HP-UX IPFilter Version 16 Administrator's Guide

11. Click OK on the Note window to reboot the system.
The user interface disappears and the system reboots.
12. After the system reboots, check the log files in /var/adm/sw/swinstall.log and
/var/adm/sw/swagent.log to verify that the installation was successful.
13. On HP-UX 11i v3 systems, enable HP-UX IPFilter using the following command:
/opt/ipf/bin/ipfilter -e
NOTE: Do not run the HP-UX IPFilter product when the system is booted in single-user mode.
Step 3: Verifying the Installation
Use the following commands to verify the HP-UX IPFilter installation.
Verify that HP-UX IPFilter is running using the -V option of the ipf command:
ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.31.15) (312)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.15)
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Verify that HP-UX IPFilter has been correctly loaded.
On HP-UX 11i v2 and HP-UX 11i v3, enter the following commands:
# kcmodule -v -q pfil
# kcmodule -v -q ipf
Verify that the state is loaded.
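
The ipf -V check above can be scripted so that a post-install run fails loudly instead of relying on a visual read. The following is an added example, not part of the HP guide. The function names are hypothetical, and treating a version mismatch between the ipf command and the kernel module as a failure is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the HP guide: evaluate captured `ipf -V` output.
# ipfv_get and check_ipf_v are hypothetical helper names.

# Print the "vX (A.x.y.z)" version string from the line labelled $2.
ipfv_get() {
    printf '%s\n' "$1" | sed -n "s/^$2: .*\(v[^ ]* ([^)]*)\).*/\1/p"
}

# Return 0 if the output describes a running, consistent installation.
check_ipf_v() {
    out=$1; rc=0
    user=$(ipfv_get "$out" ipf)
    kern=$(ipfv_get "$out" Kernel)
    running=$(printf '%s\n' "$out" | sed -n 's/^Running: *//p')
    policy=$(printf '%s\n' "$out" | sed -n 's/^Default: *\([^,]*\),.*/\1/p')

    # Assumption: command and kernel module should report the same version.
    if [ -z "$user" ] || [ "$user" != "$kern" ]; then
        echo "FAIL: ipf command ($user) and kernel ($kern) versions differ"
        rc=1
    fi
    if [ "$running" != "yes" ]; then
        echo "FAIL: Running is '$running', expected 'yes'"
        rc=1
    fi
    # A 'pass all' default means packets that match no rule are passed.
    case $policy in
        "pass all") echo "WARN: default policy is 'pass all'" ;;
        "")         echo "FAIL: no Default line found"; rc=1 ;;
        *)          echo "OK: default policy is '$policy'" ;;
    esac
    return $rc
}

# Sample input: the ipf -V output shown in this guide.
# On a live system, use: check_ipf_v "$(ipf -V)"
SAMPLE='ipf: HP IP Filter: v3.5alpha5 (A.11.31.15) (312)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.15)
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1'
check_ipf_v "$SAMPLE"
```
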
Step 4: (Optional) Modifying Kernel Tunable Parameters
HP-UX IPFilter supports kernel tunable parameters that affect IPFilter logging behavior and the
IPFilter state table. For information about modifying them, see Appendix C (page 133).
In addition, Chapter 10 (page 91) describes system kernel tunable parameters that control ICMP
features and how to configure them to optimize security.
NOTE: The HP-UX IPFilter installation script disables subnet broadcast packet forwarding by
setting the kernel tunable parameter ip_forward_directed_broadcasts to 0. HP
recommends that you leave this feature disabled unless you have a specific need for your node
to forward subnet broadcast packets. Attackers can use subnet broadcast packet forwarding to
amplify Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Removing HP-UX IPFilter
Use the following procedure to remove HP-UX IPFilter.
1. On HP-UX 11i v3 systems, disable HP-UX IPFilter:
/opt/ipf/bin/ipfilter -d
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network
connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX
IPFilter when critical network applications are running.
Disabling or enabling IPFilter using briefly brings down all IP interfaces, then brings up
only the IP interfaces configured in the /etc/rc.config.d/netconf and /etc/