HP-UX IPFilter V17 Release Notes
HP-UX 11i v2 and HP-UX 11i v3

HP Part Number: 5900-0396A
Published: October 2009
Edition: 1
© Copyright 2001-2009 Hewlett-Packard Development Company, L.P.

Legal Notices
The information contained herein is subject to change without notice.

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. U.S.
Table of Contents
1 About this Product ... 7
1.1 Benefits and Features ... 7
2 New Features in this Release ... 9
2.1 Rate-Based Filtering ...
.4 Other Requirements ... 17
4.5 Disk Space Required for Installation ... 18
5 Known Issues and Workarounds ... 19
6 Other Product Information ...
List of Tables
6-1 HP-UX IPFilter Supported Interfaces ...
1 About this Product

HP-UX IPFilter, product number B9901AA version 17, is a TCP/IP packet filter suitable for use as a system firewall to protect back-end servers. The firewall functions as a security defense by cutting down the number of exposure points on a machine. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product (developed by Darren Reed), HP does not support some of the perimeter firewall features in that release.
• Drops all fragmented traffic if specified by rule
• Redirects packets for forensic analysis if specified by rule
• Creates extensive logs when required
• Supports IPv6
2 New Features in this Release

IMPORTANT: The following new features are supported on HP-UX 11i v3 only.

2.1 Rate-Based Filtering
This feature controls packet flow by defining the rate (packets per second) of matching packets passing through a machine. It is useful for limiting the impact of a SYN/ACK flood. For example, to allow 10 outbound packets per second from any source address to the destination address 10.1.1.42:

    pass out from any to 10.1.1.42/32 pps 10

2.
You can override the TCP default value when the connection is closed using the fr_tcptimewait tunable, or by using the age option on a per-rule basis. The value specified in the rule gets priority over the tunable value set at system level. The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, only TCP is supported. NAT provides the frnat_tcptimewait tunable to set the system level timeout.

2.4 Rule Tags
2.4.
syslog. The shell command can be an alert mailed to the administrator or an IPFilter command to update filter rules. For more information, see the ipmon(4) manpage.

2.8 Rule Groups
Filter rule groups are enhanced to allow referencing by names in addition to numbers.

2.
3 Fixes in this Release

3.1 Fixes for HP-UX 11i v3

3.1.1 QXCR1000923645—Provide tunable to enable/disable NAT functionality.
The new ipnat_enable tunable is provided to enable/disable NAT functionality. By default, this tunable is set to 1. If you do not use NAT functionality, disabling this tunable will improve performance.

3.1.2 QXCR1000923671—Enhancement to list interfaces not covered.
The -l option to ipfilter is provided.
3.1.9 QXCR1000971666—ipfboot stop forces ip_forward_directed_broadcasts back to 1
ip_forward_directed_broadcasts is an ndd tunable that enables broadcast messages to pass through the system. When IPFilter is enabled, the IPFilter startup rc script, ipfboot, is executed as ipfboot start. The ipfboot script sets the ip_forward_directed_broadcasts value to "0" using the ndd command:

    /usr/bin/ndd -set /dev/ip ip_forward_directed_broadcasts 0

This value is set to stop broadcast storms for security reasons.
Prior to this fix, if you set the ip_forward_directed_broadcasts value to "0" in nddconf, the ipfboot stop script reset the value back to "1" without referring to the nddconf file. Now, the /etc/rc.config.d/nddconf file is checked when ipfboot stop is executed. If the ip_forward_directed_broadcasts value is set in nddconf to 0 or 1, the ip_forward_directed_broadcasts value is not modified by the ipfboot script with the ndd command.

3.
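The following shell script is an added example and is not HP's ipfboot script or any part of the release notes. It reproduces the post-fix decision described in 3.1.9 so that the behaviour can be checked offline: a stop script may only set ip_forward_directed_broadcasts back to 1 when /etc/rc.config.d/nddconf does not pin it. The script assumes the indexed nddconf format (TRANSPORT_NAME[n], NDD_NAME[n], NDD_VALUE[n] lines); the sample nddconf content, its temporary path and the tcp_syn_rcvd_max entry are constructed for the example. The ndd command is only echoed, never executed.

```shell
#!/bin/sh
# Added example, not HP's ipfboot script: reproduce the post-fix decision
# described in 3.1.9. A stop script may only reset
# ip_forward_directed_broadcasts when /etc/rc.config.d/nddconf does not
# pin it to 0 or 1. nddconf entries are indexed triples
# TRANSPORT_NAME[n]=, NDD_NAME[n]=, NDD_VALUE[n]=.

# Constructed sample nddconf, written to a temp file so the example runs
# offline; the path and the tcp_syn_rcvd_max entry are illustrative only.
SAMPLE_NDDCONF="${TMPDIR:-/tmp}/nddconf.example.$$"
trap 'rm -f "$SAMPLE_NDDCONF"' EXIT
cat > "$SAMPLE_NDDCONF" <<'EOF'
# constructed /etc/rc.config.d/nddconf for this example
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_forward_directed_broadcasts
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=tcp
NDD_NAME[1]=tcp_syn_rcvd_max
NDD_VALUE[1]=4096
EOF

# nddconf_value FILE TUNABLE
# Print the NDD_VALUE[n] whose NDD_NAME[n] equals TUNABLE; return 1 and
# print nothing when FILE does not list the tunable.
nddconf_value() {
    awk -v want="$2" '
        function key_index(s,  t) { t = substr(s, index(s, "[") + 1); return substr(t, 1, index(t, "]") - 1) }
        function after_eq(s)      { return substr(s, index(s, "=") + 1) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^NDD_NAME\[/  { idx = key_index($0); name[idx]  = after_eq($0) }
        /^NDD_VALUE\[/ { idx = key_index($0); value[idx] = after_eq($0) }
        END {
            found = 0
            for (i in name) if (name[i] == want && (i in value)) { print value[i]; found = 1; break }
            exit (found ? 0 : 1)
        }' "$1"
}

# ipf_stop_should_reset FILE
# Return 0 when a stop script may set the tunable back to 1 (nddconf is
# silent about it), 1 when nddconf pins it to 0 or 1 and it must be left alone.
ipf_stop_should_reset() {
    v=$(nddconf_value "$1" ip_forward_directed_broadcasts) || return 0
    case "$v" in
        0|1) return 1 ;;
        *)   return 0 ;;
    esac
}

# Stand-alone demonstration; the ndd command is only echoed, never run.
if ipf_stop_should_reset "$SAMPLE_NDDCONF"; then
    echo "nddconf is silent: stop script would run: ndd -set /dev/ip ip_forward_directed_broadcasts 1"
else
    echo "nddconf pins ip_forward_directed_broadcasts: stop script leaves it alone"
fi
```

With the constructed nddconf the tunable is pinned to 0, so ipf_stop_should_reset returns 1 and the stop path leaves directed broadcasts disabled, which is the hardened state the startup script established.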
4 Compatibility Information and Installation Requirements

4.1 Software Requirements
The system must have standard HP-UX 11i v2 or HP-UX 11i v3 core products installed. The following patches are required:

NOTE: For HP-UX 11i v2, no patches are required, but HP recommends that you install the HP-UX 11i v2 December 2006 update.

• If you are using HP-UX IPFilter IPv6 functionality on 11i v2, you must install the latest Transport GR patch.
    pass out quick proto icmpv6 from any to any icmpv6-type 135
    pass out quick proto icmpv6 from any to any icmpv6-type 136

The following is additional information about message types 133-136:
• 133—Router solicitation
• 134—Router advertisement
• 135—Neighbor solicitation
• 136—Neighbor advertisement

4.5 Disk Space Required for Installation
This product requires 10MB of disk space.
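The following shell script is an added example, not part of the HP release notes, for the ICMPv6 neighbor discovery rules in section 4 above. Before a rule file is loaded, it reports which of the four message types 133-136 lack an uncommented pass rule in a given direction, so an administrator can compare the file against the rules the section calls for. The ipf.conf fragment, its temporary path and the deliberately missing rules (out 134, in 133) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the HP release notes: check an ipf.conf for
# pass rules covering the four IPv6 neighbor discovery message types
# (133-136) in a given direction, before the file is loaded with ipf.

# Constructed ipf.conf fragment; the missing rules (out 134, in 133) are
# deliberate so the check has something to report.
SAMPLE_IPFCONF="${TMPDIR:-/tmp}/ipf.conf.example.$$"
trap 'rm -f "$SAMPLE_IPFCONF"' EXIT
cat > "$SAMPLE_IPFCONF" <<'EOF'
# constructed ipf.conf for this example
block in all
block out all
pass out quick proto icmpv6 from any to any icmpv6-type 133
pass out quick proto icmpv6 from any to any icmpv6-type 135
pass out quick proto icmpv6 from any to any icmpv6-type 136
pass in quick proto icmpv6 from any to any icmpv6-type 134
pass in quick proto icmpv6 from any to any icmpv6-type 135
pass in quick proto icmpv6 from any to any icmpv6-type 136
EOF

# missing_nd_rules FILE DIRECTION
# Print, space separated, the ND types among 133-136 that have no
# uncommented "pass DIRECTION ... proto icmpv6 ... icmpv6-type N" rule.
# Prints an empty line when all four are covered.
missing_nd_rules() {
    file=$1 dir=$2 missing=""
    for t in 133 134 135 136; do
        if ! grep -Eq "^[[:space:]]*pass[[:space:]]+$dir([[:space:]]+quick)?[[:space:]]+proto[[:space:]]+icmpv6[[:space:]].*icmpv6-type[[:space:]]+$t([[:space:]]|\$)" "$file"; then
            missing="$missing${missing:+ }$t"
        fi
    done
    printf '%s\n' "$missing"
}

# nd_rules_complete FILE
# Return 0 only when both directions cover all four message types.
nd_rules_complete() {
    [ -z "$(missing_nd_rules "$1" in)" ] && [ -z "$(missing_nd_rules "$1" out)" ]
}

# Stand-alone demonstration over the constructed file.
for d in in out; do
    m=$(missing_nd_rules "$SAMPLE_IPFCONF" "$d")
    if [ -n "$m" ]; then
        echo "pass $d: no rule for icmpv6-type $m"
    else
        echo "pass $d: all of 133-136 covered"
    fi
done
```

The check is intentionally strict about form (pass, direction, optional quick, proto icmpv6, then the icmpv6-type keyword), so a rule that relies on a different ordering is reported as missing and can be inspected by hand rather than silently accepted.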
5 Known Issues and Workarounds

• The startup script for HP-UX IPFilter automatically disables the ip_forward_directed_broadcasts parameter. This keeps the system from being subjected to broadcast-storm attacks that can bring down a network.
6 Other Product Information

6.1 Supported and Unsupported Interfaces
The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION: For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces. HP-UX IPFilter is not tested with any third-party products.

Table 6-1 HP-UX IPFilter Supported Interfaces

IPFilter Version | Supported Interfaces
HP-UX A.11.xx.
Table 6-1 HP-UX IPFilter Supported Interfaces (continued)

IPFilter Version | Supported Interfaces

Open source versions:

Supported Interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• FDDI
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)

Supported Interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• FDDI
• Token Ring

IPFilter Version:
A.03.05.14 (HP-UX 11i v1 and HP-UX 11i v2)
A.03.05.13 (HP-UX 11i v3)
A.03.05.12
A.03.05.11.01
A.03.05.10
A.03.
6.2.1 Features Not Supported with IPv6
The following features are not supported with IPv6:
• Dynamic Connection Allocation (DCA) (the configuration of the IPv6 keep limit rules is not allowed)
• IPFilter NAT functionality and the associated commands and utilities
• The ipftest utility
• RPC scripts
• IPFilter group rules
• Address pools

6.
7 Support and Other Resources

7.1 Contacting HP

7.1.1 Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

7.1.
• Instant Information documentation CD

For information about HP-UX Bastille, see the HP-UX Bastille Version A3.2 User Guide at:
http://docs.hp.com/en/internet.html

7.3 Typographic conventions
This document uses the following typographical conventions:

%, $, or #    A percent sign represents the C shell system prompt. A dollar sign represents the system prompt for the Bourne, Korn, and POSIX shells. A number sign represents the superuser prompt.
audit(5)      A manpage.