HP-UX IPFilter Version 17 Administrator's Guide

3.2 Basic Rule Syntax: Specifying the Action, Direction, Protocol, IP Addresses, and Ports
A simplified syntax for IPFilter rules is as follows:
block|pass in|out [proto protocol] ip_selector
The ip_selector can use the from and to keywords to specify IP addresses and the port
keyword to specify port numbers:
block|pass in|out [proto protocol] from ip_address[/prefix] [port = port] to ip_address[/prefix] [port = port]
Alternatively, the ip_selector can be the keyword all to specify all IP addresses:
block|pass in|out [proto protocol] all
The sections that follow describe the parameters and options for this simplified syntax. For the
complete IPFilter rule syntax, see ipf(5).
3.2.1 pass and block: Specifying the Filter Action
The first keyword in an IPFilter rule specifies the action, and is usually pass or block. The
keyword pass allows packets to pass in or out of IPFilter, and the keyword block drops packets.
3.2.2 in and out: Specifying the Filter Direction
The in and out keywords specify whether the rule applies to inbound or outbound packets.
Inbound traffic is traffic that enters the IPFilter system. Outbound traffic is traffic the system
transmits, whether generated by the local system or forwarded by the system.
For example, the following rule uses the keyword pass and the IP selector all to allow incoming
packets from all IP addresses:
pass in all
The following rule drops outgoing packets to all IP addresses:
block out all
NOTE: If you do not specify any outbound rules, the implied default is pass out all. If you
do not specify any inbound rules, the implied default is pass in all.
3.2.3 proto: Specifying the Upper Layer Protocol
IPFilter can filter traffic based on the upper layer protocol, such as TCP or ICMP, using the proto
keyword:
proto tcp|udp|tcp/udp|icmp|protocol_number
The literal tcp/udp specifies both TCP and UDP, and is useful for applications that use both
the TCP and UDP protocols, such as portmap and NFS. For example, you could configure the
following rule to block inbound TCP and UDP portmap packets:
block in proto tcp/udp from any to 20.20.20.0/24 port = 111
The value for protocol_number can be any valid decimal number for an upper-layer protocol (0 - 255).
3.2.4 from and to: Specifying IP Addresses and Subnets
IPFilter can pass or block packets based on both source and destination IP addresses. The addresses
can be individual node addresses, subnet addresses, or address ranges. The format for specifying
IP addresses is as follows:
from ip_address[/prefix]|any to ip_address[/prefix]|any
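The following Python program is an added illustration of sections 3.2.1 through 3.2.4, not part of the guide or of HP-UX IPFilter. It parses the simplified rule syntax shown above (pass|block, in|out, proto, all, from/to with an optional port clause) and evaluates constructed packets against a ruleset built from the guide's own example rules. Three points go beyond this section and are assumptions stated in the code: a port clause is accepted only with proto tcp, udp or tcp/udp; IPFilter applies the last matching rule (the quick keyword, which changes this, is not covered here); and a packet that matches no rule passes, consistent with the implied pass defaults in the NOTE above. The addresses 192.0.2.10 and 20.20.20.5 are constructed sample values.

```python
"""Parser and evaluator for the simplified HP-UX IPFilter rule syntax
described in section 3.2.  Added illustration, not HP-UX code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}   # IANA protocol numbers


@dataclass
class Rule:
    action: str                            # "pass" or "block"
    direction: str                         # "in" or "out"
    protos: Optional[frozenset]            # protocol numbers; None = any
    src: Optional[ipaddress.IPv4Network]   # None = any
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]


@dataclass
class Packet:                              # constructed packet summary
    direction: str
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_proto(tok):
    if tok == "tcp/udp":                   # literal covering both protocols
        return frozenset({6, 17})
    if tok in PROTO_NUMBERS:
        return frozenset({PROTO_NUMBERS[tok]})
    n = int(tok)                           # protocol_number form, 0-255
    if not 0 <= n <= 255:
        raise ValueError(f"protocol number out of range: {tok}")
    return frozenset({n})


def _parse_endpoint(toks, i, keyword):
    """Parse 'from|to addr[/prefix]|any [port = n]' starting at toks[i]."""
    if i + 1 >= len(toks) or toks[i] != keyword:
        raise ValueError(f"expected '{keyword}' clause")
    net = None if toks[i + 1] == "any" else ipaddress.IPv4Network(toks[i + 1], strict=False)
    i, port = i + 2, None
    if i < len(toks) and toks[i] == "port":
        if i + 2 >= len(toks) or toks[i + 1] != "=":
            raise ValueError("port clause must be 'port = number'")
        port = int(toks[i + 2])
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        i += 3
    return net, port, i


def parse_rule(line):
    toks = line.replace("=", " = ").split()
    if len(toks) < 3 or toks[0] not in ("pass", "block") or toks[1] not in ("in", "out"):
        raise ValueError(f"rule must start with pass|block in|out: {line!r}")
    action, direction, i, protos = toks[0], toks[1], 2, None
    if toks[i] == "proto":
        if i + 1 >= len(toks):
            raise ValueError("proto keyword needs a value")
        protos, i = _parse_proto(toks[i + 1]), i + 2
    if toks[i:] == ["all"]:                # 'all' replaces the whole ip_selector
        return Rule(action, direction, protos, None, None, None, None)
    src, sport, i = _parse_endpoint(toks, i, "from")
    dst, dport, i = _parse_endpoint(toks, i, "to")
    if i != len(toks):
        raise ValueError(f"unexpected tokens: {' '.join(toks[i:])}")
    # Assumption: ports are only meaningful with proto tcp, udp or tcp/udp
    if (sport is not None or dport is not None) and (protos is None or not protos <= {6, 17}):
        raise ValueError("port is only valid with proto tcp, udp or tcp/udp")
    return Rule(action, direction, protos, src, sport, dst, dport)


def load_rules(text):
    """Parse a rule file; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def rule_matches(rule, pkt):
    return (rule.direction == pkt.direction
            and (rule.protos is None or pkt.proto in rule.protos)
            and (rule.src is None or ipaddress.IPv4Address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.IPv4Address(pkt.dst) in rule.dst)
            and (rule.sport is None or pkt.sport == rule.sport)
            and (rule.dport is None or pkt.dport == rule.dport))


def decide(rules, pkt):
    """Assumption: the LAST matching rule wins (no 'quick'), and a packet
    matching no rule passes, consistent with the guide's implied defaults."""
    verdict = "pass"
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule.action
    return verdict


# Constructed ruleset assembled from the guide's own example rules
SAMPLE_RULESET = """
pass in all
block out all
block in proto tcp/udp from any to 20.20.20.0/24 port = 111   # portmap
"""
SAMPLE_RULES = load_rules(SAMPLE_RULESET)

if __name__ == "__main__":
    pkt = Packet("in", 6, "192.0.2.10", "20.20.20.5", sport=40000, dport=111)
    print(decide(SAMPLE_RULES, pkt))       # block
```

Because the last matching rule wins, ordering matters: the general pass in all is listed first and the more specific portmap block afterwards, so TCP or UDP to port 111 on 20.20.20.0/24 is dropped while other inbound traffic, and ICMP to the same subnet, still passes.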
28 Configuring and Loading IPv4 Filter Rules