HP-UX IPFilter Version 16 Administrator's Guide
Several common services listen on well-known ports and can be blocked by port number for security:
• syslog on UDP port 514.
• portmap on TCP port 111 and UDP port 111. You can specify proto tcp/udp with port=111.
• lpd on TCP port 515.
• NFS on TCP port 2049 and UDP port 2049. You can also configure NFS to use static (fixed) port numbers for the NFS statd, mountd, and lockd services, as described in “Configuring NFS to Use Fixed Ports” (page 103).
• X11 on TCP port 6000.
To get a complete listing of the ports being listened on, use netstat -a, or check /etc/services.
Creating a Complete Filter by Interface
When you create a ruleset, you should configure rules for all directions and all interfaces. The
default state of IPFilter is to pass packets both in and out. Instead of relying on the IPFilter default
behavior, make every ruleset as specific as possible, interface by interface, until all possibilities
are explicitly covered.
For example, if you have an IPFilter system with a lan1 interface and a lan0 interface, configure
the following rules:
pass out quick on lan1
pass in quick on lan1
block out quick on lan0 from any to 192.168.0.0/16
block out quick on lan0 from any to 172.16.0.0/12
block out quick on lan0 from any to 10.0.0.0/8
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in log quick on lan0 from 20.20.20.0/24 to any
pass in all
In this example, there are no restrictions on traffic in or out on lan1. Traffic in and out of lan0 is
significantly restricted: outbound packets are passed only from 20.20.20.0/24 to destinations outside
the private address ranges, inbound packets with private, loopback, or 20.20.20.0/24 source addresses
are blocked (the last of these with logging), and any other inbound packet reaches the final pass in all rule.
NOTE: When setting up your ruleset, be sure that you add rules for all appropriate directions
and interfaces.
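As an added illustration (my own Python, not HP-UX or IPFilter code), the following toy evaluator parses the ruleset shown under “Creating a Complete Filter by Interface” and reports which rule decides a packet's fate. It models IPFilter's ordering semantics: the last matching rule wins unless a matching rule carries quick, which stops the search immediately. This is why every rule in the example above is marked quick and why the closing pass in all only catches inbound packets that nothing earlier blocked. Two port-blocking rules for syslog and portmap (taken from the port list earlier on this page) are my additions to the page's ruleset, and the 198.51.100.0/24 sample addresses are constructed documentation-range values. The private-address and loopback source blocks that the next section explains are exercised by the same ruleset.

```python
"""Toy evaluator for the IPFilter rule syntax used on this page (added example,
not HP-UX or IPFilter source). Rules are tried in order and the LAST match
decides, unless a matching rule carries 'quick', which ends the search at once.
Parsed subset: pass/block, in/out, log, quick, 'on <iface>', 'proto a/b',
'from'/'to' with 'any' or a CIDR block, a destination 'port = N', and 'all'."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# Ruleset from "Creating a Complete Filter by Interface", plus two ASSUMED port
# rules (syslog and portmap from the port list above) that are not on the page.
RULESET = """
pass out quick on lan1
pass in quick on lan1
block out quick on lan0 from any to 192.168.0.0/16
block out quick on lan0 from any to 172.16.0.0/12
block out quick on lan0 from any to 10.0.0.0/8
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in log quick on lan0 from 20.20.20.0/24 to any
block in quick on lan0 proto udp from any to any port = 514
block in quick on lan0 proto tcp/udp from any to any port = 111
pass in all
"""

# direction, interface, source, destination, protocol, destination port
Packet = namedtuple("Packet", "direction iface src dst proto dport", defaults=("tcp", 0))

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    text: str                      # original line, returned with the decision
    log: bool = False
    quick: bool = False
    iface: Optional[str] = None    # None matches any interface
    protos: Optional[List[str]] = None   # None matches any protocol
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line: str) -> Rule:
    t = line.split()
    r = Rule(action=t[0], direction=t[1], text=line.strip())
    i = 2
    while i < len(t) and t[i] in ("log", "quick", "on", "proto"):
        if t[i] == "log":
            r.log, i = True, i + 1
        elif t[i] == "quick":
            r.quick, i = True, i + 1
        elif t[i] == "on":
            r.iface, i = t[i + 1], i + 2
        else:
            r.protos, i = t[i + 1].split("/"), i + 2
    if i < len(t) and t[i] == "all":
        i += 1
    elif i + 3 < len(t) and t[i] == "from" and t[i + 2] == "to":
        r.src, r.dst, i = _net(t[i + 1]), _net(t[i + 3]), i + 4
        if i < len(t) and t[i:i + 2] == ["port", "="]:   # only '=' in this toy
            r.dport, i = int(t[i + 2]), i + 3
    if i != len(t):
        raise ValueError("unsupported or unparsed rule: " + line)
    return r

def parse_ruleset(text: str) -> List[Rule]:
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [parse_rule(l) for l in lines]

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.protos is None or p.proto in r.protos)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.dport is None or r.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet):
    """Return (action, logged, rule_text); with no match IPFilter's default is pass."""
    decision = ("pass", False, "<no rule matched: IPFilter default pass>")
    for r in rules:
        if matches(r, p):
            decision = (r.action, r.log, r.text)
            if r.quick:        # 'quick' ends the search; otherwise later matches override
                break
    return decision

RULES = parse_ruleset(RULESET)

if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.0/24 is an IANA documentation range.
    for p in [Packet("out", "lan0", "20.20.20.5", "192.168.1.9", dport=80),
              Packet("in", "lan0", "20.20.20.7", "20.20.20.1"),
              Packet("in", "lan0", "127.0.0.1", "20.20.20.1"),
              Packet("in", "lan0", "198.51.100.10", "20.20.20.1", "udp", 514),
              Packet("in", "lan0", "198.51.100.10", "20.20.20.1", dport=22)]:
        action, logged, text = evaluate(RULES, p)
        print(f"{p.direction:3} {p.iface} {p.src:>14} -> {p.dst:<12} {p.proto}/{p.dport:<4} "
              f"{action:5}{' (logged)' if logged else ''}  by: {text}")
```

Running the script prints one line per sample packet with the deciding rule. The useful experiment is to remove quick from a block rule and watch a later pass rule override it, which is exactly the situation the note above warns against when a ruleset leaves directions or interfaces uncovered.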
Combining IP Address and Network Interface Filtering
If you know that your system will send and receive packets only from specific IP addresses and
interfaces, configure your IPFilter rules to allow traffic only from those addresses and interfaces.
Also, certain addresses and subnets are reserved for specific purposes and should never appear
on particular interfaces. The following examples show rulesets that block packets coming to or from
addresses that should not carry traffic.
For example, the IANA reserves the following address blocks for private addresses:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
In addition, the IANA reserves the 127.0.0.0/8 address block for loopback packets (packets sent
by the local system to the local system). By default, IP loopback packets are processed within
the IP module and bypass IPFilter, and legitimate loopback traffic never travels over a network
interface, so a packet with a 127.0.0.0/8 source address that does arrive on an interface is forged.
Therefore, it is good practice to block any inbound packets with a loopback address as the source address.
66 Tips for Securing Your System