HP-UX IPFilter Version 17 Administrator's Guide
3.8 Loading IPv4 Filter Rules
By default, HP-UX IPFilter starts on bootup and loads IPv4 filter rules from the
/etc/opt/ipf/ipf.conf file. If you do not want IPv4 filter rules to load on bootup, place your
rules in an alternate location and load them manually with the ipf command. The following
are the most commonly used ipf tasks:
• To add new rules to your ruleset from a file, use the -f option with the ipf command:
ipf -f rules_file
If a rule in the file is already loaded in the ruleset, IPFilter will print a message but continue
processing the file.
NOTE: When you load a ruleset, the new rules affect all matching packets immediately,
including packets that belong to established connections. For example, if you load a new rule
that blocks telnet packets, IPFilter blocks all telnet packets, including those of established
telnet sessions. The only exception is packets that match an entry in the IPFilter state table
(created by rules that keep state). For these packets, IPFilter continues to apply the action
recorded in the state entry (pass or block) until the entry times out or is deleted, such as
when the connection is closed.
• To flush all rules from your ruleset, use the ipf -Fa command:
ipf -Fa
• IPFilter maintains an active ruleset and an inactive ruleset. The active ruleset is the ruleset
used for IPFilter operations, and the inactive ruleset is a supplementary, reserve ruleset.
By default, IPFilter applies the flush (-F) and file (-f) operations to the active ruleset. You
can also explicitly direct IPFilter to apply an operation to the active ruleset with the -A
option. For example:
ipf -Fa -A -f /etc/opt/ipf/ipf.conf
This command flushes all previously configured rules (-Fa), reads the rules in the
/etc/opt/ipf/ipf.conf file (-f), and loads these rules as the active rules (-A). Note that
between the flush and the load, the active ruleset is empty.
• To apply the ipf action to the inactive ruleset, specify the -I option. For example, the
following command flushes all rules in the inactive ruleset and adds rules from the
/etc/opt/ipf/ipf.conf file to the inactive ruleset:
ipf -IFa -f /etc/opt/ipf/ipf.conf
• To swap the current active ruleset with the new inactive ruleset, specify the -s option:
ipf -s
After the swap, the previously active ruleset is held as the inactive ruleset, so running
ipf -s again restores it.
• To selectively flush only the inbound rules, specify the -Fi option. For example:
ipf -Fi
• To selectively flush only the outbound rules, specify the -Fo option. For example:
ipf -Fo
You can also specify the -Fi or -Fo option with a filename. This flushes the inbound or
outbound rules from the current ruleset, then reads in the rules from the specified file. For
example:
ipf -Fo -f /etc/opt/ipf/ipf.conf
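The following script, added here as an example and not part of the HP-UX IPFilter guide, combines the commands above into a reload procedure that never leaves the active ruleset empty: it stages the new file into the inactive ruleset with ipf -IFa -f, swaps it in with ipf -s, and keeps the old ruleset reachable for rollback with a second swap. The paths /sbin/ipf and /sbin/ipfstat and the function names are assumptions; override IPF and IPFSTAT if your binaries live elsewhere.

```shell
#!/bin/sh
# Added example for the HP-UX IPFilter guide, not code from the guide itself.
# Reload an IPv4 ruleset without a window in which no rules are loaded.
#
# Assumptions (not stated on the page): ipf and ipfstat are at /sbin unless
# IPF / IPFSTAT are set in the environment. Only ipf -IFa -f, ipf -s and
# ipfstat -io, which the guide documents, are used.

IPF=${IPF:-/sbin/ipf}
IPFSTAT=${IPFSTAT:-/sbin/ipfstat}

# Stage a rules file into the inactive ruleset, then swap it in.
# The active set keeps filtering while the file is read; the swap replaces it
# in one step, and the old active set survives as the new inactive set.
ipf_stage_and_swap() {
    rules_file=$1
    if [ ! -r "$rules_file" ]; then
        echo "ipf_stage_and_swap: cannot read $rules_file" >&2
        return 2
    fi
    # Flush the inactive set and load the new rules into it (ipf -IFa -f).
    "$IPF" -IFa -f "$rules_file" || return 1
    # Make the staged set active; the previous active set becomes inactive.
    "$IPF" -s || return 1
}

# Undo the last swap: the previous ruleset is still in the inactive slot.
# Only valid if nothing has been loaded into the inactive set since the swap.
ipf_rollback() {
    "$IPF" -s
}

# Show the inbound and outbound rules that are actually filtering now.
ipf_show_active() {
    "$IPFSTAT" -io
}

# Usage (as root):
#   . ./ipf-reload.sh
#   ipf_stage_and_swap /etc/opt/ipf/ipf.conf && ipf_show_active
#   ipf_rollback    # if the new rules turn out to be wrong
```

Compare this with ipf -Fa -A -f file, which flushes the active set before reading the file: if the file fails to parse, the host is left with no rules until you reload, whereas a failed stage leaves the active set untouched and nothing has been swapped.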
3.8.1 Verifying IPv4 Filter Rules
You can use the following commands to verify IPv4 filter rules:
• Use the ipfstat -io command to list the active inbound and outbound rules.