HP-UX IPFilter Version 17 Administrator's Guide

About This Document
This document describes how to install, configure, and troubleshoot HP-UX IPFilter version 17.
The latest version of this document can be found online at http://docs.hp.com.
Intended Audience
This document is intended for network managers or network security administrators who install,
configure, and troubleshoot HP-UX IPFilter on HP 9000 systems. Administrators are expected
to have knowledge of HP-UX operating system concepts, commands, and configuration.
Administrators are also expected to have knowledge of TCP/IP networking concepts and network
configuration.
This document is not a tutorial.
New and Changed Information in This Edition
The documentation reflects the following changes to the HP-UX IPFilter product.
New Features in this Release
IMPORTANT: The following new features are supported on HP-UX 11i v3 only.
Rate-based filtering
    Limits the rate (in packets per second) at which matching packets are allowed to pass through the system. For more information, see “Rate-based Filtering” (page 30).

Address pooling
    An address pool gives a single name to a group of address/netmask pairs so that rules can reference the group instead of each address. For more information, see Chapter 7 (page 73).

ipmon configuration file
    Simplifies IPFilter log analysis and allows monitoring for specific log events. For more information, see “Logging IPFilter Packets” (page 88).

Rule tags
    NAT rules and ipf rules can refer to each other by tag, creating an implied join that becomes part of the packet matching. For more information, see “Rule Tags” (page 43).

State aging
    You can override the default state timeouts by specifying an age option in IPFilter rules. For more information, see “State Aging” (page 37).

Named groups
    Rule groups can now be referenced by name. For more information, see “Improving Performance with Rule Groups” (page 40).

Sticky NAT sessions
    NAT sessions from the same source IP address can be redirected to the same destination IP address, giving source IP-based persistence. For more information, see “Sticky NAT Sessions” (page 69).

The l4check utility
    Monitors for dead IP/port pairs and dynamically removes them from the list of load-balanced IP addresses. For more information, see “Checking Connection Health with l4check” (page 69).