HP-UX IPFilter V17 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3 HP Part Number: 5900-0395A Published: October 2009 Edition: 1
© Copyright 2001-2009 Hewlett-Packard Development Company, L.P Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Table of Contents

About This Document ... 13
  Intended Audience ... 13
  New and Changed Information in This Edition ... 13
  New Features in this Release ...

3 Configuring and Loading IPv4 Filter Rules ... 25
  3.1 IPv4 Filter Rules Configuration File ... 27
    3.1.1 Format ... 27
    3.1.2 Rule Order and Processing ...

4 Configuring and Loading IPv6 Filter Rules ... 45
  4.1 IPv6 Filter Rules Configuration File ... 45
  4.2 Features Not Supported with IPv6 ... 46
  4.3 IPv6 Filter Rule Syntax Differences ...

      6.1.2.1.1 Inbound Packets ... 63
      6.1.2.1.2 Outbound Packets ... 64
  6.2 NAT Keywords ... 65
    6.2.1 Rule Examples ...

      9.3.2.2 Options ... 90
      9.3.2.3 Examples ... 90
      9.3.2.4 ipmon and DCA Logging ... 91
    9.3.3 Analyzing IPFilter Log Events ...

    12.4.1 Active FTP ... 110
    12.4.2 Passive FTP ... 111
13 HP-UX IPFilter and NFS and RPC ... 113
  13.1 Introduction ...

  B.8 example.6 ... 134
  B.9 example.7 ... 135
  B.10 example.8 ... 135
  B.11 example.9 ...

List of Figures

14-1 IPFilter and IPSec ... 117
14-2 Scenario One ... 117
14-3 Scenario Two ... 118
14-4 Scenario Three ...
14-5 14-6 14-7 E-1 E-2

List of Tables

1 Publishing History Details ... 17
11-1 ICMP Type and Codes ... 101
A-1 HP-UX IPFilter Supported Interfaces ... 129
E-1 Processing Packets through a System ...
About This Document This document describes how to install, configure, and troubleshoot HP-UX IPFilter version 17. The latest version of this document can be found online at http://docs.hp.com. Intended Audience This document is intended for network managers or network security administrators who install, configure, and troubleshoot HP-UX IPFilter on HP 9000 systems. Administrators are expected to have knowledge of HP-UX operating system concepts, commands, and configuration.
Fixes in this Release

Fixes for HP-UX 11i v3

QXCR1000923645: Provide tunable to enable/disable NAT functionality. The new ipnat_enable tunable enables or disables NAT functionality. By default, this tunable is set to 1. If you do not use NAT functionality, disabling this tunable (setting it to 0) improves performance.

QXCR1000923671: Enhancement to list interfaces not covered. The -l option to ipfilter is provided. This option lists the system's interfaces and shows which are protected by IPFilter and which are not.
/usr/bin/ndd -set /dev/ip ip_forward_directed_broadcasts 1

You can specify ndd tunable values in the /etc/rc.config.d/nddconf file. Prior to this fix, if you set the ip_forward_directed_broadcasts value to "0" in nddconf, the ipfboot stop script reset the value back to "1" without consulting nddconf, so stopping IPFilter silently re-enabled forwarding of directed broadcasts (a setting that lets the system be used as a broadcast amplifier, which is why it is normally kept at 0). Now, the /etc/rc.config.d/nddconf file is checked when ipfboot stop is executed. After stopping IPFilter, you can confirm the value with ndd -get /dev/ip ip_forward_directed_broadcasts.
Command               A command name or qualified command phrase.
Computer output       Text displayed by the computer.
Ctrl+x                A key sequence. A sequence such as Ctrl+x indicates that you must hold down the key labeled Ctrl while you press another key or mouse button.
ENVIRONMENT VARIABLE  The name of an environment variable, for example, PATH.
[ERROR NAME]          The name of an error, usually returned in the errno variable.
Key                   The name of a keyboard key. Return and Enter both refer to the same key.
Publishing History

Table 1 Publishing History Details

Manufacturing Part Number   Supported Operating Systems   Supported Versions                             Publication Date
5900-0395                   11i v2, 11i v3                A.11.23.17, A.11.31.17                         October 2009
B9901-90044                 11i v2, 11i v3                A.11.23.16, A.11.31.16                         December 2008
B9901-90042                 11i v1, 11i v2, 11i v3        A.11.11.15.01, A.11.23.15.01, A.11.31.15.01    October 2007
11i v1 A.03.05.14 December 2006 B9901-90031 11i v2 5991-7705 11i v3 A.03.05.13 January 2007 B9901-90021 11.0 11i v1 A.03.05.
1 Overview

HP-UX IPFilter, product number B9901AA version 17, is a TCP/IP packet filter suitable for use as a system firewall. The version strings are as follows:

OS Version      HP-UX IPFilter Version String
HP-UX 11i v3    A.11.31.17
HP-UX 11i v2    A.11.23.17

HP-UX IPFilter functions as a firewall by examining and limiting packets allowed in and out of an HP-UX system, which can be either an end node or an IP router. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.
• Drop all fragmented traffic if specified by rule
• Create extensive logs when required

1.2 Supported and Unsupported Features
See Appendix A (page 127) for a list of supported and unsupported features, including utilities and commands distributed with the open source IPFilter product but not supported by HP. This appendix also lists the network interfaces that are supported and unsupported with HP-UX IPFilter.
2 Installing HP-UX IPFilter This chapter describes the procedures to install and configure HP-UX IPFilter software on your system.
• HP-UX 11i v2 HP-UX IPFilter is installed by default. When installed, HP-UX IPFilter is always enabled. Use the following steps to load HP-UX IPFilter software using the HP-UX swinstall program. 1. 2. Verify that you have superuser or appropriate capabilities.
13. On HP-UX 11i v3 systems, enable HP-UX IPFilter using the following command:
/opt/ipf/bin/ipfilter -e

NOTE: Do not run the HP-UX IPFilter product when the system is booted in single-user mode.

2.4 Step 3: Verifying the Installation
Use the following commands to verify the HP-UX IPFilter installation.
• Verify that HP-UX IPFilter is running using the -V option of the ipf command:
ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.31.17) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.
re-establish network connectivity might be interpreted as a network or card failure. For example, Serviceguard might interpret a network interruption as a card failure, which can cause it to reform the cluster. 2.
3 Configuring and Loading IPv4 Filter Rules This chapter describes how to configure IPFilter rules to filter IPv4 packets. It first describes how to use the basic rule syntax to create rules that pass or block IPv4 packets based on IP addresses, protocol, and port number. The chapter then describes additional options and features you can use to filter IPv4 packets.
NOTE: Most of the information in this chapter has been derived from the IPFilter-based Firewalls HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this document at the following URL: http://www.obfuscation.
3.1 IPv4 Filter Rules Configuration File
The default HP-UX IPFilter IPv4 filter rules file is /etc/opt/ipf/ipf.conf. To specify an alternate IPv4 filter rules file name, set the IPF_CONF parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf. When HP-UX IPFilter is first installed, the /etc/opt/ipf/ipf.conf rules file is empty, which means no filtering takes place: with no active rules, packets bypass IPFilter entirely (see the note on statistics counters in Chapter 9). Appendix B (page 131) contains example rules files you can use to create your ruleset. 3.1.
where:
ip_address is the source or destination IPv4 address in dotted-decimal notation. The IPv4 address can also be a decimal value, or a hexadecimal value with the prefix 0x.
prefix is the decimal subnet prefix length. It can also be a network bitmask specified in dotted-decimal notation.
any specifies any IP address.
To specify an address range, enter the start address and end address, separated by a dash (-).
Operand   Alias   Result
<=        le      true if port is less than or equal to the specified value
>=        ge      true if port is greater than or equal to the specified value

3.2.5.1 Service Names
You can specify a service name defined in the /etc/services file instead of the port number when specifying a single port (when using the = operand). For example, you can configure the following rule:
block in proto tcp from any to any port = telnet
3.
3.4 Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces
IPFilter supports the following processing options:
• Log packet information (log)
• If the rule matches the packet, immediately apply the rule action and stop searching for rules (quick)
• Apply the rule only to the specified interface (on)
3.4.
TIP: Using the quick keyword also enables you to order rules from most specific to least specific.

3.4.4 on: Filtering by Network Interfaces
The on keyword directs IPFilter to apply a rule to the specified network interface only. The syntax for specifying the on keyword is as follows:
on interface_name
where:
interface_name is a physical network interface name, such as lan0.
NOTE: The interface_name must be a physical interface name, such as lan0. It cannot be a logical interface name, such as lan0:1. Traffic for addresses configured on a logical interface such as lan0:1 is matched by the rules written for the underlying physical interface, lan0.
3.5 Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information
IPFilter supports options to filter packets based on the following protocol information:
• TCP flags (flags)
• IP options (with opt and with ipopt)
• IP fragments (with frag and with short)
• ICMP type and codes (icmp-type and code)
• State information (keep state)
• IP fragments (keep frags)
3.5.
If you omit /flags_checked, IPFilter checks all the TCP flags in the packet, so specifying flags S is equivalent to specifying flags S/AFPRSU, and matches TCP packets that have the SYN flag set and no other flags set. To accommodate applications or user protocols that also set the URG or PSH flags when initiating TCP connections, you can specify flags S/SAFR to allow SYN, SYN URG, or SYN PSH packets but not allow SYN ACK packets.
block in all with ipopts

3.5.4 with frag and with short: Selecting Fragmented IP Packets
The with frag and with short keywords enable you to select IP packet fragments and short IP packets.

3.5.4.1 with frag: Selecting IP Packet Fragments
The with frag keyword selects IP packet fragments (IP packets with a non-zero fragment offset). If you do not want IPFilter to pass IP packet fragments, specify the block action and the with frag keywords. For example:
block in all with frag
3.5.4.
pass out quick proto tcp from 10.1.1.1/32 to any keep state
pass out quick proto udp from 10.1.1.1/32 to any keep state
pass out quick proto icmp from 10.1.1.1/32 to any keep state
For more examples of correct uses of the keep state keyword, see Appendix B (page 131).

3.5.6.1 Allocating Memory for the State Table
The amount of memory allocated for the state table is determined by the kernel tunable parameter fr_statemax. In most deployments, the default value is sufficient.
NOTE: The keep state keyword can create state entries even for packets that belong to the middle of an existing connection, not only for the packet that opens it. The only exception is when the rule specifies flags S. In this case, IPFilter creates a state table entry only when it sees a TCP packet with the SYN flag set, and TCP sends these packets only at connection establishment time. Adding flags S to keep state rules is therefore the usual way to prevent a forged non-SYN packet from creating state. 3.5.6.2.
• ICMP: 60 seconds
• UDP: 120 seconds
• TCP: 120 seconds
You can override the TCP default value when the connection is closed using the fr_tcptimewait tunable, or by using the age option on a per-rule basis. The value specified in the rule gets priority over the tunable value set at system level. The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, only TCP is supported. NAT provides the frnat_tcptimewait tunable to set the system level timeout.
3.6 Sending Responses for Blocked TCP and UDP Packets
When you use the block keyword, IPFilter drops the blocked packet and no response is sent to the remote system that sent the packet. This can be a security risk: a host with no packet filter answers a closed TCP port with a RST and a closed UDP port with an ICMP port-unreachable message, so the silence itself can tell an attacker that a packet filter is running on the system. You can use the return-rst and return-icmp-as-dest keywords to send the responses an unfiltered host would send. 3.6.
3.7 Improving Performance with Rule Groups
Rule groups allow you to write your ruleset in a tree structure, instead of as a linear list, so if an incoming packet is unrelated to a set of rules, those rules will never be processed. This reduces IPFilter processing time on each packet and improves IPFilter system performance. The following is a simple rule group example:
block out quick on lan1 all head 10
pass out quick proto tcp from any to 20.20.20.
block in quick on lan0 all head external-group
block in quick on lan0 from 192.168.0.0/16 to any group external-group
block in quick on lan0 from 172.16.0.0/12 to any group external-group
block out quick on lan1 all head DMZ-group
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group DMZ-group
pass out quick on lan1 proto tcp from any to 20.20.20.
3.8 Loading IPv4 Filter Rules
By default, HP-UX IPFilter starts on bootup and loads IPv4 filter rules from the /etc/opt/ipf/ipf.conf file. If you do not want IPv4 filter rules to load on bootup, place your rules in an alternate location and then manually load the rules using the ipf command.
• Use the ipf -V command to verify that IPFilter is running.
• Use the ipfstat -ioh command to list the active inbound and outbound rules and the number of hits, or matching packets, for each rule.
For more information about IPFilter utilities, see Chapter 10 (page 95).

3.8.2 Removing IPFilter Rules
You can use the following command to remove rules that are listed in a file from the ruleset:
ipf -r -f delete_rule_file
You can use this command when IPFilter is running. 3.9 Rule Tags 3.9.
4 Configuring and Loading IPv6 Filter Rules
This chapter describes how to configure and manage IPv6 filter rules. It contains the following sections:
• “IPv6 Filter Rules Configuration File” (page 45)
• “Features Not Supported with IPv6” (page 46)
• “IPv6 Filter Rule Syntax Differences” (page 46)
• “Loading IPv6 Filter Rules” (page 49)

4.1 IPv6 Filter Rules Configuration File
HP-UX IPFilter maintains IPv4 and IPv6 rules as separate rule sets.
4.2 Features Not Supported with IPv6
The following features are not supported with IPv6:
• IPFilter NAT functionality and the associated commands and utilities.
• Dynamic Connection Allocation (DCA) on HP-UX 11i v1 systems. DCA is not supported with IPv6 addresses on HP-UX 11i v1 systems, but is supported on HP-UX 11i v2 and HP-UX 11i v3 systems.
• The scripts and files used to generate and load IPFilter rules for Remote Procedure Call (RPC) ports, including /etc/opt/ipf/rpc.ipf.
4.3.3 IPv6 Extension Headers
You can block or pass packets according to IPv6 extension headers. A simplified rule syntax is as follows:
block|pass in|out [processing_options] [proto protocol] ip_selector with v6hdrs ipv6_header
where:
processing_options is one or more processing options, such as quick. See “Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces” (page 31) for more information.
4.3.5 Filtering IPv6 Fragments You can filter IPv6 fragments by specifying the v6hdrs frags keywords. Use the following rule to filter IPv6 fragmented traffic: block in proto udp from any to any with v6hdrs frags Unlike IPv4, IPFilter does not maintain a fragment cache for IPv6 fragments. 4.3.6 Sending ICMPv6 Responses IPFilter supports the return-icmpv6-as-dest and return-icmpv6 keywords for IPv6. These keywords are equivalent to the IPv4 keywords return-icmp-as-dest and return-icmp.
4.4 Loading IPv6 Filter Rules
By default, HP-UX IPFilter starts on bootup and loads IPv6 filter rules from the /etc/opt/ipf/ipf6.conf file. If you do not want IPFilter to load IPv6 filter rules at bootup, place your rules in an alternate location and then manually load the rules using the ipf command. To load, flush, and switch the IPv6 filter rulesets, insert the -6 option before the other ipf ruleset options.
5 Configuring and Loading Dynamic Connection Allocation (DCA) Rules
This chapter describes Dynamic Connection Allocation (DCA). DCA helps protect against and mitigate denial of service (DoS) attacks in which an attacker attempts to overload a system with TCP connection requests. DCA uses stateful packet inspection to limit the number of incoming TCP connections to a system. This chapter describes DCA keywords and syntax. It also contains procedures for changing DCA rules dynamically and setting DCA mode at startup.
5.1 DCA with HP-UX IPFilter An HP-UX IPFilter system can act as a secure intermediary, tracking all incoming TCP connections to a system or network. DCA lets you limit incoming TCP connections passing through an IPFilter system. You can use DCA to limit the number of inbound connections based on the source IP address and optionally, the destination TCP port number. After a legal TCP connection is established, DCA uses TCP state information to allow subsequent packets for the connection to pass.
5.3 DCA Rule Syntax and Keywords The basic DCA syntax is as follows: pass in quick proto tcp from source_ip|any to dest_ip|any [port = port_num] keep limit limit_num The keep limit keywords indicate that this is a DCA rule.
5.4.2 Limiting Connections by Subnet The following rule is an example of a DCA rule that limits connections by IP subnet: pass in quick proto tcp from 192.168.5.0/24 to any port = 25 keep limit 4 This rule limits the maximum concurrent TCP connections to four from any individual host in subnet 192.168.5.0/24 to port 25 of any host. 5.4.
The system host1 is allowed to open only 10 concurrent connections. IPFilter blocks any subsequent connection requests. Since log limit is set, each additional connection attempt is logged. The log limit option generates two types of log records: • • Alert Log records—created when a source IP address attempts to exceed its configured connection limit. Every time the connection limit is exceeded, IPFilter creates an alert log record.
In the previous rule, log limit freq 5 specifies that a log record is written for every fifth connection attempt that exceeds the connection limit of 10. If 100 connections are attempted, IPFilter logs the eleventh, sixteenth, twenty-first, and so on. Cumulative limits are shared by different IP addresses, so IPFilter might never log a connection from some source IP addresses. For example, the initial connections might come from ipaddr1 and the next 10 from ipaddr2.
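How the limit table behaves under the subnet rule in 5.4.2, the host rule above, and the log limit and freq options can be worked through with the following Python model. It is an added example for this guide, not HP's code and not part of IPFilter: it keeps one counter per source host for host and subnet rules and one shared counter for a cumulative rule, and writes an alert record for the first refused attempt and every freq-th one after it, so a 10-connection limit with freq 5 logs attempts 11, 16, 21 and so on. Rules are built as Python objects (the rule text, including the cumulative keyword, is not parsed) and every address is constructed for the demo.

```python
"""Model of DCA 'keep limit' accounting: an added example, not HP's code.

Counts concurrent TCP connections per DCA rule the way sections 5.4 and 5.5
describe: a host rule or subnet rule limits each individual source host, a
cumulative rule shares one counter among every host it matches, and 'log
limit [freq N]' writes an alert record for the first refused attempt and for
every Nth refused attempt after it. Rules are Python objects (the ipf.conf
text, including the cumulative keyword, is not parsed) and all addresses are
constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LimitRule:
    src: ipaddress.IPv4Network      # 'from' selector (host or subnet)
    limit: int                      # keep limit N
    dport: Optional[int] = None     # 'port = N'; None matches any port
    cumulative: bool = False        # one counter shared by all matching hosts
    log: bool = False               # log limit
    freq: int = 1                   # log limit freq N (1 = every refused attempt)

    def matches(self, src: str, dport: int) -> bool:
        return ipaddress.ip_address(src) in self.src and self.dport in (None, dport)


class LimitTable:
    def __init__(self, rules: List[LimitRule]):
        self.rules = rules
        self.active: Dict[Tuple[int, str], int] = {}   # limit entry -> open connections
        self.refused: Dict[Tuple[int, str], int] = {}  # limit entry -> attempts refused
        self.alerts: List[str] = []

    @staticmethod
    def _entry(idx: int, rule: LimitRule, src: str) -> Tuple[int, str]:
        # cumulative rules keep one entry per rule; all others one entry per source host
        return (idx, "*" if rule.cumulative else src)

    def syn(self, src: str, dport: int) -> str:
        """Decide a new connection request under the first matching DCA rule."""
        for idx, rule in enumerate(self.rules):
            if not rule.matches(src, dport):
                continue
            e = self._entry(idx, rule, src)
            if self.active.get(e, 0) < rule.limit:
                self.active[e] = self.active.get(e, 0) + 1
                return "pass"
            n = self.refused[e] = self.refused.get(e, 0) + 1
            if rule.log and (n - 1) % rule.freq == 0:
                self.alerts.append(f"rule {idx}: {src} exceeded limit {rule.limit} "
                                   f"on port {dport} (refused attempt {n})")
            return "block"
        return "pass"                   # no DCA rule matched: nothing to limit

    def close(self, src: str, dport: int) -> None:
        """Release the slot held by a finished connection."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(src, dport):
                e = self._entry(idx, rule, src)
                self.active[e] = max(0, self.active.get(e, 0) - 1)
                return


def attempts(table: LimitTable, src: str, dport: int, count: int) -> List[str]:
    """Issue count connection requests from src and return each verdict."""
    return [table.syn(src, dport) for _ in range(count)]


# Rules mirroring 5.4.2 (subnet, port 25, limit 4) and the host rule above
# (limit 10, log limit freq 5); the cumulative rule is constructed for the demo.
DEMO_RULES = [
    LimitRule(ipaddress.ip_network("10.1.1.7/32"), 10, log=True, freq=5),
    LimitRule(ipaddress.ip_network("192.168.5.0/24"), 4, dport=25),
    LimitRule(ipaddress.ip_network("172.16.0.0/12"), 3, dport=80, cumulative=True),
]

if __name__ == "__main__":
    t = LimitTable(DEMO_RULES)
    verdicts = attempts(t, "10.1.1.7", 22, 100)
    print(verdicts.count("pass"), "passed,", verdicts.count("block"), "refused")
    print("\n".join(t.alerts[:3]))
```

Run as a script it reproduces the 5.5 behaviour (10 passed, 90 refused, alerts for refused attempts 1, 6 and 11, that is connection attempts 11, 16 and 21). The close method is what a FIN or RST would trigger in IPFilter; without it a limit entry never frees its slot, which is exactly why the state timeouts in 3.5.6 matter for DCA rules too.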
5.9 Loading and Modifying DCA Rules The following sections describe how to load and modify DCA rules when HP-UX IPFilter is running. NOTE: HP recommends configuring a redundant rule (such as pass in all) in all DCA rule files. IPFilter does not process packets without a rule.
1. Create a new rule identical to the current rule except for a different keep limit count. When adding a new rule, IPFilter recognizes it as the update of an existing rule. Current limit entries made by the old rule are updated with the new connection limit when a new connection is processed. New connections are processed with the new rule. For example, the original rule is: pass in quick proto tcp from 14.13.45.0-14.13.45.
1. Add the new subnet or IP address range rule. Be sure to re-enter the old subnet or IP address range rule exactly as it was entered before. When a new connection matches an existing limit entry, the new connection will be processed by the new subnet or IP address range rule. The subnet or IP address range can be cumulative or noncumulative. 5.9.4 Extracting an Individual Rule from a Subnet Rule To extract an individual rule from a subnet rule: 1. Add the new rule on the line before the subnet rule.
5.10 Enabling and Disabling DCA To use DCA, you must enable DCA mode. You can enable or disable DCA mode using the ipf utility. If you want IPFilter to automatically enable DCA mode at system startup time, you must also modify the /etc/rc.config.d/ipfconf file. 5.10.1 Enabling and Disabling DCA Using ipf There is a single DCA mode for both IPv4 and IPv6 addresses. You can use the ipf command to enable and disable DCA mode.
DCA also provides logging records that can serve as alert messages or as a summary of the connections made from a specific IP address. You can use the log records to identify IP addresses or subnets that you want to limit or block.

5.11.1 keep limit Rules and Rule Hits
Each time IPFilter processes a packet that matches a rule, IPFilter increments the hit count for the matching rule, whether or not the rule is the final rule (the rule used). For example:
• A packet matches a non-quick rule.
5.12 Monitoring and Allocating Memory for DCA Data IPFilter allocates entries in its state table for TCP connections that use a DCA rule. In addition, IPFilter keeps a limit table that counts the state table entries for a DCA rule. The amount of memory allocated for the state table is determined by the kernel tunable parameter fr_statemax.
6 Configuring and Loading Network Address Translation (NAT) Rules
This chapter contains the following sections:
• “NAT Rules Configuration File” (page 63)
  — “Format” (page 63)
  — “Rule Order and Processing” (page 63)
• “NAT Keywords” (page 65)
• “map and portmap: Mapping Outbound Packets” (page 66)
• “rdr: Redirecting Inbound Packets” (page 68)
  — “Redirecting Packets to a Specific Port” (page 68)
  — “Using NAT Redirection with Filtering” (page 68)
  — “Using the rdr and round-robin Keywords for Load Balancing”
2. Filter rules If you want to use filter and NAT rules to process inbound packets, you must specify the translated (target) IP address in the filter rules. 6.1.2.1.2 Outbound Packets When processing outbound packets, IPFilter evaluates rules in the following order: 1. Filter rules 2.
6.2 NAT Keywords
IPFilter supports the following keywords for NAT (Network Address Translation) functionality:
• map and map-block: The map and map-block keywords rewrite or translate source addresses and port numbers for outbound packets.
• rdr: The rdr keyword redirects and translates destination addresses and port numbers for inbound packets.
• bimap: The bimap keyword translates addresses and port numbers for inbound and outbound packets.
6.3 map and portmap: Mapping Outbound Packets The map keyword rewrites or translates source addresses for outbound packets. When used with the portmap keyword, map also translates UDP or TCP port numbers. When an outbound packet matches the selectors in a map rule, IPFilter rewrites the source IP address with the specified target IP address. IPFilter also creates an entry in its map table, and checks this map table for both inbound and outbound packets.
6.3.3 map-block: Mapping to a Block of Addresses IPFilter NAT can map an IP address to a specific block of IP addresses in two ways. You can use the map-block keyword to statically map sessions from a host to a selected block of IP addresses. Configure the following rule: map-block lan0 192.168.1.0/24 -> 20.20.20.0/24 Any outgoing packet with an IP address beginning with 192.168.1 is mapped to an IP address beginning with 20.20.20.
6.4 rdr: Redirecting Inbound Packets
The rdr keyword redirects inbound packets and rewrites the destination address. To redirect inbound packets, use the following syntax:
rdr interface_name destination_ip -> target_ip
where:
interface_name is the name of the network interface used to receive the packets. For example, lan1.
destination_ip is the destination IP address. This can be a subnet address or 0.0.0.0/0 to match any address.
target_ip is the target IP address.
When a packet comes in, IPFilter first evaluates the NAT rules. IPFilter rewrites the destination address and port number based on the NAT rule. IPFilter then evaluates the filter rules. With the rewritten destination address and port number, the packet matches the pass in rule. 6.4.3 Using the rdr and round-robin Keywords for Load Balancing You can use the rdr keyword with the round-robin keyword to implement load-balancing systems and redirect traffic to multiple addresses.
6.4.5.3 Sample config File
#
# NOTE: ORDER IS IMPORTANT IN THIS FILE
#
# Interface to do the redirections on and the IP address which will be
# targeted.
#
interface lan0 192.168.1.1,2100
#
6.5 bimap: Bidirectional Mapping
The bimap keyword creates two map entries for the rule: one for inbound and one for outbound. Unlike the map keyword, which creates its entry only when an outbound packet matches, bimap does not require an initial outbound packet before inbound packets to the mapped address are translated. The bimap keyword allows IPFilter to map IP addresses bidirectionally. You can use this when you want the IP address of a particular device on the NAT-supported system to appear to have a different IP address outside the system. For example:
bimap lan0 192.168.1.1/32 -> 20.20.20.
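The difference between map, rdr and bimap is easiest to see in the session table each keyword leaves behind. The following Python model is an added example for this guide, not HP's code and not IPFilter's implementation: map translates the source of an outbound packet, allocates a port from the portmap range and records the entry used to rewrite the reply; rdr translates the destination of an inbound packet and records the reverse entry; bimap installs both directions when the rule is loaded, which is why an inbound packet to a bimap address is translated with no prior outbound packet. Rules are Python objects rather than parsed ipnat.conf lines, port allocation is sequential for readability, and every address is constructed.

```python
"""Model of the IPFilter NAT session table: an added example, not HP's code.

Shows what map, rdr and bimap (6.3 to 6.5) do to a packet crossing the box:
map rewrites the source of a matching outbound packet, takes the next port from
the portmap range and records the entry that rewrites the reply back; rdr
rewrites the destination of a matching inbound packet and records the reverse
entry for the server's replies; bimap installs both directions at load time, so
inbound needs no earlier outbound packet. Rules are Python objects (ipnat.conf
is not parsed), ports are allocated sequentially, and all addresses are made up.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]           # (address, port)

@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" or "out"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRule:
    kind: str                        # "map", "rdr" or "bimap"
    iface: str
    match: ipaddress.IPv4Network     # map/bimap: source net; rdr: destination net
    target: str                      # map/bimap: new source; rdr: new destination
    dport: Optional[int] = None      # rdr: port to redirect (None = any)
    tport: Optional[int] = None      # rdr: port to redirect to (None = keep)
    portmap: Optional[Tuple[int, int]] = None   # map: portmap tcp/udp lo:hi

class NatTable:
    def __init__(self, rules):
        self.rules = list(rules)
        self.out_map: Dict[Tuple[str, Endpoint], Endpoint] = {}  # (proto, src) -> new src
        self.in_map: Dict[Tuple[str, Endpoint], Endpoint] = {}   # (proto, dst) -> new dst
        self.static_out: Dict[str, str] = {}                     # bimap: inside -> outside
        self.static_in: Dict[str, str] = {}                      # bimap: outside -> inside
        self.next_port: Dict[int, int] = {}                      # per-rule portmap cursor
        for r in self.rules:
            if r.kind == "bimap":    # static: both directions exist before any traffic
                inside = str(r.match.network_address)            # bimap source is a /32
                self.static_out[inside], self.static_in[r.target] = r.target, inside

    def _alloc(self, idx: int, r: NatRule, sport: int) -> int:
        if r.portmap is None:
            return sport             # no portmap: keep the original source port
        port = self.next_port.get(idx, r.portmap[0])
        if port > r.portmap[1]:
            raise RuntimeError("portmap range exhausted")
        self.next_port[idx] = port + 1
        return port

    def translate(self, p: Packet) -> Packet:
        """Return the packet as it leaves the NAT stage (unchanged if nothing applies)."""
        if p.direction == "out":
            key = (p.proto, (p.src, p.sport))
            if key in self.out_map:                  # existing map session or rdr reply
                return replace(p, src=self.out_map[key][0], sport=self.out_map[key][1])
            if p.src in self.static_out:
                return replace(p, src=self.static_out[p.src])
            for idx, r in enumerate(self.rules):
                if r.kind == "map" and r.iface == p.iface and ipaddress.ip_address(p.src) in r.match:
                    new = (r.target, self._alloc(idx, r, p.sport))
                    self.out_map[key] = new
                    self.in_map[(p.proto, new)] = (p.src, p.sport)   # lets the reply back in
                    return replace(p, src=new[0], sport=new[1])
            return p
        key = (p.proto, (p.dst, p.dport))
        if key in self.in_map:                       # reply to a map session, or rdr session
            return replace(p, dst=self.in_map[key][0], dport=self.in_map[key][1])
        if p.dst in self.static_in:
            return replace(p, dst=self.static_in[p.dst])
        for r in self.rules:
            if (r.kind == "rdr" and r.iface == p.iface
                    and ipaddress.ip_address(p.dst) in r.match and r.dport in (None, p.dport)):
                new = (r.target, p.dport if r.tport is None else r.tport)
                self.in_map[key] = new
                self.out_map[(p.proto, new)] = (p.dst, p.dport)      # rewrites the server's reply
                return replace(p, dst=new[0], dport=new[1])
        return p                                     # map alone never translates unsolicited inbound

# Constructed rules: a map with a portmap range, an rdr to an inside web server, a bimap host.
DEMO_RULES = [
    NatRule("map", "lan0", ipaddress.ip_network("192.168.1.0/24"), "20.20.20.1", portmap=(10000, 20000)),
    NatRule("rdr", "lan0", ipaddress.ip_network("20.20.20.1/32"), "192.168.1.10", dport=80, tport=8080),
    NatRule("bimap", "lan0", ipaddress.ip_network("192.168.1.2/32"), "20.20.20.2"),
]

if __name__ == "__main__":
    nat = NatTable(DEMO_RULES)
    out = nat.translate(Packet("out", "lan0", "tcp", "192.168.1.5", 40000, "8.8.8.8", 443))
    back = nat.translate(Packet("in", "lan0", "tcp", "8.8.8.8", 443, out.src, out.sport))
    print(f"map: {out.src}:{out.sport}  reply back to: {back.dst}:{back.dport}")
```

Because NAT runs before the filter rules on inbound packets (6.4.2), the packet a pass in rule has to match is the translated one this model returns, which is why the filter rule for an rdr target names the inside address and port. The session keys here ignore the remote peer for brevity; IPFilter's real table keys on both ends.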
6.6 Loading NAT Rules
To load IPFilter NAT rules:
1. Add NAT rules to the /etc/opt/ipf/ipnat.conf file, or to another NAT rules file you select. See “The ipnat Utility” (page 98) for information and instructions.
2. Use the following command to load the NAT rules manually:
ipnat -CF -f /etc/opt/ipf/ipnat.conf
This command flushes any current mappings and NAT rules, and reads NAT rules from the specified rules file. Because the active mappings are flushed as well, every translated session in progress is dropped when you reload this way.
7 Address Pooling This chapter describes address pooling. It contains the following sections: • “The ippool Utility” (page 73) • “The ippool.conf File” (page 73) NOTE: This is available only on HP-UX 11i v3. 7.1 The ippool Utility Address pools establish a single reference that is used to name a group of address/netmask pairs.
number/name Specifies the reference number/name that is used by the filtering rule. 7.3.2 Examples The following example creates an address pool using the tree storage format that is referenced in the IPF rule which allows packets from this pool. table role = ipf type = tree name = mypool { 10.1.1.41/32; 10.1.1.42/32; 192.168.1.
8 Tips for Securing Your System This chapter describes specific configuration procedures for HP-UX IPFilter. It contains concepts for basic and advanced firewall design using HP-UX IPFilter features.
Several services allow you to block by port number for security:
• syslog on UDP port 514.
• portmap on TCP port 111 and UDP port 111. You can specify proto tcp/udp with port=111.
• lpd on TCP port 515.
• NFS on TCP port 2049 and UDP port 2049. You can also configure NFS to use static (fixed) port numbers for the NFS statd, mountd, and lockd services, as described in “Configuring NFS to Use Fixed Ports” (page 113).
• X11 on TCP port 6000.
The following ruleset blocks packets from private address blocks and the loopback address block received on lan0:
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
pass in all
If you have an internal network, you can also restrict the internal interface to packets whose source addresses belong to that network.
9 Troubleshooting HP-UX IPFilter
This chapter contains the following sections:
• “Viewing IPFilter Statistics and Active Rules with ipfstat” (page 80)
• “Testing Rules with ipftest” (page 85)
• “Logging IPFilter Packets” (page 88)
• “Troubleshooting Tips” (page 92)
• “Reporting Problems” (page 94)
9.1 Viewing IPFilter Statistics and Active Rules with ipfstat The ipfstat utility displays IPFilter statistics, including how many packets have been passed or blocked, whether the packets were logged or not, how many state entries have been made, and DCA statistics. You can also use options with ipfstat to display active rules. 9.1.1 Syntax ipfstat [-options] 9.1.2 Options For a complete list of ipfstat options, see the ipfstat manpage.
-v Sets verbose mode. Use for debugging. NOTE: Statistics counters cannot increment when both active in and out rulesets are empty. This is due to a performance optimization that bypasses IPFilter when there are no active rulesets present. 9.1.
Set the -n option to display the rule number next to each rule. The rule number is displayed as @group:rule. This can help you determine which rules are incorrectly configured. For example:
# ipfstat -on
@0:1 pass out on lan0 from any to any
@0:2 block out on ppp0 from any to any
@0:3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
The following example uses the -s option to display the state table.
Subnet            3
Cumulative        5
Unknown IP        9
Total            19
No Memory         0
Logged Records   13
Log Failures      0
Limits Added     13
Add Failures      0
• The first six lines display the number of current active connections of each described type.
• No Memory is the number of times a limit entry could not be created because no memory was available. If this is a non-zero, positive value, then the system memory should be checked and, if necessary, increased.
These limit entries are created through the default rule. See “keep limit: Limiting Connections” (page 53) for detailed information on the different types of limit entries. The Rule column displays the rule number that caused the creation of this limit entry. This information can in turn be used to get per-rule statistics using the ipfstat -r command. The third through sixth columns display IP-port pairs of the TCP connection.
9.2 Testing Rules with ipftest The ipftest utility enables you to test a ruleset without loading it. You do not need superuser capabilities to run ipftest. The ipftest utility tests a ruleset using a set of packet descriptors that simulate network traffic. The ipftest utility determines the action IPFilter would take for each packet and writes the packet and the action to stdout. When you generate simulated traffic, you can use example data obtained from a packet probe or similar monitor.
The ipftest utility supports additional options to specify the input format and to control packet testing. For a complete list of options and their functions, see the ipftest manpage.
9.2.3 Example The following ruleset is used for this example:
block in all
pass in from 10.1.84.195 to any
The input file contains the following packet descriptors:
in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000
in on lan1 udp 10.1.84.195,16000 10.1.85.196,16000
in on lan0 udp 10.1.84.195,16000 10.1.80.
block ip 28(20) 17 10.1.85.195,16000 > 10.1.80.196,16000
--------------
input: out on lan0 udp 10.1.84.196,16000 10.1.84.195,16000
nomatch ip 28(20) 17 10.1.84.196,16000 > 10.1.84.195,16000
--------------
input: out on lan1 udp 10.1.85.196,16000 10.1.84.195,16000
nomatch ip 28(20) 17 10.1.85.196,16000 > 10.1.84.195,16000
--------------
input: out on lan0 udp 10.1.80.196,16000 10.1.84.195,16000
nomatch ip 28(20) 17 10.1.80.196,16000 > 10.1.84.195,16000
--------------
input: out on lan0 udp 10.1.84.196,16000 10.1.85.
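The ipftest output above follows from two IPFilter rules of evaluation: the last matching rule decides the verdict, unless a matching rule carries the quick keyword, and a rule only matches packets travelling in its own direction, which is why every "out" descriptor reports nomatch against a ruleset that contains only "in" rules. The following Python script is an added example, not part of the guide or of the IPFilter product: it is a small offline simulator for the subset of rule syntax used in the examples of this guide (block/pass, in/out, quick, on, proto, from/to with CIDR, port comparisons; flags, keep state and log are parsed but ignored), fed with packet descriptors in the ipftest input format. It replays the ruleset from this section and the anti-spoofing ruleset from the earlier "block in quick on lan0" example; the extra descriptors and the 10.1.2.3 client address are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tok: str) -> ipaddress.IPv4Network:
    """'any' or a host/CIDR token -> network (a bare host becomes /32)."""
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    quick: bool = False              # stop at first quick match
    iface: Optional[str] = None      # None matches any interface
    proto: Optional[Set[str]] = None # e.g. {"tcp", "udp"}; None matches any
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[Tuple[str, int]] = None  # ("=", 21), (">", 1023), ...
    dport: Optional[Tuple[str, int]] = None


def parse_rule(text: str) -> Rule:
    toks = text.split()
    rule = Rule(action=toks[0], direction=toks[1])
    side = None                      # which endpoint a "port" clause belongs to
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule.quick = True; i += 1
        elif t == "on":
            rule.iface = toks[i + 1]; i += 2
        elif t == "proto":
            rule.proto = set(toks[i + 1].split("/")); i += 2   # "tcp/udp"
        elif t == "all":
            i += 1                   # from any to any
        elif t == "from":
            rule.src = _net(toks[i + 1]); side = "src"; i += 2
        elif t == "to":
            rule.dst = _net(toks[i + 1]); side = "dst"; i += 2
        elif t == "port":
            cond = (toks[i + 1], int(toks[i + 2]))
            if side == "src":
                rule.sport = cond
            else:
                rule.dport = cond
            i += 3
        elif t == "log":
            i += 1                   # logging does not affect the verdict
        elif t in ("flags", "keep"):
            i += 2                   # TCP flags / state tracking not simulated
        else:
            raise ValueError(f"unsupported keyword {t!r} in rule: {text}")
    return rule


@dataclass
class Packet:
    direction: str; iface: str; proto: str
    src: ipaddress.IPv4Address; sport: int
    dst: ipaddress.IPv4Address; dport: int


def parse_packet(text: str) -> Packet:
    """ipftest descriptor: '<in|out> on <iface> <proto> <src,port> <dst,port>'."""
    toks = text.split()
    if toks[1] != "on":
        raise ValueError(f"expected 'on <interface>' in descriptor: {text}")

    def endpoint(tok: str):
        addr, _, port = tok.partition(",")
        return ipaddress.ip_address(addr), int(port or 0)

    src, sport = endpoint(toks[4])
    dst, dport = endpoint(toks[5])
    return Packet(toks[0], toks[2], toks[3], src, sport, dst, dport)


def _port_ok(cond: Optional[Tuple[str, int]], port: int) -> bool:
    if cond is None:
        return True
    op, n = cond
    return {"=": port == n, "!=": port != n, ">": port > n, "<": port < n}[op]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'pass', 'block' or 'nomatch' using last-match-wins plus quick."""
    verdict = "nomatch"
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if r.iface is not None and r.iface != pkt.iface:
            continue
        if r.proto is not None and pkt.proto not in r.proto:
            continue
        if pkt.src not in r.src or pkt.dst not in r.dst:
            continue
        if not (_port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)):
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


def run_test(ruleset: List[str], descriptors: List[str]) -> List[str]:
    """Verdict per descriptor, in order, like a condensed ipftest run."""
    rules = [parse_rule(l) for l in ruleset if l.strip() and not l.lstrip().startswith("#")]
    return [evaluate(rules, parse_packet(d)) for d in descriptors]


# Ruleset and descriptors from section 9.2.3 of the guide.
RULESET_9_2 = ["block in all", "pass in from 10.1.84.195 to any"]
DESCRIPTORS_9_2 = [
    "in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000",
    "in on lan1 udp 10.1.84.195,16000 10.1.85.196,16000",
    "in on lan0 udp 10.1.85.195,16000 10.1.80.196,16000",
    "out on lan0 udp 10.1.84.196,16000 10.1.84.195,16000",
]

# Anti-spoofing ruleset from the guide; the descriptors are constructed.
ANTISPOOF = [
    "block in quick on lan0 from 192.168.0.0/16 to any",
    "block in quick on lan0 from 172.16.0.0/12 to any",
    "block in quick on lan0 from 10.0.0.0/8 to any",
    "block in quick on lan0 from 127.0.0.0/8 to any",
    "pass in all",
]
ANTISPOOF_PKTS = [
    "in on lan0 tcp 192.168.1.5,40000 10.0.0.1,80",   # spoofed private source on lan0
    "in on lan0 tcp 203.0.113.7,40000 10.0.0.1,80",   # ordinary external source
    "in on lan1 tcp 192.168.1.5,40000 10.0.0.1,80",   # same source, but lan1 is not covered
]

if __name__ == "__main__":
    for desc, verdict in zip(DESCRIPTORS_9_2, run_test(RULESET_9_2, DESCRIPTORS_9_2)):
        print(f"{verdict:8} {desc}")
    for desc, verdict in zip(ANTISPOOF_PKTS, run_test(ANTISPOOF, ANTISPOOF_PKTS)):
        print(f"{verdict:8} {desc}")
```

The third anti-spoofing descriptor is the instructive one: because every block rule is scoped with "on lan0", a spoofed packet arriving on lan1 falls through to "pass in all". The simulator reproduces that gap exactly as IPFilter would, which is the kind of check ipftest is meant for before a ruleset is loaded.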
9.3 Logging IPFilter Packets This section describes how to use the log keyword in IPFilter rules to configure logging and how to use the ipmon utility to view IPFilter log records.
9.3.1 Using the log keyword to Configure IPFilter Logging To configure logging, specify the log keyword in an IPFilter rule after the in or out keyword, as described in “log: Logging Packets” (page 31). The log keyword directs IPFilter to log packets matching the rule to the IPFilter logging device, /dev/ipl.
The first option only applies to packets in a specific session. You can use the first option to monitor traffic on your system. For best results, use the first option in conjunction with rules that use pass and keep state. Example:
pass in log first proto tcp from any to any flags S keep state
9.3.1.3 body You can use the body option with the log keyword to track parts of an IP packet in addition to the packet header information.
9.3.2 Using ipmon to View IPFilter Log Entries The ipmon utility displays IPFilter log entries in human-readable format. To configure IPFilter to create log entries, specify the log keyword in IPFilter rules, as described in “Using the log keyword to Configure IPFilter Logging” (page 88). The ipmon utility can also display the state table log, the NAT log, or any combination of these three. You can run ipmon in the foreground or as a daemon that logs to syslog or a file.
15:57:33.803147 lan0 @0:2 b 100.100.100.103,443 -> 20.20.20.
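The ipmon record above starts with a fixed set of fields: the timestamp, the interface, the @group:rule identifier of the rule that matched, the action letter (b for block here), and the source and destination as address,port pairs. The following Python script is an added example, not part of the guide or of the ipmon utility: it parses those leading fields and summarizes which rules and which source addresses are producing blocked records, which is the usual first question when a rule is misbehaving. The sample log lines are constructed for the demonstration; the fields after the destination address are kept as free text because this guide shows nothing beyond that point, and the last sample line is deliberately truncated the way the fragment above is, to show that the parser rejects it rather than miscounting.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Leading fields of an ipmon record as shown in the guide:
#   HH:MM:SS.uuuuuu  interface  @group:rule  action  src,sport -> dst,dport ...
IPMON_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)

# Constructed sample records (the trailing protocol/length fields are assumed).
SAMPLE_LOG = [
    "15:57:33.803147 lan0 @0:2 b 100.100.100.103,443 -> 20.20.20.20,1030 PR tcp len 20 40 -A",
    "15:57:34.112309 lan0 @0:2 b 100.100.100.103,443 -> 20.20.20.20,1031 PR tcp len 20 40 -A",
    "15:57:35.001200 lan0 @0:3 p 20.20.20.20,1032 -> 100.100.100.103,443 PR tcp len 20 60 -S",
    "15:57:36.220011 lan0 @0:2 b 198.51.100.9,53 -> 20.20.20.20,40000 PR udp len 20 73",
    "15:57:37.000000 lan0 @0:2 b 100.100.100.103,443 -> 20.20.20.",   # truncated record
]


def parse_ipmon_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one ipmon record, or None if it does not parse."""
    m = IPMON_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule_id"] = f"@{rec['group']}:{rec['rule']}"
    return rec


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count blocked records per rule and per source; track passes and parse failures."""
    blocked_by_rule: Counter = Counter()
    blocked_by_src: Counter = Counter()
    passed = unparsed = 0
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None:
            unparsed += 1          # never silently drop a malformed record
            continue
        if rec["action"] == "b":
            blocked_by_rule[rec["rule_id"]] += 1
            blocked_by_src[rec["src"]] += 1
        elif rec["action"] == "p":
            passed += 1
    return {
        "blocked_by_rule": blocked_by_rule,
        "blocked_by_src": blocked_by_src,
        "passed": passed,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for rule_id, n in s["blocked_by_rule"].most_common():
        print(f"{rule_id}: {n} blocked")
    for src, n in s["blocked_by_src"].most_common():
        print(f"{src}: {n} blocked")
    print(f"passed={s['passed']} unparsed={s['unparsed']}")
```

Pair the rule identifiers this reports with "ipfstat -on" output to see the text of the rule that produced the blocks; the counts by source are what you would feed into a review of the ruleset rather than act on directly.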
syslog. The shell command can be an alert mailed to the administrator or an IPFilter command to update filter rules. For more information, see the ipmon(4) manpage. NOTE: This is available only on HP-UX 11i v3.
9.3.3.1 Syntax
ipmon -C
9.3.3.2 ipmon.conf File Syntax
match {} do {}
If a UDP packet is coming from 10.1.1.41 and it is blocked by the configured IPF rules, then ipmon sends a mail to the root account with the message "blocked UDP packet from 10.1.1.41".
Check the rules you have configured using ipfstat -io. This command displays the active inbound and outbound rules. NOTE: If you are using /etc/opt/ipf/ipf.conf as your rules file, then IPFilter will load it at boot time. The IPFilter startup script /sbin/init.d/ipfboot:
— Loads the IPFilter module.
— Starts the logging daemon, ipmon.
— Loads any uncommented rules in the /etc/opt/ipf/ipf.conf file.
— Loads any uncommented rules in the /etc/opt/ipf/ipf6.conf if IPv6 is enabled on the system.
9.5 Reporting Problems Include the following information when reporting problems: • A complete description of the problem and any error messages.
10 HP-UX IPFilter Utilities This chapter describes utilities for administering IPFilter. It contains the following sections: • “The ipf Utility” (page 95) • “The ipnat Utility” (page 98) • “The ipfilter Utility (HP-UX 11i v3)” (page 99) • “The ippool Utility” (page 99) NOTE: Most of the information in this chapter has been derived from the IP Filter-based Firewalls HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this document at http://www.obfuscation.org/ipf/. 10.
-s Switches the active ruleset with the inactive ruleset. IPFilter maintains an active ruleset and an inactive ruleset. The active ruleset is the ruleset used for IPFilter operations, and the inactive ruleset is a supplementary, reserve ruleset. If you specify this option with the -6 option, this option affects the IPv6 rulesets; if you specify it without the -6 option, this option affects the IPv4 rulesets. -Fa Flushes all rules in the specified ruleset.
IPv4 IPFilter processing. -Q interface_name Queries if IPFilter processing is enabled or disabled for a given interface. If you specify this option with the -6 option, it queries the status of IPv6 IPFilter processing; if you specify this option without the -6 option, it queries the status of IPv4 IPFilter processing. The -E, -D, and -Q commands let you control IPFilter processing on a given interface. For example, ipf -D lan0 disables IPv4 IPFilter processing for traffic on lan0.
10.2 The ipnat Utility Use the ipnat utility to view and load NAT rules. The default NAT rules file is /etc/opt/ipf/ipnat.conf.
10.2.1 Syntax
ipnat -options full_path_name
10.2.2 Options
-f Reads rules from a specified rules file.
-l Lists NAT rules and active mappings.
-C Deletes the current ruleset.
-F Flushes active mappings.
-r Removes rules from the NAT rules file.
10.2.3 Example Enter the following command:
ipnat -CF -f /etc/opt/ipf/ipnat.
10.3 The ipfilter Utility (HP-UX 11i v3) The ipfilter utility enables, disables, and reports the IPFilter state. The ipfilter utility is supported only on HP-UX 11i v3.
10.3.1 Syntax
/opt/ipf/bin/ipfilter -d|e|q|l|ei|di
10.3.2 Options
-e Enables the HP-UX IPFilter module.
-d Disables the HP-UX IPFilter module.
-q Queries the HP-UX IPFilter module and displays whether it is enabled or disabled.
-l Lists the interfaces and shows which are protected or unprotected by IPFilter.
10.4.2 Global Options
-d Toggles debugging of configuration file processing.
-n Prevents ippool from making ioctl calls or altering the running kernel.
-v Turns verbose mode on.
10.4.3 Command Options
-a Adds a new data node to an existing pool in the kernel.
-A Adds a new (empty) pool to the kernel.
-f Reads IP pool configuration information from the file and loads it into the kernel.
-F Flushes loaded pools from the kernel.
11 HP-UX IPFilter and ICMP This chapter describes how to use HP-UX IPFilter to filter ICMP (ICMPv4) and ICMPv6 Packets. It also describes how to configure ICMP kernel parameters for optimal security.
Table 11-1 ICMP Type and Codes (continued)
Type  icmp-type  Code  icmp-code      Meaning
                 9     net-prohib     destination network administratively prohibited [RFC1256]
                 10    host-prohib    destination host administratively prohibited [RFC1256]
                 11    net-tos        network unreachable for TOS [RFC792]
                 12    host-tos       host unreachable for TOS [RFC792]
                 13    filter-prohib  prohibited by filtering [RFC1812]
                 14    host-preced    host precedence violation [RFC1812]
                 15    cutoff-preced  precedence cutoff in effect [RFC1812]
4     squenc     0
• “ICMP Redirects (ip_send_redirects)” (page 104)
• “PMTU Discovery (ip_pmtu_strategy)” (page 104)
• “ICMP Echo Request Broadcasts (ip_respond_to_echo_broadcast)” (page 105)
This section also describes how to use ndd to set the ICMP parameter values (“Using ndd to Configure ICMPv4 Kernel Parameters” (page 105)).
11.2.1 Dead Gateway Detection (ip_ire_gw_probe) The ip_ire_gw_probe parameter enables or disables dead (non-operational) gateway detection.
pass out quick proto icmp from any to any icmp-type 4
11.2.3 ICMP Redirects (ip_send_redirects) The ip_send_redirects parameter enables or disables ICMP redirect transmissions. ICMP redirects are generally used by hosts to communicate alternate or optimal routes. If a forged ICMP redirect message is processed by a host, its routing table can be compromised and it may route subsequent traffic through an unsafe route.
case, HP recommends that you set ip_pmtu_strategy to 3 if this value is supported on your system, or to 0 if it is not supported. Note that for IPv4, the link-local MTU can be as low as 68 bytes. Setting ip_pmtu_strategy to 0 or 3 can significantly decrease IP throughput. 11.2.5 ICMP Echo Request Broadcasts (ip_respond_to_echo_broadcast) A ping message (ICMP echo request) to a broadcast address solicits responses from multiple systems and can generate a lot of network traffic.
11.3 Filtering ICMPv6 Packets by Type and Code (icmpv6-type and code) You can filter specific types of ICMPv6 traffic using the icmpv6-type and code keywords. You must specify proto icmpv6 to use the icmpv6-type and code keywords. A simplified rule syntax is as follows:
block|pass in|out [processing_options] proto icmpv6 icmpv6-type type_value [code code_value] ip_selector
where: processing_options is one or more processing options, such as quick.
11.4 Controlling ICMPv6 Router Discovery and Neighbor Discovery Messages By default, HP-UX IPFilter allows ICMPv6 Router Discovery and Neighbor Discovery messages to bypass (pass through) IPFilter rulesets and always pass in and out of the system.
12 HP-UX IPFilter and FTP This chapter describes how to filter FTP services. It contains the following sections: • “FTP Basics” (page 109) • “WU-FTPD on HP-UX” (page 109) • “Running an FTP Server” (page 110) • “Running an FTP Client” (page 110) CAUTION: NAT and FTP are incompatible. If you are using FTP on your IPFilter system, do not use NAT rules. 12.1 FTP Basics The File Transfer Protocol (FTP) is a user-level protocol for transferring files between host computers.
WU-FTPD 2.6.1 is a core product on HP-UX 11i v2.
12.3 Running an FTP Server This section describes active FTP and passive FTP server setup.
12.3.1 Active FTP
FTP Server               Direction of Connection Initiated   FTP Client
port 21 (control port)   <----------------                   any port 1024 or higher
port 20 (data port)      ---------------->                   any port 1024 or higher
On an FTP server using active FTP, configure IPFilter rules to allow control connections in and data connections out.
pass out quick proto tcp from client_ip port > 1023 to any port = 21 flags S keep state
pass in quick proto tcp from any port 20 to client_ip port > 1023 flags S keep state
block in from any to any
block out from any to any
NOTE: FTP Proxy is not supported by HP. For a complete list of unsupported utilities and commands, see “Unsupported Utilities” (page 128).
12.4.
13 HP-UX IPFilter and NFS and RPC This chapter describes the use of NFS and RPC with IPFilter. It contains the following sections: • “Introduction” (page 113) • “Configuring NFS to Use Fixed Ports” (page 113) • “Using the rpc.ipfboot Script to Update IPFilter Rules” (page 114) 13.1 Introduction The NFS service uses multiple daemons. The NFS daemon, nfsd, listens for requests on the static (fixed) TCP and UDP port number 2049. By default, the auxiliary daemons used for the NFS services—rpc.
# /sbin/init.d/nfs.client start
# /sbin/init.d/nfs.server start
3. (Optional) Enter the following command to verify the ports used by the NFS auxiliary daemons:
# rpcinfo -p
13.3 Using the rpc.ipfboot Script to Update IPFilter Rules The /etc/opt/ipf/rpc.ipf/rpc.ipfboot script queries the port mapper and updates the IPFilter rules files with the appropriate port numbers.
By default, all RPC rules are placed first in the rules file, for example, RPC_RULE_POSITION=1. The RPC rules are precisely defined in terms of IP addresses and ports, so they match uniquely; because they are quick rules, they belong at the top of the ruleset.
13.3.2 RPC Rules Configuration File This file specifies the details from which the IPFilter RPC rules are generated. /etc/opt/ipf/rpc.ipf/rpc_ipfconf.sample is provided as an example. The /etc/opt/ipf/rpc.
14 HP-UX IPFilter and IPSec This chapter describes how HP-UX IPFilter and HP-UX IPSec work together. It contains the following sections: • “IPFilter and IPSec Basics” (page 117) • “IPSec UDP Negotiation” (page 117) • “When Traffic Appears to Be Blocked” (page 118) • “Allowing Protocol 50 and Protocol 51 Traffic” (page 119) • “IPSec Gateways” (page 120) 14.1 IPFilter and IPSec Basics IPSec and IPFilter will not panic or corrupt each other.
Before exchanging IPSec-encrypted or authenticated packets, IPSec negotiates security parameters using the Internet Key Exchange (IKE) protocol. The IKE protocol exchanges messages using UDP protocol port 500, or port 4500 if IPSec NAT traversal is used. If the IPFilter configuration is so broad that it blocks all UDP traffic, IPSec cannot complete IKE negotiations and packets that are configured to be secured by IPSec are dropped.
14.4 Allowing Protocol 50 and Protocol 51 Traffic IPSec uses Encapsulating Security Payload (ESP) to provide data confidentiality and Authentication Header (AH) to provide data integrity at the IP layer. Depending on a user’s IPSec traffic policy configuration, IPSec inserts ESP, AH, or both as protocol headers into an IP datagram, immediately following the IP header. The protocol field of that IP header is 50 (ESP) or 51 (AH) to indicate the next protocol.
NOTE: If IPSec is configured to use AH rather than ESP, you must configure IPFilter to let protocol 51 traffic pass. If IPSec uses nested AH and ESP, IPFilter can be configured to let only protocol 51 (ah) traffic pass. 14.5 IPSec Gateways You can configure IPSec to encrypt and authenticate traffic to a gateway between two end hosts. A configuration that encrypts IPSec packets to a gateway is called an IPSec tunnel. IPFilter can coexist with IPSec tunnels without conflict.
15 HP-UX IPFilter and Serviceguard This chapter describes configuration procedures for HP-UX IPFilter used in a Serviceguard environment. It contains the following sections for using HP-UX IPFilter with Serviceguard:
• “Enabling or Disabling IPFilter” (page 121)
• “Local Failover” (page 121)
• “Remote Failover” (page 122)
  — “Filtering on a Package IP Address” (page 122)
  — “Mandatory Rules” (page 122)
• “DCA Remote Failover” (page 126)
15.
All rules that filter on interface names are changed at failover and failback in both the active ruleset and the inactive ruleset. In addition, logging reflects the changes; the standby interface name will appear in logs and reports when it is in use. 15.1.3 Remote Failover HP-UX IPFilter is a system firewall and as such should be installed on end systems. Connections to an IPFilter system that are lost during a remote failover must be reinitiated.
hacl-local   5304/tcp   # HA Cluster commands
hacl-test    5305/tcp   # HA Cluster test
hacl-dlm     5408/tcp   # HA Cluster distributed lock manager
hacl-poll    5315/tcp   # HA Cluster TCP polling cmappserver for hpvm
NOTE: This list of HA services is not exhaustive. In addition, Serviceguard also uses dynamic ports (typically in the 49152–65535 range) for some cluster services. If you have adjusted the dynamic port range using kernel tunable parameters, alter your rules accordingly.
# Allow ping incoming connections for package ip monitoring
pass in quick proto icmp from cluster_nodes to cluster_nodes icmp-type 8
pass out quick proto icmp from cluster_nodes to cluster_nodes icmp-type 8
If you are using cmappserver, configure the following rules:
# Allow hacl-poll for HA Cluster TCP polling (cmappserver for hpvm or APPSERV)
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flags S keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 5315 f
In the previous set of rules, cluster_nodes is the IP subnet address for all nodes in the cluster, and remote_nodes are all other nodes outside the cluster that are designated in the cmclnodelist file for remote command access. To enable users on remote nodes to run the cmscancl command, you must also configure rules to allow remote shell packets (TCP port 514).
15.1.3.3.
15.1.3.3.7 Consolidated Log (clog) If you are using the consolidated log package, clog, add the following rules for the configured clog TCP port number:
pass in quick proto tcp from smh_mgmt to cluster_nodes port = clog_tcp keep state
pass out quick proto tcp from cluster_nodes to smh_mgmt keep state
In the previous set of rules, cluster_nodes are all nodes in the cluster, smh_mgmt is the address of the SMH Management Station, and clog_tcp is the TCP port configured for the clog package.
15.1.
A Product Specifications This appendix contains the following sections:
• “Configuration Files” (page 127)
• “Unsupported Features” (page 128)
• “Supported Utilities” (page 128)
• “Unsupported Utilities” (page 128)
• “Supported and Unsupported Interfaces” (page 128)
A.1 Configuration Files HP-UX IPFilter uses the following configuration files:
• /sbin/init.d/ipfboot The startup script for the ipf module.
• /etc/rc.config.d/ipfconf Configuration file for the ipfboot startup script.
A.2 Unsupported Features HP-UX IPFilter does not support the following features: • Filtering loopback packets. The HP-UX transport stack is optimized so that loopback packets are not passed to any modules below IP, such as IPFilter. Loopback packets include the following: — Packets with the destination address in the range 127.0.0.0 - 127.255.255.
Table A-1 HP-UX IPFilter Supported Interfaces
IPFilter Version    Supported Interfaces
HP-UX A.11.xx.17    • Ethernet (10Base-T)
                    • Fast Ethernet (100Base-T)
                    • Gigabit Ethernet (1000Base-T)
                    • 10 Gigabit Ethernet
                    • APA
                    • VLAN
                    • FDDI
                    • Token Ring
                    • InfiniBand (supported on HP-UX 11i v2 only)
                    • X.25 (supported on HP-UX 11i v3 only)
HP-UX A.11.xx.
• InfiniBand (supported on HP-UX 11i v2, but not on other HP-UX versions)
• X.
B HP-UX IPFilter Configuration Examples This appendix provides IPFilter configuration examples. These examples are also included in the /opt/ipf/examples directory with HP-UX IPFilter. You can take useful rules that you find in these examples and copy them into /etc/opt/ipf/ipf.conf, which is your HP-UX IPFilter configuration file. These files are taken from the files provided with the open source IPFilter product.
B.1 BASIC_1.
#
pass in quick proto tcp from any to any port = ftp keep state group 201
pass in quick proto tcp from any to any port = ftp-data keep state group 201
pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
#
# Allow NTP from any internal host to any external NTP server.
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren’t on the
# loopback interface should *NOT* exist
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.
pass in from 10.1.2.1/32 to any
#
#
# block all outbound packets.
#
block out from any to any
#
#
# allow any host to send any IP packet out to a limited number
# of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32
B.6 example.4
#
# block all ICMP packets.
B.9 example.7
# block all ICMP packets.
#
block in proto icmp all
#
# allow in ICMP echos and echo-replies.
#
pass in on lan1 proto icmp from any to any icmp-type echo
pass in on lan1 proto icmp from any to any icmp-type echorep
#
# block all ICMP destination unreachable packets which are
# port-unreachables
#
block in on lan1 proto icmp from any to any icmp-type unreach code 3
B.10 example.
# through to host 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are
# destined for localhost
#
pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block any packet trying to get to X terminal ports, X:0 to
# X:9
#
block in proto tcp from any to any port 5999 >< 6010
#
# allow any connections to be made, except to BSD
# print/r-services; this will also protect syslog.
# 10.3.3.1
#
pass in on lan0 to lan1:10.3.3.1 proto icmp all
B.16 example.sr
#
# log all inbound packets on lan0 which have IP options present
#
log in on lan0 from any to any with ipopts
#
# block any inbound packets on lan0 which are fragmented and "too short"
# to do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
block in on lan0 proto icmp from any to 10.1.3.0/24
block in on lan0 proto icmp from any to 10.1.1.0/24
block in on lan0 proto icmp from any to 10.1.2.0/24
B.17 firewall
# Configuring IP Filter for firewall usage.
=========================================
Step 1 - Block out "bad" IP packets.
------------------------------------
Run the perl script "mkfilters".
a)
b)
c)
pass out quick on lan0 proto udp from any to any port = 53 keep state
block out on lan0 proto udp all
block in on lan0 proto udp all
B.20 BASIC.NAT
#!/sbin/ipnat -f
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# If you have only one valid IP address from the ISP, then use this
# rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> a.b.c.
map lan1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map lan1 10.1.0.0/16 -> 240.1.0.0/24
#
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box
# to the local ftp port and force them to connect
# through a proxy, you would use:
#
rdr lan0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
B.22 nat-setup
Configuring NAT on your network.
For example (using the above NAT rules), if you wanted to prevent all hosts in the 10.1.2.0/24 subnet from using NAT, you might use the following rules with ipf:
block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24
and use these with ipnat:
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
B.23 ipmon.
C HP-UX IPFilter Kernel Tunable Parameters HP-UX IPFilter supports kernel tunable parameters that affect IPFilter behavior. This chapter describes the parameters and how to configure them.
C.2 fr_tcpidletimeout The fr_tcpidletimeout is the timeout period for state table entries for TCP connections that are established and idle. If the state table has an entry for an established TCP connection and no packets match the state entry for that period, IPFilter deletes the entry.
C.5.1 Displaying Logging Buffer Statistics On HP-UX 11i v3 systems, the ipfstat -B command displays the size of the log buffer, the current number of bytes used, and the high-water mark (the maximum number of bytes used). On HP-UX 11i v1 and HP-UX 11i v2 systems, use the following command to get the logging buffer statistics:
ndd -get /dev/pfil cur_iplbuf_sz
The parameter cur_iplbuf_sz is a read-only parameter.
C.
C.8.2 Configuring Kernel Tunable Parameters on HP-UX 11i v1 and HP-UX 11i v2 On HP-UX 11i v1 and HP-UX 11i v2, use the ndd command to configure all HP-UX IPFilter kernel tunable parameters, with the following exceptions:
• fr_statemax and fr_tcpidletimeout: Use the kmtune command to modify these parameters.
• ipf_icmp6_passthru: On HP-UX 11i v2, use the kctune command to modify this parameter, as described in “Controlling ICMPv6 Router Discovery and Neighbor Discovery Messages” (page 107).
C.8.2.
kctune -s fr_statemax=6000
3. Configure the module for the new value using the following commands:
cd /stand/ipf
config -M ipf -u
4. Reload the ipf module:
/sbin/init.d/ipfboot start
C.9 Enabling and Disabling NAT Functionality The ipnat_enable tunable enables or disables NAT functionality. By default, this tunable is set to 1. If you do not use NAT functionality, disabling this tunable improves performance. NOTE: This is available only on HP-UX 11i v3.
C.
D HP-UX IPFilter Static Linking This appendix provides instructions for statically linking the HP-UX IPFilter kernel modules to the kernel. D.1 Overview IPFilter has two kernel modules, pfil, a streams module and ipf, a WSIO pseudo driver. These are dynamically loadable kernel modules. When IPFilter is installed on an HP-UX system using swinstall, these two modules are loaded and configured as dynamically linked modules.
2. Use the kmsystem command to find the status of each module. See the kmsystem(1M) manpage for more detail. For example:
$ kmsystem -q pfil
Module     Configured   Loadable
pfil       Y            Y
The output is similar for the ipf module. This output shows that the pfil module is loadable.
3. Use the kmsystem command to set the loadable parameter to N.
$ kmsystem -l N -c Y ipf
$ kmsystem -q ipf
Module     Configured   Loadable
ipf        Y            N
$ kmsystem -l N -c Y pfil
4.
E Performance Guidelines This appendix provides performance guidelines for the use of HP-UX IPFilter. You must take operating environment limits into account when you configure HP-UX IPFilter. HP-UX does not enforce maximum configuration limits, in order to provide flexibility. However, you must take care not to overburden HP-UX IPFilter systems, or unpredictable consequences may result.
3. Dedicate a CPU to each LAN card, if possible. Avoid configuring one CPU to share an application and a LAN, especially if the application is data or computationally intensive. Use the HP-UX Processor Set (PSET) utility to separate applications and LAN processing.
4. If you are configuring an intermediate system, dedicate that system to HP-UX IPFilter. Do not share the system with other standalone applications.
E.
pass in quick proto tcp from 15.13.2.100 to any port = 23
pass in quick proto tcp from 15.13.103.0/24 to any port =
pass in quick proto tcp from 15.13.104.0/24 to any port =
pass in quick proto tcp from 15.13.105.0/24 to any port =
pass in quick proto tcp from 15.13.106.
Figure E-2 System Operation
E.5 Performance Monitoring The performance of an IPFilter system depends primarily on four major factors:
• Number and length of rule searches (rule organization)
• Types of rules
• Network traffic
• System configuration
Monitor your system performance to ensure proper operation. HP recommends the following:
• Use ipfstat -ioh to monitor the rule searches. If a rule has a high hit count, this indicates that the rule can be optimized.