HP-UX IPFilter Version 17 Administrator's Guide
Check the rules you have configured using ipfstat -io. This command will display the
active inbound and outbound rules.
NOTE: If you are using /etc/opt/ipf/ipf.conf as your rules file, then IPFilter will
load it at boot time. The IPFilter startup script /sbin/init.d/ipfboot:
— Loads the IPFilter module.
— Starts the logging daemon, ipmon.
— Loads any uncommented rules in the /etc/opt/ipf/ipf.conf file.
— Loads any uncommented rules in the /etc/opt/ipf/ipf6.conf file if IPv6 is enabled
on the system.
If your rules file blocks packets for network services, so that the last effective rule
amounts to “block in all,” the boot sequence might not complete. This can happen, for
example, when sendmail, SNMP, and NIS are configured on the system.
• Nothing is logged.
Verify the following:
ipf -V should show the logging file as available.
ps -ef|grep ipmon to verify if ipmon is running. During bootup, ipmon is started. If it
is not running, start it by using:
ipmon -s -D
The -s option specifies that the log records go to /var/adm/syslog/syslog.log and
the -D option directs ipmon to run as a daemon in the background.
• Errors occur when loading rules.
# ipf -f rule_file
ioctl (add/insert rule); File Exists
This occurs when you try to add a rule that is already loaded. Use the following command
to load rules:
ipf -Fa -f rulefile
The -Fa option will flush any previous rules present and all rules will be reloaded.
In addition, you can use ipftest to test a set of filter rules without having to put them in
place. See the ipftest(1) manpage for more information on this tool.
• IPFilter rules changed after using Bastille/Install-Time-Security level.
If you configure an IPFilter ruleset using Install-Time-Security level, or use HP-UX Bastille
interactively to reconfigure IPFilter rules, existing rules will be overwritten. This will change
IPFilter behavior.
To reinsert your rules into the Bastille-setup firewall rules, edit
/etc/opt/sec_mgmt/bastille/ipf.customrules, and run bastille -b -f config file. Alternatively,
to remove all of the security hardening performed by Bastille, including the firewall
configuration, run bastille -r. For more information, see the Bastille documentation.
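
The boot-time risk described in the NOTE above (a rules file whose last effective rule amounts to “block in all”) can be checked before the file is loaded. The following sh/awk lint is an added example, not part of this guide or of IPFilter. It assumes a simplified model (last matching rule wins unless the rule is "quick"; rule groups and per-interface or per-protocol blocks are ignored); the function name ipf_boot_lint and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide). Flags a rules file whose last
# effective inbound rule amounts to "block in all" before ipfboot loads it.
# Assumed model: last matching rule wins unless "quick"; rule groups ignored.
ipf_boot_lint() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # ipfboot loads only uncommented rules
    stop { next }                           # nothing after "block in quick all" is reached
    {
        sub(/[ \t]*#.*$/, ""); $1 = $1      # drop trailing comment, squeeze blanks
        quick = ($0 ~ / quick /)
        if ($1 == "block" && $2 == "in" && $NF == "all" && $0 !~ / (on|proto) /) {
            risk = pass_quick ? 0 : NR      # an earlier "pass in quick" still escapes
            if (quick) stop = 1
        } else if ($1 == "pass" && $2 == "in") {
            if (quick) pass_quick++
            risk = 0                        # a later pass overrides a non-quick block
        }
    }
    END {
        if (risk) { print "RISK line " risk; exit 1 }
        print "OK"
    }' "$@"
}

# Constructed sample: the pass rule is not "quick", so the later block wins.
sample_risky() {
    cat <<'EOF'
# constructed sample rules
pass in proto tcp from any to any port = 25
block in all
EOF
}

# Constructed sample: default-deny first, then explicit passes.
sample_ok() {
    cat <<'EOF'
block in all
pass in quick on lo0 all
pass in proto tcp from any to any port = 25 keep state
EOF
}

sample_risky | ipf_boot_lint || true    # prints: RISK line 3
sample_ok | ipf_boot_lint               # prints: OK
```

The function also accepts a file name, for example ipf_boot_lint /etc/opt/ipf/ipf.conf, and returns a nonzero status on RISK. It complements ipftest, which evaluates rules against specific packets.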
9.4 Troubleshooting Tips