HP-UX IPFilter Version 17 Administrator's Guide

4.2 Features Not Supported with IPv6
The following features are not supported with IPv6:
• IPFilter NAT functionality and the associated commands and utilities.
• Dynamic Connection Allocation (DCA) on HP-UX 11i v1 systems. DCA is not supported with IPv6 addresses on HP-UX 11i v1 systems, but is supported on HP-UX 11i v2 and HP-UX 11i v3 systems.
• The scripts and files used to generate and load IPFilter rules for Remote Procedure Call (RPC) ports, including /etc/opt/ipf/rpc.ipf.
• The ipftest utility
• IPFilter group rules
• Address pools
4.3 IPv6 Filter Rule Syntax Differences
The syntax for IPv6 filter rules is the same as the syntax for IPv4 rules, with the following differences and enhancements:
• “Specifying Addresses” (page 46)
• “Filtering ICMPv6 Packets” (page 46)
• “IPv6 Extension Headers” (page 47)
• “Filtering Tunneled Packets” (page 47)
• “Filtering IPv6 Fragments” (page 48)
• “Sending ICMPv6 Responses” (page 48)
Other filter rule features and syntax rules, such as TCP flags, stateful filtering for TCP and UDP, redirecting packets to other interfaces, and rule groups, are the same for IPv6 and IPv4.
4.3.1 Specifying Addresses
Specify IPv6 addresses in colon-hexadecimal notation. You can use two colons (::) once in an address to indicate a series of 0s. For example, use the following rule to block an inbound telnet connection:
    block in proto tcp from 2001:db8::1 to 2001:db8::2 port = 23
You can specify the all and any keywords in IPv6 rules. For example, you can create the following rule for IPv6 packets:
    block in from any to any
Although the previous rule is valid for both IPv4 and IPv6 packets, IPFilter applies it to IPv6 packets if you add it to the IPv6 filter configuration file and load it using the IPv6 (-6) option with the ipf command, as described in “Loading IPv6 Filter Rules” (page 49).
Rules cannot contain both IPv4 and IPv6 addresses. For example, the following rule is not valid:
    pass in proto tcp from 10.1.1.1 to 2001:db8::2
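The two address constraints above (a single :: per address, and no mixing of IPv4 and IPv6 addresses in one rule) can be checked before a rules file is loaded. The following Python sketch is an added example, not part of the HP guide or of IPFilter; the function names and the sample rules file are constructed for illustration, and it looks only at the address that follows the from and to keywords.

```python
import ipaddress

WILDCARDS = {"any", "all"}   # keywords the guide allows in place of an address

def address_family(token):
    """Return 4 or 6 for a literal address, None for any/all or a non-literal.
    Raises ValueError for a malformed IPv6 literal (for example '::' used twice)."""
    host = token.lstrip("!").split("/", 1)[0]   # drop negation and prefix length
    if host in WILDCARDS:
        return None
    if ":" in host:
        ipaddress.IPv6Address(host)
        return 6
    try:
        ipaddress.IPv4Address(host)
        return 4
    except ValueError:
        return None   # host name or other token; not judged here

def lint_ipv6_rules(text):
    """Return (line_number, message) pairs for rules that break section 4.3.1."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.split("#", 1)[0].split()   # ignore comments
        families = set()
        for keyword in ("from", "to"):
            if keyword not in words[:-1]:       # keyword absent or has no operand
                continue
            token = words[words.index(keyword) + 1]
            try:
                families.add(address_family(token))
            except ValueError:
                problems.append((lineno, f"malformed IPv6 address {token}"))
        if {4, 6} <= families:
            problems.append((lineno, "mixes IPv4 and IPv6 addresses"))
    return problems

# Constructed sample rules file: lines 2-4 are the guide's examples, line 5 is malformed.
SAMPLE_RULES = """\
# constructed sample IPv6 rules file
block in proto tcp from 2001:db8::1 to 2001:db8::2 port = 23
block in from any to any
pass in proto tcp from 10.1.1.1 to 2001:db8::2
block in from 2001:db8::1::5 to any
"""

if __name__ == "__main__":
    for lineno, message in lint_ipv6_rules(SAMPLE_RULES):
        print(f"line {lineno}: {message}")
```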
4.3.2 Filtering ICMPv6 Packets
To filter ICMPv6 messages by type and code, specify proto icmpv6 (or proto ipv6icmp) and use the keywords icmpv6-type and code. See “Filtering ICMPv6 Packets by Type and Code (icmpv6-type and code)” (page 106) for more information.
4.3.2.1 Stateful ICMPv6
IPFilter can retain state information for ICMPv6 Request-Response messages. The only supported
message types are Echo Request and Echo Reply.
46 Configuring and Loading IPv6 Filter Rules