HP-UX IPFilter Version 17 Administrator's Guide
3.1 IPv4 Filter Rules Configuration File
The default HP-UX IPFilter IPv4 filter rules file is /etc/opt/ipf/ipf.conf. To specify an alternate IPv4 filter rules file name, set the IPF_CONF parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf.
When HP-UX IPFilter is first installed, the /etc/opt/ipf/ipf.conf rules file is empty.
Appendix B (page 131) contains example rules files you can use to create your ruleset.
3.1.1 Format
Entries in IPFilter rule files must meet the following requirements:
• Each rule must be contained on one line. Line continuation characters are not supported.
• IPFilter interprets all text to the right of a number symbol (#) as a comment.
• Extra white space is allowed and encouraged to keep the rules readable.
3.1.2 Rule Order and Processing
Rules are processed in order from the top to the bottom of the rules file. By default, IPFilter uses the last
filter rule that matches the packet it is evaluating. For example, suppose a rules file contains the following
entries:
block in all
pass in all
The first rule (block in all) blocks all packets, and the last rule (pass in all) allows all
packets. Any given packet will match both rules, but the last matching rule takes precedence.
IPFilter will apply the last rule that matches the packet (pass in all) and allow it to pass.
You can modify IPFilter rules processing by using the quick keyword in a rule to force IPFilter
to immediately apply a matching rule and stop processing rules. See “quick: Optimizing IPFilter
Rules Processing” (page 31) for more information.
TIP: Many administrators find it easier to use the quick keyword in each rule and then order
the rules from most specific to least specific.
You can also modify IPFilter rules processing by configuring rule groups. See “Improving
Performance with Rule Groups” (page 40) for more information.
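To make the last-match behavior and the effect of quick concrete, here is an added Python example (not from the guide or from HP-UX IPFilter itself) that evaluates a simplified subset of the rule syntax: an action, a direction, an optional quick keyword, and either all or from <net> to <net>. The decision for a packet that matches no rule at all is an assumption in this example, not something this section states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                            # "pass" or "block"
    direction: str                         # "in" or "out"
    quick: bool                            # stop processing on match
    src: Optional[ipaddress.IPv4Network]   # None means any source
    dst: Optional[ipaddress.IPv4Network]   # None means any destination

def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_rules(text: str) -> list:
    """Parse one rule per line; everything right of '#' is a comment."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()      # drop comments, extra space
        if not tokens:
            continue
        action, direction, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("pass", "block") or direction not in ("in", "out"):
            raise ValueError(f"unsupported rule: {line!r}")
        quick = bool(rest) and rest[0] == "quick"
        if quick:
            rest = rest[1:]
        src = dst = None
        if rest and rest != ["all"]:
            if len(rest) != 4 or rest[0] != "from" or rest[2] != "to":
                raise ValueError(f"unsupported rule: {line!r}")
            src, dst = _net(rest[1]), _net(rest[3])
        rules.append(Rule(action, direction, quick, src, dst))
    return rules

def evaluate(rules: list, direction: str, src_ip: str, dst_ip: str) -> str:
    """Return 'pass' or 'block' for one packet using last-match semantics."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    decision = "pass"   # assumption: a packet that matches no rule is passed
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        decision = rule.action   # a later match overrides an earlier one...
        if rule.quick:
            break                # ...unless the matching rule says quick
    return decision
```

Run "block in all" followed by "pass in all" through evaluate to see the guide's example resolve to pass; add quick to the block rule and the same packet is blocked because processing stops at the first match.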
3.1 IPv4 Filter Rules Configuration File 27