HP-UX IPFilter Version 17 Administrator's Guide
The following ruleset blocks packets from private address blocks and the loopback address block
received on lan0:
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
pass in all
If you have an internal network, you can also ensure that packets carrying a source address from
that network arrive only from that network. A packet with an internal-network source address that
arrives on a dialup interface is spoofed and should be blocked by IPFilter.
For example, if your internal network subnet is 20.20.20.0/24, use the following rules to keep
traffic from the internal subnet from passing through on the external lan0 interface:
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in quick on lan0 from 20.20.20.0/24 to any
pass in all
8.4 Using Bidirectional Filtering
You can use bidirectional filtering to limit packets leaving a system to those that come from a
specific subnet. For example, to limit traffic passing out of the IPFilter system to packets coming
from the 20.20.20.0/24 subnet, configure the following rules:
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
If a packet originates from IP address 20.20.20.1/32, it is sent out by the first rule. If a packet
originates from IP address 1.2.3.4/32, it is blocked by the second rule.
You can also configure similar rules for non-routable addresses. If a system routes a packet
through IPFilter with a destination of 192.168.0.0/16, you can drop it to save bandwidth. Use the
following ruleset:
block out quick on lan0 from any to 192.168.0.0/16
block out quick on lan0 from any to 172.16.0.0/12
block out quick on lan0 from any to 10.0.0.0/8
This enhances the security of other systems. Spoofed packets cannot be sent from your site.
NOTE: The in and out directions refer to the IPFilter system only.
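To make the anti-spoofing and bidirectional rulesets above concrete, here is an added example (not HP-UX IPFilter code) that evaluates single packets against the rule subset used on this page, applying IPFilter's last-match-wins semantics and the short-circuit effect of quick; the interface and address values are the ones from the rulesets above.

```python
import ipaddress

# Added example (not HP-UX IPFilter code): evaluator for the rule subset used
# above, i.e. "<action> <in|out> [quick] [on <iface>] from <net>|any to
# <net>|any" and the catch-all form "<action> <in|out> all".

# Ingress anti-spoofing ruleset from the text (internal subnet 20.20.20.0/24).
ANTI_SPOOF_IN = """
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in quick on lan0 from 20.20.20.0/24 to any
pass in all
"""

# Egress ruleset from the text: only the internal subnet may leave via lan0.
EGRESS_OUT = """
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
"""

def parse_rule(line):
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
            "iface": None, "src": "any", "dst": "any"}
    for key, word in (("iface", "on"), ("src", "from"), ("dst", "to")):
        if word in toks:
            rule[key] = toks[toks.index(word) + 1]
    return rule

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(ruleset, direction, iface, src, dst):
    """Verdict for one packet: the LAST matching rule wins, except that a
    matching rule marked 'quick' ends evaluation immediately. No match falls
    through to pass here; every ruleset on this page ends with a catch-all."""
    verdict = "pass"
    for line in ruleset.strip().splitlines():
        r = parse_rule(line)
        if r["dir"] != direction or (r["iface"] and r["iface"] != iface):
            continue
        if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)):
            continue
        verdict = r["action"]
        if r["quick"]:
            break
    return verdict
```

A packet claiming source 20.20.20.5 that arrives on lan0 is blocked, while the same source on another interface is not, which is exactly the interface scoping that the on lan0 clause provides.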
8.5 Using HP-UX IPFilter with End System Security Features
You can use HP-UX IPFilter on end systems to complement their local security features. The
following example ruleset is configured to run on a system that also uses TCP Wrapper to protect
its network services.
pass in quick on lan0 all
pass out quick on lan0 all
block in log all
block out all
pass in quick proto tcp from any to any port = 113 flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags
This IPFilter ruleset provides enhanced protection for the system and services using TCP Wrapper.
Any security holes left by TCP Wrapper are plugged.