HP-UX IPFilter Version 17 Administrator's Guide

Use the ipf -V command to verify that IPFilter is running.
Use the ipfstat -ioh command to list the active inbound and outbound rules and the
number of hits, or matching packets, for each rule.
For more information about IPFilter utilities, see Chapter 10 (page 95).
3.8.2 Removing IPFilter Rules
You can use the following command to remove rules that are listed in a file from the ruleset:
ipf -r -f delete_rule_file
You can use this command when IPFilter is running.
3.9 Rule Tags
3.9.1 Log Tags
This tag is used in IPF rules to help with parsing log files. Use log tags to find a particular logged
packet belonging to an IPF rule.
For example, the following rule blocks all TCP packets from 10.1.1.42, has ipmon log them to syslog, and attaches
the log tag rule1 so that those entries can be picked out when parsing the log file:
block in log proto tcp from 10.1.1.42/32 to any set-tag(log=rule1)
3.9.2 NAT Tags
This tag creates an implied join between IPF rules and NAT rules. NAT tags are used in both IPF
rules and NAT rules. There are two kinds of NAT rules: map and rdr. The map rules are processed
in the OUT path and perform source address translation. The rdr rules are processed when packets enter
the system (the IN path) and perform destination address translation.
Use nat-tag in the rdr rule corresponding to the IPF rule in the IN path. Use nat-tag in the map
rule corresponding to the IPF rule in the OUT path. In the IN path, NAT processing takes place first,
followed by filter checking. In the OUT path, filter checking takes place first, followed by NAT
processing.
In the following example, nat-tag appears in both the rdr (NAT) rule and the IPF rule. The rdr rule redirects packets
addressed to 10.1.1.40 to 10.1.1.41. In the IPF rule, if the same packet comes from
10.1.1.42, it matches the rule and is blocked. If nat-tag in the rdr (NAT) rule is
changed to some other value, the IPF rule no longer matches even if the packet comes from
10.1.1.42, and the packet is allowed through.
rdr lan4 10.1.1.40/32 port 23 -> 10.1.1.41 tag test-tag
block in from 10.1.1.42 to 10.1.1.41 set-tag(nat=test-tag)
The following example allows the packet to 10.1.1.41, and the map rule changes the source address
from 10.1.1.42 to 10.1.1.40 if nat-tag matches. If nat-tag is changed to some other value in
the IPF rule, the map rule does not translate the source address, even if the packet comes
from 10.1.1.42.
pass out from 10.1.1.42 to 10.1.1.41 set-tag(nat=test-tag)
map lan4 10.1.1.42/32 -> 10.1.1.40 tag test-tag
For more information, see the ipnat(4) and ipf(4) manpages. See also Chapter 6 (page 63).
NOTE: This is available only on HP-UX 11i v3.
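The join between NAT tags and filter rules described in the two examples above, as an added illustration that is not part of this guide and not IPFilter's code: a small Python model of the IN path (rdr first, then filter) and the OUT path (filter first, then map) in which a filter rule's set-tag(nat=...) clause and a NAT rule's tag clause only take effect when the two tags agree. The Packet, NatRule and FilterRule types, exact-address matching, last-match-wins and a default of pass when no filter rule matches are modelling assumptions, not IPFilter's real matching semantics; the addresses and tags are the ones used in this section.

```python
"""Constructed model of nat-tag processing (not IPFilter source code).

IN path : rdr rule rewrites the destination and stamps its tag on the packet,
          then a filter rule with set-tag(nat=X) matches only if X == stamped tag.
OUT path: the filter rule attaches set-tag(nat=X) to the packet,
          then a map rule with "tag X" translates the source only if the tags agree.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    tag: Optional[str] = None      # nat-tag carried between the NAT and filter stages


@dataclass(frozen=True)
class NatRule:
    kind: str                      # "rdr" (IN path, rewrites dst) or "map" (OUT path, rewrites src)
    match: str                     # address the rule matches: dst for rdr, src for map
    port: Optional[int]            # rdr only; None means any port
    new: str                       # translated address
    tag: Optional[str] = None      # the "tag test-tag" clause


@dataclass(frozen=True)
class FilterRule:
    action: str                    # "block" or "pass"
    direction: str                 # "in" or "out"
    src: str                       # "any" matches every address (modelling simplification)
    dst: str
    nat_tag: Optional[str] = None  # the "set-tag(nat=...)" clause


def _addr_match(rule_addr: str, addr: str) -> bool:
    return rule_addr == "any" or rule_addr == addr


def _filter(pkt: Packet, rules: List[FilterRule], direction: str) -> Tuple[str, Packet]:
    """Filter stage. Assumption: last matching rule wins and the default is pass."""
    action, matched = "pass", None
    for r in rules:
        if r.direction != direction:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if direction == "in" and r.nat_tag is not None and r.nat_tag != pkt.tag:
            continue               # IN path: the rdr-stamped tag must equal the rule's nat-tag
        action, matched = r.action, r
    if direction == "out" and matched is not None:
        pkt = replace(pkt, tag=matched.nat_tag)   # OUT path: filter rule attaches the tag for map
    return action, pkt


def _nat(pkt: Packet, rules: List[NatRule], kind: str) -> Packet:
    """Apply the first applicable rdr (IN path) or map (OUT path) rule."""
    for r in rules:
        if r.kind != kind:
            continue
        if kind == "rdr" and pkt.dst == r.match and (r.port is None or r.port == pkt.dport):
            return replace(pkt, dst=r.new, tag=r.tag)      # rdr stamps its tag on the packet
        if kind == "map" and pkt.src == r.match and (r.tag is None or r.tag == pkt.tag):
            return replace(pkt, src=r.new)                 # map fires only if the tags agree
    return pkt


def process_in(pkt: Packet, nat: List[NatRule], flt: List[FilterRule]) -> Tuple[str, Packet]:
    """IN path: NAT (rdr) first, then filter checking."""
    return _filter(_nat(pkt, nat, "rdr"), flt, "in")


def process_out(pkt: Packet, nat: List[NatRule], flt: List[FilterRule]) -> Tuple[str, Packet]:
    """OUT path: filter checking first, then NAT (map)."""
    action, pkt = _filter(pkt, flt, "out")
    return (action, pkt) if action == "block" else (action, _nat(pkt, nat, "map"))


def inbound_example(rdr_tag: str = "test-tag") -> Tuple[str, Packet]:
    """rdr lan4 10.1.1.40/32 port 23 -> 10.1.1.41 tag <rdr_tag>
       block in from 10.1.1.42 to 10.1.1.41 set-tag(nat=test-tag)"""
    nat = [NatRule("rdr", "10.1.1.40", 23, "10.1.1.41", rdr_tag)]
    flt = [FilterRule("block", "in", "10.1.1.42", "10.1.1.41", "test-tag")]
    return process_in(Packet("10.1.1.42", "10.1.1.40", 23), nat, flt)


def outbound_example(filter_tag: str = "test-tag") -> Tuple[str, Packet]:
    """pass out from 10.1.1.42 to 10.1.1.41 set-tag(nat=<filter_tag>)
       map lan4 10.1.1.42/32 -> 10.1.1.40 tag test-tag"""
    flt = [FilterRule("pass", "out", "10.1.1.42", "10.1.1.41", filter_tag)]
    nat = [NatRule("map", "10.1.1.42", None, "10.1.1.40", "test-tag")]
    return process_out(Packet("10.1.1.42", "10.1.1.41", 23), nat, flt)


if __name__ == "__main__":
    print(inbound_example())          # tags agree: packet redirected to 10.1.1.41 and blocked
    print(inbound_example("other"))   # rdr tag changed: filter rule no longer matches, passed
    print(outbound_example())         # tags agree: source translated to 10.1.1.40
    print(outbound_example("other"))  # filter tag changed: map does not translate, src stays
```

Changing either tag in the model reproduces the behaviour the section describes: the inbound block rule stops matching as soon as the rdr rule carries a different tag, and the outbound map rule stops translating as soon as the pass rule carries a different tag, so a tag mismatch silently widens what is allowed or leaves addresses untranslated rather than producing an error.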
3.9 Rule Tags 43