HP-UX IPFilter Version 17 Administrator's Guide

13. On HP-UX 11i v3 systems, enable HP-UX IPFilter using the following command:
/opt/ipf/bin/ipfilter -e
NOTE: Do not run the HP-UX IPFilter product when the system is booted in single-user mode.
2.4 Step 3: Verifying the Installation
Use the following commands to verify the HP-UX IPFilter installation.
Verify that HP-UX IPFilter is running using the -V option of the ipf command:
ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.11.31.17) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.17)
Enabled: yes
Filtering: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Verify that HP-UX IPFilter has been correctly loaded.
On HP-UX 11i v2 and HP-UX 11i v3, enter the following commands:
# kcmodule -v -q pfil
# kcmodule -v -q ipf
Verify that the state is loaded.
2.5 Step 4: (Optional) Modifying Kernel Tunable Parameters
HP-UX IPFilter supports kernel tunable parameters that affect IPFilter logging behavior and the
IPFilter state table. For information about modifying them, see Appendix C (page 143).
In addition, Chapter 11 (page 101) describes system kernel tunable parameters that control ICMP
features and how to configure them to optimize security.
NOTE: The HP-UX IPFilter installation script disables subnet broadcast packet forwarding by
setting the kernel tunable parameter ip_forward_directed_broadcasts to 0. HP
recommends that you leave this feature disabled unless you have a specific need for your node
to forward subnet broadcast packets. Attackers can use subnet broadcast packet forwarding to
amplify Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
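As an added example (not from the guide), the following POSIX shell script automates the verification in Step 3 and the tunable check from the NOTE above: it parses `ipf -V` output for Enabled/Filtering and for a matching kernel/user-space version, and confirms that ip_forward_directed_broadcasts is still 0. It assumes `ipf` and `ndd` are on PATH and that `ndd -get /dev/ip ip_forward_directed_broadcasts` prints the bare value; off an HP-UX host it runs against a constructed sample copied from the output shown above.

```shell
# Constructed sample of `ipf -V` output, copied from the guide's example,
# so the checks can be exercised offline (no HP-UX host required).
SAMPLE_IPF_V='ipf: HP IP Filter: v3.5alpha5 (A.11.31.17) (488)
Kernel: HP IP Filter: v3.5alpha5 (A.11.31.17)
Enabled: yes
Filtering: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1'

# Print the value of the "Key: value" line named by $1 from ipf -V output on stdin.
ipf_field() {
    awk -v key="$1" 'index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }'
}

# Extract the product version (e.g. A.11.31.17) from a line such as
# "Kernel: HP IP Filter: v3.5alpha5 (A.11.31.17)".
ipf_version() {
    sed -n 's/.*(\([A-Z]\.[0-9][0-9.]*\)).*/\1/p'
}

# Read ipf -V output on stdin; succeed only if the filter is enabled, filtering,
# and the kernel module and the user-space ipf tool report the same version.
ipf_status_ok() {
    out=$(cat)
    rc=0
    enabled=$(printf '%s\n' "$out" | ipf_field Enabled)
    filtering=$(printf '%s\n' "$out" | ipf_field Filtering)
    user_ver=$(printf '%s\n' "$out" | ipf_field ipf | ipf_version)
    kern_ver=$(printf '%s\n' "$out" | ipf_field Kernel | ipf_version)
    [ "$enabled" = yes ]   || { echo "FAIL: Enabled: ${enabled:-missing}"; rc=1; }
    [ "$filtering" = yes ] || { echo "FAIL: Filtering: ${filtering:-missing}"; rc=1; }
    [ -n "$kern_ver" ] && [ "$user_ver" = "$kern_ver" ] ||
        { echo "FAIL: version mismatch (ipf=$user_ver kernel=$kern_ver)"; rc=1; }
    return $rc
}

# $1 = value printed by `ndd -get /dev/ip ip_forward_directed_broadcasts` (assumed
# to be the bare number); the installation script sets it to 0.
directed_bcast_ok() {
    [ "$1" = 0 ] || { echo "FAIL: ip_forward_directed_broadcasts=$1 (expected 0)"; return 1; }
}

# On an HP-UX host query the live system; elsewhere run the checks on the sample.
if command -v ipf >/dev/null 2>&1 && command -v ndd >/dev/null 2>&1; then
    ipf -V | ipf_status_ok && directed_bcast_ok "$(ndd -get /dev/ip ip_forward_directed_broadcasts)" \
        && echo "HP-UX IPFilter verification passed"
else
    printf '%s\n' "$SAMPLE_IPF_V" | ipf_status_ok && echo "sample output: OK"
fi
```

The `kcmodule -v -q pfil` / `kcmodule -v -q ipf` state check from the guide is not automated here, since its output format is not shown on this page.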
2.6 Removing HP-UX IPFilter
Use the following procedure to remove HP-UX IPFilter.
1. On HP-UX 11i v3 systems, disable HP-UX IPFilter:
/opt/ipf/bin/ipfilter -d
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network
connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX
IPFilter when critical network applications are running.
Disabling or enabling IPFilter briefly brings down all IP interfaces, then brings up
only the IP interfaces configured in the /etc/rc.config.d/netconf and
/etc/rc.config.d/netconf-ipv6 files. IP addresses not configured in the netconf or
netconf-ipv6 file, such as Serviceguard relocatable IP addresses, are not re-enabled.
Enabling or disabling IPFilter causes the system to briefly lose network connectivity. If a
system has several IP interfaces or there is heavy network traffic, the time required to