipfilter Utility (HP-UX 11i v3)

The ipfilter utility enables, disables, and reports the IPFilter state. The ipfilter utility is supported only on HP-UX 11i v3.

Syntax

/opt/ipf/bin/ipfilter -d|e|q

Options

-e Enables the HP-UX IPFilter module.
-d Disables the HP-UX IPFilter module.
-q Queries the HP-UX IPFilter module and displays whether it is enabled or disabled.

CAUTION: HP recommends that you enable or disable IPFilter when interrupting network connectivity is not disruptive.
10 HP-UX IPFilter and ICMP

This chapter describes how to use HP-UX IPFilter to filter ICMP (ICMPv4) and ICMPv6 packets. It also describes how to configure ICMP kernel parameters for optimal security.
Table 10-1 ICMP Type and Codes (continued)

Type   icmp-type   Code   icmp-code       Meaning
                   9      net-prohib      destination network administratively prohibited [RFC1256]
                   10     host-prohib     destination host administratively prohibited [RFC1256]
                   11     net-tos         network unreachable for TOS [RFC792]
                   12     host-tos        host unreachable for TOS [RFC792]
                   13     filter-prohib   prohibited by filtering [RFC1812]
                   14     host-preced     host precedence violation [RFC1812]
                   15     cutoff-preced   precedence cutoff in effect [RFC1812]
4      squenc      0
• “ICMP Redirects (ip_send_redirects)” (page 94)
• “PMTU Discovery (ip_pmtu_strategy)” (page 94)
• “ICMP Echo Request Broadcasts (ip_respond_to_echo_broadcast)” (page 95)

This section also describes how to use ndd to set the ICMP parameter values (“Using ndd to Configure ICMPv4 Kernel Parameters” (page 95)).

Dead Gateway Detection (ip_ire_gw_probe)

The ip_ire_gw_probe parameter enables or disables dead (non-operational) gateway detection. This feature is useful in topologies with redundant gateways.
pass out quick proto icmp from any to any icmp-type 4

ICMP Redirects (ip_send_redirects)

The ip_send_redirects parameter enables or disables ICMP redirect transmissions. ICMP redirects are generally used by hosts to communicate alternate or optimal routes. If a forged ICMP redirect message is processed by a host, its routing table can be compromised and it may route subsequent traffic through an unsafe route.
case, HP recommends that you set ip_pmtu_strategy to 3 if this value is supported on your system, or to 0 if it is not supported. Note that for IPv4, the link-local MTU can be as low as 68 bytes. Setting ip_pmtu_strategy to 0 or 3 can significantly decrease IP throughput.

ICMP Echo Request Broadcasts (ip_respond_to_echo_broadcast)

A ping message (ICMP echo request) to a broadcast address solicits responses from multiple systems and can generate a lot of network traffic.
Filtering ICMPv6 Packets by Type and Code (icmpv6-type and code)

You can filter specific types of ICMPv6 traffic using the icmpv6-type and code keywords. You must specify proto icmpv6 to use the icmpv6-type and code keywords. A simplified rule syntax is as follows:

block|pass in|out [processing_options] proto icmpv6 icmpv6-type type_value [code code_value] ip_selector

where:

processing_options is one or more processing options, such as quick.
Controlling ICMPv6 Router Discovery and Neighbor Discovery Messages By default, HP-UX IPFilter allows ICMPv6 Router Discovery and Neighbor Discovery messages to bypass (pass through) IPFilter rulesets and always pass in and out of the system.
11 HP-UX IPFilter and FTP

This chapter describes how to filter FTP services. It contains the following sections:
• “FTP Basics” (page 99)
• “WU-FTPD on HP-UX” (page 99)
• “Running an FTP Server” (page 100)
• “Running an FTP Client” (page 100)

CAUTION: NAT and FTP are incompatible. If you are using FTP on your IPFilter system, do not use NAT rules.

FTP Basics

The File Transfer Protocol (FTP) is a user-level protocol for transferring files between host computers.
WU-FTPD 2.6.1 is a core product on HP-UX 11i v2.

Running an FTP Server

This section describes active FTP and passive FTP server setup.

Active FTP

FTP Server                 Direction of Connection Initiated    FTP Client
port 21 (control port)     <----------------                    any port 1024 or higher
port 20 (data port)        ---------------->                    any port 1024 or higher

On an FTP server using active FTP, configure IPFilter rules to allow control connections in and data connections out.
pass out quick proto tcp from client_ip port > 1023 to any port = 21 flags S keep state
pass in quick proto tcp from any port 20 to client_ip port > 1023 flags S keep state
block in from any to any
block out from any to any

NOTE: FTP Proxy is not supported by HP. For a complete list of unsupported utilities and commands, see “Unsupported Utilities” (page 118).
12 HP-UX IPFilter and NFS and RPC

This chapter describes the use of NFS and RPC with IPFilter. It contains the following sections:
• “Introduction” (page 103)
• “Configuring NFS to Use Fixed Ports” (page 103)
• “Using the rpc.ipfboot Script to Update IPFilter Rules” (page 104)

Introduction

The NFS service uses multiple daemons. The NFS daemon, nfsd, listens for requests on the static (fixed) TCP and UDP port number 2049. By default, the auxiliary daemons used for the NFS services—rpc.lockd (lockd), rpc.
# /sbin/init.d/nfs.client start
# /sbin/init.d/nfs.server start

3. (Optional) Enter the following command to verify the ports used by the NFS auxiliary daemons:

# rpcinfo -p

Using the rpc.ipfboot Script to Update IPFilter Rules

The /etc/opt/ipf/rpc.ipf/rpc.ipfboot script queries the port mapper and updates IPFilter rules files with the appropriate port numbers.
By default, all RPC rules are configured as the first rules, for example, RPC_RULE_POSITION=1. The RPC rules are well defined in terms of IP addresses and ports and will have unique matches; because they are quick rules, they should be at the top.

RPC Rules Configuration File

This file specifies the details from which IPFilter RPC rules are generated. /etc/opt/ipf/rpc.ipf/rpc_ipfconf.sample is provided as an example. The /etc/opt/ipf/rpc.ipf/rpc_ipfconf file contains the client list and program list.
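The steps above (fix the auxiliary daemon ports, verify them with rpcinfo -p, then let rpc.ipfboot turn the client list and program list into quick rules at the top of the ruleset) can be illustrated with the following added example. It is not the HP rpc.ipfboot script and is not taken from this guide: it reads rpcinfo -p output for the programs in a program list and emits one pass in quick rule per client, program and protocol. The rpcinfo output, the client list and the program list are constructed for the example and stand in for the contents of rpc_ipfconf.

```python
# Added example (not the HP rpc.ipfboot script): generate IPFilter rules from
# "rpcinfo -p" output for a configured client list and program list.
# RPCINFO_OUTPUT is constructed sample output, not captured from a system.
from typing import Iterable, List, Set, Tuple

RPCINFO_OUTPUT = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100024    1   udp   4046  status
    100024    1   tcp   4046  status
    100005    3   udp   4047  mountd
    100005    3   tcp   4047  mountd
"""


def parse_rpcinfo(text: str) -> List[Tuple[str, str, int]]:
    """Return (service, proto, port) triples; the header line is skipped."""
    triples = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "program":
            continue
        _program, _version, proto, port, service = parts
        triples.append((service, proto, int(port)))
    return triples


def build_rpc_rules(rpcinfo_text: str, clients: Iterable[str],
                    programs: Set[str]) -> List[str]:
    """One 'pass in quick' rule per client and registered (program, proto, port).
    Several RPC versions usually share a port, so duplicates are collapsed.
    TCP rules use 'flags S' so state is created only on the SYN; UDP rules
    just keep state. 'quick' reflects the text: these rules go first and
    decide immediately."""
    rules: List[str] = []
    seen: Set[Tuple[str, str, int]] = set()
    clients = list(clients)
    for service, proto, port in parse_rpcinfo(rpcinfo_text):
        if service not in programs or (service, proto, port) in seen:
            continue
        seen.add((service, proto, port))
        for client in clients:
            if proto == "tcp":
                rules.append(f"pass in quick proto tcp from {client} to any "
                             f"port = {port} flags S keep state")
            else:
                rules.append(f"pass in quick proto udp from {client} to any "
                             f"port = {port} keep state")
    return rules
```

With a client list of one subnet and a program list of nlockmgr, status and mountd, build_rpc_rules returns six rules (three programs, each on TCP and UDP); nfs itself on port 2049 is left to the static rules because its port never changes, and the duplicate nlockmgr registration for version 3 is collapsed into the version 4 entry that shares its port.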
13 HP-UX IPFilter and IPSec

This chapter describes how HP-UX IPFilter and HP-UX IPSec work together. It contains the following sections:
• “IPFilter and IPSec Basics” (page 107)
• “IPSec UDP Negotiation” (page 107)
• “When Traffic Appears to Be Blocked” (page 108)
• “Allowing Protocol 50 and Protocol 51 Traffic” (page 109)
• “IPSec Gateways” (page 110)

IPFilter and IPSec Basics

IPSec and IPFilter will not panic or corrupt each other.
Before exchanging IPSec-encrypted or authenticated packets, IPSec negotiates security parameters using the Internet Key Exchange (IKE) protocol. The IKE protocol exchanges messages using UDP protocol port 500, or port 4500 if IPSec NAT traversal is used. If the IPFilter configuration is so broad that it blocks all UDP traffic, IPSec cannot complete IKE negotiations and packets that are configured to be secured by IPSec are dropped.
Allowing Protocol 50 and Protocol 51 Traffic IPSec uses Encapsulating Security Payload (ESP) to provide data confidentiality and Authentication Header (AH) to provide data integrity at the IP layer. Depending on a user’s IPSec traffic policy configuration, IPSec inserts ESP, AH, or both as protocol headers into an IP datagram that immediately follows an IP header. The protocol field of that IP header will be 50 (ESP) or 51 (AH) to indicate the next protocol.
NOTE: If IPSec is configured to use AH rather than ESP, you must configure IPFilter to let protocol 51 traffic pass. If IPSec uses nested AH and ESP, IPFilter can be configured to let only protocol 51 (ah) traffic pass.

IPSec Gateways

You can configure IPSec to encrypt and authenticate traffic to a gateway between two end hosts. A configuration that encrypts IPSec packets to a gateway is called an IPSec tunnel. IPFilter can coexist with IPSec tunnels without conflict.
14 HP-UX IPFilter and Serviceguard

This chapter describes configuration procedures for HP-UX IPFilter used in a Serviceguard environment. It contains the following sections for using HP-UX IPFilter with Serviceguard:
• “Local Failover” (page 111)
• “Remote Failover” (page 112)
  — “Filtering on a Package IP Address” (page 112)
  — “Mandatory Rules” (page 112)
• “DCA Remote Failover” (page 116)

Using HP-UX IPFilter with Serviceguard

HP-UX IPFilter supports local failover in a Serviceguard environment.
Remote Failover HP-UX IPFilter is a system firewall and as such should be installed on end systems. Connections to an IPFilter system that are lost during a remote failover must be reinitiated. Install and configure HP-UX IPFilter on each node of a Serviceguard cluster that must be protected. The IPFilter configuration for the primary node might be different from the configuration for the backup nodes. For example, the backup node might be multihomed and require a different ruleset.
NOTE: This list of HA services is not exhaustive. In addition, Serviceguard also uses dynamic ports (typically in the 49152–65535 range) for some cluster services. If you have adjusted the dynamic port range using kernel tunable parameters, alter your rules accordingly. This list does not include all HA applications (such as Continental Cluster). New HA applications might be developed that use port numbers in addition to the listed numbers.
# Allow hacl-poll for HA Cluster TCP polling (cmappserver for hpvm or APPSERV)
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flags S keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flags S keep state

To enable users on cluster nodes to run the cmscancl command, you must configure rules to allow remote shell packets (TCP port 514).
Cluster Object Manager

If you are using a Cluster Object Manager (COM) on a node outside of the cluster to provide connections to Serviceguard Manager clients, each node in the cluster must have the following rules configured:

pass in quick proto tcp from com_node to cluster_nodes port = 5302 flags S keep state
pass in quick proto udp from com_node to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to com_node port 49151 >< 65536 keep state
pass out quick proto udp from clus
In the previous set of rules, cluster_nodes are all nodes in the cluster, smh_mgmt is the address of the SMH Management Station, and clog_tcp is the TCP port configured for the clog package.

DCA Remote Failover

Normally, IPFilter keep state rules are configured with the flags S parameter. This parameter instructs IPFilter to create a TCP state entry only when a SYN packet is parsed. To enable transparent failover between IPFilter DCA nodes, do not use flags S with keep limit rules.
A Product Specifications

This appendix contains the following sections:
• “Configuration Files” (page 117)
• “Supported Utilities” (page 118)
• “Unsupported Utilities” (page 118)
• “Supported and Unsupported Interfaces” (page 118)

Configuration Files

HP-UX IPFilter uses the following configuration files:
• /sbin/init.d/ipfboot
  The startup script for the ipf module.
• /etc/rc.config.d/ipfconf
  Configuration file for the ipfboot startup script.
Unsupported Features

HP-UX IPFilter does not support the following features:
• Filtering loopback packets. The HP-UX transport stack is optimized so that loopback packets are not passed to any modules below IP, such as IPFilter. Loopback packets include the following:
  — Packets with the destination address in the range 127.0.0.0 - 127.255.255.
Table A-1 HP-UX IPFilter Supported Interfaces

HP-UX IPFilter Version     Supported Interfaces
Version 15.01 and 16       • Ethernet (10Base-T)
                           • Fast Ethernet (100Base-T)
                           • Gigabit Ethernet (1000Base-T)
                           • 10 Gigabit Ethernet
                           • APA
                           • VLAN
                           • FDDI
                           • Token Ring
                           • InfiniBand (supported on HP-UX 11i v2 only)
                           • X.25 (supported on HP-UX 11i v3 only)
A.03.05.
B HP-UX IPFilter Configuration Examples

This appendix provides IPFilter configuration examples. These examples are also included in the /opt/ipf/examples directory with HP-UX IPFilter. You can take useful rules that you find in these examples and copy them into /etc/opt/ipf/ipf.conf, which is your HP-UX IPFilter configuration file. These files are taken from the files provided with the open source IPFilter product.

BASIC_1.
#
pass in quick proto tcp from any to any port = ftp keep state group 201
pass in quick proto tcp from any to any port = ftp-data keep state group 201
pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
#
# Allow NTP from any internal host to any external NTP server.
block in log quick from a.b.c.d/24 to any group 100
#
#------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren’t on the
# loopback interface should *NOT* exist
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.
pass in from 10.1.2.1/32 to any
#
#
# block all outbound packets.
#
block out from any to any
#
#
# allow any host to send any IP packet out to a limited number
# of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32

example.4

#
# block all ICMP packets.
example.7

#
# block all ICMP packets.
#
block in proto icmp all
#
# allow in ICMP echos and echo-replies.
#
pass in on lan1 proto icmp from any to any icmp-type echo
pass in on lan1 proto icmp from any to any icmp-type echorep
#
# block all ICMP destination unreachable packets which are
# port-unreachables
#
block in on lan1 proto icmp from any to any icmp-type unreach code 3

example.
# through to host 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are
# destined for localhost
#
pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block any packet trying to get to X terminal ports, X:0 to
# X:9
#
block in proto tcp from any to any port 5999 >< 6010
#
# allow any connections to be made, except to BSD
# print/r-services this will also protect syslog.
# 10.3.3.1
#
pass in on lan0 to lan1:10.3.3.1 proto icmp all

example.sr

#
# log all inbound packets on lan0 which has IP options present
#
log in on lan0 from any to any with ipopts
#
# block any inbound packets on lan0 which are fragmented and
# "too short" to do any meaningful comparison on. This actually
# only applies to TCP packets which can be missing the flags/ports
# (depending on which part of the fragment you see).
#
block in on lan0 proto icmp from any to 10.1.3.0/24
block in on lan0 proto icmp from any to 10.1.1.0/24
block in on lan0 proto icmp from any to 10.1.2.0/24

firewall

#Configuring IP Filter for firewall usage.
=========================================

Step 1 - Block out "bad" IP packets.
-----------------------------------

Run the perl script "mkfilters".
a)
b)
c)
pass out quick on lan0 proto udp from any to any port = 53 keep state
block out on lan0 proto udp all
block in on lan0 proto udp all

BASIC.NAT

#!/sbin/ipnat -f
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# If only one valid IP address from the ISP, then use this
# rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> a.b.c.
map lan1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map lan1 10.1.0.0/16 -> 240.1.0.0/24
#
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box
# to the local ftp port and force them to connect
# through a proxy, you would use:
#
rdr lan0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp

nat-setup

Configuring NAT on your network.
For example (using the above NAT rules), if you wanted to prevent all hosts in the 10.1.2.0/24 subnet from using NAT, you might use the following rules with ipf:

block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24

and use these with ipnat:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.
C HP-UX IPFilter Kernel Tunable Parameters HP-UX IPFilter supports kernel tunable parameters that affect IPFilter behavior. This chapter describes the parameters and how to configure them.
fr_statemax

The fr_statemax parameter specifies the maximum number of entries in the IPFilter state table.

Name          Range                       Default Value      Configuration Utility
fr_statemax   4,000 - 1,600,00 entries    800,000 entries    HP-UX 11i v1: kmtune
                                                             HP-UX 11i v2 and HP-UX 11i v3: kctune

IPFilter allocates state table entries for packets using stateful (keep state) and Dynamic Connection Allocation (keep limit) rules. IPFilter also maintains a limit table to count the state table entries for DCA rules.
ipl_suppress

The ipl_suppress parameter specifies the IPFilter logging behavior for identical log records. When this feature is enabled (the value is 1), IPFilter suppresses identical log records: instead of writing duplicate records, it writes the record once followed by N, where N is the number of times the record was repeated. If this feature is disabled, IPFilter writes all log records, including duplicate records.
Configuring Kernel Tunable Parameters Using ndd

On HP-UX 11i v1 and HP-UX 11i v2 systems, use the ndd utility to configure and view the following IPFilter kernel tunable parameters:
ipl_buffer_sz
ipl_suppress
ipl_logall
cur_iplbuf_sz (read only)

On HP-UX 11i v1, you can also use the ndd utility to configure and view the ipf_icmp6_passthru parameter, as described in “Controlling ICMPv6 Router Discovery and Neighbor Discovery Messages” (page 97).
D HP-UX IPFilter Static Linking

This appendix provides instructions for statically linking the HP-UX IPFilter kernel modules to the kernel.

Overview

IPFilter has two kernel modules: pfil, a STREAMS module, and ipf, a WSIO pseudo driver. These are dynamically loadable kernel modules. When IPFilter is installed on an HP-UX system using swinstall, these two modules are loaded and configured as dynamically linked modules.
2. Use the kmsystem command to find the status of each module. See the kmsystem(1M) manpage for more detail. For example:

   $ kmsystem -q pfil
   Module      Configured   Loadable
   pfil        Y            Y

   The output is similar for the ipf module. This output shows that the pfil module is loadable.

3. Use the kmsystem command to set the loadable parameter to N.

   $ kmsystem -l N -c Y ipf
   $ kmsystem -q ipf
   Module      Configured   Loadable
   ipf         Y            N
   $ kmsystem -l N -c Y pfil

4.
E Performance Guidelines

This appendix provides performance guidelines for the use of HP-UX IPFilter. You must take operating environment limits into account when you configure HP-UX IPFilter. HP-UX does not enforce maximum configuration limits, to provide flexibility. However, you must take care not to overburden HP-UX IPFilter systems or unpredictable consequences may result.
3. Dedicate a CPU to each LAN card, if possible. Avoid configuring one CPU to share an application and a LAN, especially if the application is data or computationally intensive. Use the HP-UX Processor Set (PSET) utility to separate applications and LAN processing.

4. If you are configuring an intermediate system, dedicate that system to HP-UX IPFilter. Do not share the system with other standalone applications.
pass in quick proto tcp from 15.13.2.100 to any port = 23
pass in quick proto tcp from 15.13.103.0/24 to any port =
pass in quick proto tcp from 15.13.104.0/24 to any port =
pass in quick proto tcp from 15.13.105.0/24 to any port =
pass in quick proto tcp from 15.13.106.
Figure E-2 System Operation

Performance Monitoring

The performance of an IPFilter system depends primarily on four major factors:
• Number and length of rule searches (rule organization)
• Types of rules
• Network traffic
• System configuration

Monitor your system performance to ensure proper operation. HP recommends the following:
• Use ipfstat -ioh to monitor the rule searches. If a rule has a high hit count, this indicates that the rule can be optimized.
Index A active rules list, 34 adding keep limit rules, 50 B bidirectional filtering in keyword, 21 out keyword, 21 bidirectional filtering with IPSec, 108 bimap keyword, 62 block keyword, 21 blocked traffic IPSec correcting, 108 C checklist installation and configuration, 15 commands unsupported, 118 configuration checklist, 15 DCA rules file, 44 IPv6 rules file, 37 NAT rules file, 55 rules file, 20 rules processing, 20, 55 verifying, 17 configuration examples, 121 configuring file conventions, 20, 34, 37
keeping state with, 30 icmp-type keyword, 28, 91 ICMPv6 IPv6, 38 in keyword, 21 inactive rules list, 34 installation checklist, 15 loading software, 16 prerequisites, 15 verifying, 17 integrating keep limit rules, 51 interface-specific filtering, 25 interfaces supported, 118 unsupported, 118 interoperability IPSec, 107 IP address filtering by, 21 limiting connections by, 45 ipf, 85 -6 option, 85 -A option, 34 -D option, 86 -E option, 86 -f option, 34, 41 -Fa option, 34, 86 -Fi option, 86 -Fo option, 86 -I o
K kcmodule, 17 static linking, 137 kctune, 135 keep frags keyword, 31 keep limit keyword, 45 keep limit rules adding, 50 adding a subnet or IP address range rule, 50 adding individual rule, 50 changing current rule, 49 extracting, 51 integrating, 51 rule hits, 53 updating, 49 updating a subnet or IP address range, 50 keep state ICMP, 30 keyword, 28, 29 state table dump, 72 when to use, 29 keeping state UDP, 30 with servers and flags, 29 kernel tunables configuring, 135 fr_statemax, 134 fr_tcpidletimeout, 13
pass keyword, 21 patch dependencies, 15 performance guidelines, 139 performance monitoring, 142 rule configuration, 140 rule loading, 140 system configuration, 139 traffic, 141 performance improvement, 33 performance information, 70 performance monitoring guidelines, 142 pfil module, 137 ping, 30 port keyword, 22 port number filtering, 22 portmap keyword, 58 prerequisites installation, 15 patch dependencies, 15 proto keyword, 21 protocol 50 and 51 traffic, 109 protocol-based filtering IPv6, 38 keep state k
TCP Wrapper, 67 testing IPFilter, 75 to keyword, 21 tracing layer 4, 84 tree structure, 33 troubleshooting, 81 rule change after using Bastille, 83 TTL counter, 72 tunneled packets IPv6, 39 U UDP keeping state with, 30 negotiation with IPSec, 107 UDP filtering, 22 uname, 15 uninstalling IPFilter software static linking, 137, 138 unsupported interfaces, 118 unsupported utilities and commands, 118 updating keep limit rules, 49 utilities ipf, 85 ipfstat, 70 ipftest, 75 ipmon, 80 ipnat, 88 unsupported, 118 W