HP-UX IPFilter Version 17 Administrator's Guide
syslog. The shell command can be an alert mailed to the administrator or an IPFilter command
to update filter rules. For more information, see the ipmon(4) manpage.
NOTE: This is available only on HP-UX 11i v3.
9.3.3.1 Syntax
ipmon -C <ipmon.conf file>
9.3.3.2 ipmon.conf File Syntax
match {<matching rules>} do {<action>}
If a UDP packet arrives from 10.1.1.41 and is blocked by the configured IPF rules, ipmon
sends mail to the root account with the subject "blocked UDP packet from 10.1.1.41".
For example:
match { srcip = 10.1.1.41/32, protocol = udp, result = block }
do {execute "/usr/bin/mail -s 'blocked UDP packet from 10.1.1.41' root" };
If an ICMP packet is going to 10.1.1.40 and is passed by the configured IPF rules, ipmon
logs the packet to syslog. For example:
match { dstip = 10.1.1.40/32, protocol = icmp, result = pass }
do { syslog };
If a packet arrives on interface lan4 and matches a keep state rule, ipmon logs it to syslog
and also saves the log entry in the separate file /state_save. For example:
match {interface = lan4, type = state}
do { syslog, save "/state_save" };
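The execute action above runs a shell command; the guide also allows that command to be an IPFilter command that updates the filter rules. The following helper is an added example, not part of the guide or of the HP-UX IPFilter product: a hypothetical script /usr/local/sbin/ipf-block-src that an ipmon.conf rule could call to add a "block in quick" rule for a source address by feeding it to ipf -f - (stdin). The ipmon.conf rule in the header comment, the script path, the /sbin/ipf location and the use of logger(1) are assumptions. Because the command runs with ipmon's privileges, the script validates the address and protocol before building rule text, so that a value derived from packet data can never smuggle extra rules or shell syntax into ipf.

```shell
#!/bin/sh
# ipf-block-src: hypothetical helper for an ipmon.conf "execute" action.
# Assumed ipmon.conf rule (same syntax as the guide's examples):
#   match { srcip = 10.1.1.41/32, protocol = udp, result = block }
#   do { execute "/usr/local/sbin/ipf-block-src 10.1.1.41 udp" };
#
# Builds a "block in quick" rule for the given source and loads it into
# the active rule set with "ipf -f -" (rules read from stdin).

# valid_ipv4 ADDR -> status 0 only for a dotted quad with octets 0-255
valid_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty octet
    esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1                 # exactly four octets
    for o in "$@"; do
        [ "${#o}" -le 3 ] || return 1
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_block_rule ADDR PROTO -> prints the IPFilter rule text, or fails
# (and prints nothing) when either argument is not acceptable.
build_block_rule() {
    valid_ipv4 "$1" || return 1
    case "$2" in
        tcp|udp|icmp) proto=$2 ;;
        *) return 1 ;;
    esac
    printf 'block in quick proto %s from %s/32 to any\n' "$proto" "$1"
}

# Entry point when run as a command. Touches the kernel only when ipf exists
# at the assumed HP-UX location; elsewhere it just reports the rule.
if [ "$#" -eq 2 ]; then
    rule=$(build_block_rule "$1" "$2") || {
        echo "ipf-block-src: rejected arguments: $*" >&2
        exit 2
    }
    if [ -x /sbin/ipf ]; then
        printf '%s\n' "$rule" | /sbin/ipf -f -
        logger -t ipf-block-src "added rule: $rule"
    else
        echo "ipf-block-src: ipf not found; would add: $rule" >&2
    fi
fi
```

Rules added this way are lost when the rule set is reloaded from /etc/opt/ipf/ipf.conf, which is the intended behaviour for a temporary reaction; a permanent block still belongs in the configuration file.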
9.4 Troubleshooting Tips
This section describes how to troubleshoot an HP-UX IPFilter configuration. It provides
information about possible problems that might occur along with the steps needed to resolve
them.
• HP-UX IPFilter is not filtering packets (it passes/allows all network packets).
On HP-UX 11i v3 systems, verify that HP-UX IPFilter is enabled by entering the following
command:
ipfilter -q
If IPFilter is not enabled, enable it by entering the following command:
ipfilter -e
Load the rulesets after enabling IPFilter. See “Loading IPv4 Filter Rules” (page 42).
On all HP-UX versions, verify that HP-UX IPFilter is running by entering the following
command:
ipf -V
The Running field should say yes. If it says no, the HP-UX IPFilter module has not
been loaded; it might have been explicitly unloaded.
To load IPFilter again, use:
/sbin/init.d/ipfboot start
To determine if the HP-UX IPFilter DLKM modules are loaded, execute either the
kmadmin(1M) command on HP-UX 11i v1 or the kcmodule(1M) command on HP-UX 11i
v2 and HP-UX 11i v3. See the respective manpages for more information.
Load the rules and check again that IPFilter filters packets. If it still does not, reboot the
system and check /etc/rc.log and /var/adm/syslog/syslog.log for errors.
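The checks above can be scripted so that the ipf -V output is interpreted the same way every time. The following triage helper is an added example, not part of the guide: it reads the Running and Default fields from ipf -V output and prints the recovery step the guide gives for that state. The two sample outputs are constructed for offline use, the field layout "Running: yes|no" and "Default: pass all, ..." is assumed from the guide's description, and /sbin/ipf is the assumed location of the command; on a system without ipf the script falls back to the samples.

```shell
#!/bin/sh
# ipf-health: hypothetical helper that interprets "ipf -V" output.
# Sample outputs below are constructed; field names follow the assumed layout.

SAMPLE_IPF_V_RUNNING='ipf: IP Filter: v4.1.20 (592)
Kernel: IP Filter: v4.1.20
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0'

SAMPLE_IPF_V_STOPPED='ipf: IP Filter: v4.1.20 (592)
Kernel: IP Filter: v4.1.20
Running: no
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0'

# ipf_running_field TEXT -> prints "yes", "no", or "unknown"
ipf_running_field() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "Running" { print tolower($2); found = 1; exit }
        END { if (!found) print "unknown" }'
}

# ipf_default_policy TEXT -> prints "pass", "block", or "unknown"
# (the policy applied when no rule matches; "pass" with no rules loaded
# is exactly the "passes all packets" symptom the guide describes)
ipf_default_policy() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "Default" { split($2, w, " "); print w[1]; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# ipf_diagnose TEXT -> prints the next step the guide recommends
ipf_diagnose() {
    running=$(ipf_running_field "$1")
    policy=$(ipf_default_policy "$1")
    case "$running" in
        yes) echo "module running, default policy '$policy': (re)load the rule set and test again" ;;
        no)  echo "module not loaded: run /sbin/init.d/ipfboot start, then load the rule set" ;;
        *)   echo "unexpected ipf -V output: check kcmodule(1M)/kmadmin(1M) and /var/adm/syslog/syslog.log" ;;
    esac
}

# Live check when the real command is present (assumed path); otherwise
# demonstrate on the constructed sample. On HP-UX 11i v3 also confirm the
# product is enabled with "ipfilter -q" before trusting this result.
if [ -x /sbin/ipf ]; then
    ipf_diagnose "$(/sbin/ipf -V 2>&1)"
else
    ipf_diagnose "$SAMPLE_IPF_V_STOPPED"
fi
```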
• The host does not seem to be on the network and ping messages do not go through.
92 Troubleshooting HP-UX IPFilter