HP-UX IPFilter Version 17 Administrator's Guide
8 Tips for Securing Your System
This chapter describes specific configuration procedures for HP-UX IPFilter. It contains concepts
for basic and advanced firewall design using HP-UX IPFilter features.
It contains the following sections:
• “Blocking Services by Port Number and Protocol” (page 75)
• “Creating a Complete Filter by Interface” (page 76)
• “Combining IP Address and Network Interface Filtering” (page 76)
• “Using Bidirectional Filtering” (page 77)
• “Using HP-UX IPFilter with End System Security Features” (page 77)
NOTE: Most of the information in this chapter has been derived from the IP Filter-based
Firewalls HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this
document at http://www.obfuscation.org/ipf/.
8.1 Blocking Services by Port Number and Protocol
To create a ruleset that explicitly passes packets for a specific service or services, but blocks all
other traffic:
1. Configure pass rules with the quick keyword to allow packets for specific services by port
number and protocol.
2. At the end of the ruleset, configure a rule to block all traffic (block in all).
NOTE: You must use the quick keyword in the pass rules so that IPFilter stops processing
rules as soon as it finds a rule that matches a packet. Using quick rules enables you to
configure the most specific rules first, followed by less specific rules.
8.1.1 Example: Firewall on a Web Server
For example, to create a firewall on a Web server that will accept connections on TCP port 80
only, configure the following ruleset:
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 80
block in all
This system will pass in port 80 traffic for 20.20.20.1 and deny all other traffic. This ruleset provides
a basic firewall.
8.1.2 Example: Firewall for Multiple Services
To configure IPFilter for effective security, use several techniques and building blocks together.
For example, you can configure rules to allow rsh, rlogin, and telnet to run only on your
internal network. Your internal network subnet is 20.20.20.0/24. All three services use specific
TCP ports (513, 514, and 23). Configure the following rules in the order shown:
pass in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 513
pass in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 514
pass in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 23
block in all
Be sure the rules for the services are placed before the block in all rule to block access to
them from systems outside your network.
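The following Python model, added here as an illustration and not taken from the HP-UX guide or from IPFilter, evaluates the rulesets in this section the way the NOTE above describes: rules are read top to bottom, the last matching rule wins, and a matching rule marked quick ends the search. It also shows what happens to the Web server ruleset of 8.1.1 when quick is omitted: the trailing block in all becomes the last match and the port 80 traffic is blocked. The parser handles only the inbound rule shapes used in this chapter, and the default verdict when no rule matches (pass) is an assumption of the model.

```python
"""Model of HP-UX IPFilter rule matching for the rulesets in this section.
Added illustration only, not code from the HP-UX guide or from IPFilter.
Assumed semantics: rules are read top to bottom and the LAST matching rule
wins, unless a matching rule carries 'quick', which ends evaluation at once.
With no matching rule at all the packet passes."""
import ipaddress
import re

# Only the inbound rule shapes used in this chapter are parsed.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) in(?: log)?(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: proto (?P<proto>tcp|udp))? from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\d+))?$")
ALL_RE = re.compile(r"^(?P<action>pass|block) in all$")

def parse_rule(line):
    """Turn one ipf.conf line into a dict of match fields."""
    m = RULE_RE.match(line.strip())
    if m:
        r = m.groupdict()
        r["quick"] = r["quick"] is not None
        r["port"] = int(r["port"]) if r["port"] else None
        return r
    if ALL_RE.match(line.strip()):
        return {"action": line.split()[0], "quick": False, "iface": None,
                "proto": None, "src": "any", "dst": "any", "port": None}
    raise ValueError("unsupported rule: " + line)

def _addr_match(spec, addr):
    return spec == "any" or (ipaddress.ip_address(addr)
                             in ipaddress.ip_network(spec, strict=False))

def decide(ruleset, pkt):
    """Return 'pass' or 'block' for pkt = dict(iface, proto, src, dst, port)."""
    verdict = "pass"
    for r in map(parse_rule, ruleset):
        if r["iface"] and r["iface"] != pkt["iface"]:
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            continue
        if r["port"] is not None and r["port"] != pkt["port"]:
            continue
        verdict = r["action"]   # last match wins so far ...
        if r["quick"]:
            break               # ... unless 'quick' ends the search here
    return verdict
```

Feeding the ruleset of 8.1.2 to decide() with a constructed TCP port 23 packet for 20.20.20.5 yields pass, while a UDP port 514 packet to the same host falls through the three TCP rules to block in all.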
To block UDP instead of TCP, replace proto tcp with proto udp. For example, you can block
messages for syslog (UDP port 514) with the following rule:
block in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 514
8.1 Blocking Services by Port Number and Protocol 75