HP-UX IPFilter Version A.03.05.14 Administrator’s Guide
HP-UX 11i v1 and HP-UX 11i v2
December 2006
HP Networking
Manufacturing Part Number: B9901-90031
E1206
United States
© Copyright 2001-2006 Hewlett-Packard Development Company, L.P.

Legal Notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental, or consequential damages in connection with the furnishing, performance, or use of this material.
Contents

Preface: About This Document

1. Installing and Configuring HP-UX IPFilter
   Overview of HP-UX IPFilter Installation (page 3)
   Installation and Configuration Checklist (page 3)
   Step 1: Checking HP-UX IPFilter Installation Prerequisites (page 4)
   Step 2: Loading HP-UX IPFilter Software

   keep frags: Letting Fragmented Packets Pass
   with frags: Dropping Fragmented Packets
   with short: Dropping Short Fragments
   return-rst: Responding to Blocked TCP Packets
   return-icmp: Responding to Blocked ICMP Packets

4. Firewall Building Concepts
   Blocking Services by Port Number
   Using Keep State
   Protecting SSH Server Connections Using Keep State
   Using Keep State with UDP

   The ipnat Utility
      Syntax
      Options
      Example

9. HP-UX IPFilter and IPSec
   IPFilter and IPSec Basics
   IPSec UDP Negotiation
   When Traffic Appears to Be Blocked
   Allowing Protocol 50 and Protocol 51 Traffic

B. HP-UX IPFilter Static Linking
   Static Linking (page 178)
   Static Linking of HP-UX IPFilter on HP-UX 11i v1 (page 178)
   Static Linking of HP-UX IPFilter on HP-UX 11i v2 (page 180)

C. Performance Guidelines
   System Configuration
Preface: About This Document

This document describes how to install, configure, and troubleshoot HP-UX IPFilter version A.03.05.14. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes might be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Publishing History

Table 1  Publishing History Details

Document Manufacturing Part Number | Operating Systems Supported | Supported Product Versions | Publication Date
B9901-90031 | 11i v1, 11i v2 | A.03.05.14 | December 2006
B9901-90021 | 11.0, 11i v1, 11i v2 | A.03.05.09 | February 2004
B9901-90018 | 11.0, 11i v1 | A.03.05.08 | October 2003
B9901-90016 | 11.0, 11i v1 | A.03.05.08 | September 2003
B9901-90014 | 11.0, 11i v1 | A.03.05.07 | June 2003
B9901-90009 | 11.0, 11i v1 | A.03.05.05 | September 2002
Chapter 2  Rules and Keywords
Use this chapter to work with the HP-UX IPFilter configuration files and obtain in-depth information on IPFilter and NAT keywords.

Chapter 3  Dynamic Connection Allocation
Use this chapter to learn about DCA features, DCA keywords, DCA variables, changing DCA rules dynamically, and setting the DCA mode.
Typographical Conventions

This document uses the following conventions.

audit (5)    An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the Web and on the Instant Information CD, it might be a hot link to the manpage itself. From the HP-UX command line, enter man audit or man 5 audit to view the manpage. See man (1).

Book Title   The title of a book. On the Web and on the Instant Information CD, it might be a hot link to the book itself.

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname (1) command with the -r option returns the release identifier. This table shows the releases available for HP-UX 11i.

Table 2  HP-UX 11i Releases

Release Identifier | Release Name | Supported Processor Architecture
B.11.11 | HP-UX 11i v1 | PA-RISC
B.11.22 | HP-UX 11i v1.6 | Intel® Itanium®
B.11.
HP Encourages Your Comments

HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. Please send comments to netinfo_feedback@cup.hp.com. Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.

1  Installing and Configuring HP-UX IPFilter

This chapter describes the procedures to install and configure HP-UX IPFilter software on your system.

• Overview of HP-UX IPFilter Installation
• Step 1: Checking HP-UX IPFilter Installation Prerequisites
• Step 2: Loading HP-UX IPFilter Software
• Step 3: Determining the Rules for IPFilter
• Step 4: Adding Rules to the Rules Files
• Step 5: Loading IPFilter and NAT Rules
• Step 6: Verifying the Installation and Configuration
• Supported and Unsupported Interfaces
• Troubleshooting HP-UX IPFilter
Overview of HP-UX IPFilter Installation

The following section summarizes each step in the HP-UX IPFilter installation process.

Installation and Configuration Checklist

The following checklist provides the sequence of steps you need to complete installation and configuration of HP-UX IPFilter. References to more in-depth information in this manual are also included as part of each step.

Step 1.

Step 1: Checking HP-UX IPFilter Installation Prerequisites

1. Be sure your system uses one of the following operating systems:
   • HP-UX 11i v1
   • HP-UX 11i v2
   To obtain information about the OS, execute the command:
   uname -a
2. Install all required patches.

IMPORTANT  Check the latest HP-UX IPFilter Release Notes for all other patch information.
Step 2: Loading HP-UX IPFilter Software

Use the following steps to load HP-UX IPFilter software using the HP-UX swinstall program.

NOTE  If the product is downloaded to the system using swinstall -s | follow step 1, then steps 5 through 12.

1. Log in as root.
2. Insert the software media (disk) into the appropriate drive.
3.

View the Install window to read processing data while the software is being installed. The Status field indicates Ready and the Note window opens. The fileset is loaded by swinstall. The estimated time for processing is three to five minutes.
10. Click OK on the Note window to reboot the system. The user interface disappears and the system reboots.
11. After the system reboots, check the log files in /var/adm/sw/swinstall.
Step 3: Determining the Rules for IPFilter

Review the IPFilter rule descriptions and examples in Chapter 2, Chapter 4, and Appendix A to determine the appropriate rules for your system. Determine the rules you will configure based on the services running on your system. Determine DCA rules as well. For more information on DCA, see Chapter 3. If you are using NAT, determine the NAT rules you will configure as well.

Step 4: Adding Rules to the Rules Files

To add your rules to the /etc/opt/ipf/ipf.conf file (or your chosen rules file) and to the /etc/opt/ipf/ipnat.conf file, use a text editor such as vi.

NOTE  DCA rules are added along with IPFilter rules in the /etc/opt/ipf/ipf.conf file or your selected rules file. DCA rules can be used with or without IPFilter rules. If using the DCA feature, DCA mode must be turned on.
NOTE  IPFilter NAT functionality and the associated commands and utilities are not supported with IPv6.

Filtering rules added to /etc/opt/ipf/ipnat.conf are loaded when the system is booted. If you do not want the rules to load on bootup, place your rules in an alternate location, such as /etc/ipnat.conf. You can then load these rules manually using the ipnat command.
Step 5: Loading IPFilter and NAT Rules

This section describes how to install rules in the HP-UX IPFilter and NAT rules file to run on your system.

Loading IPFilter Rules

NOTE  The following is a list of commands and file names, some of which are very similar:
• ipfboot—The startup script for the ipf module.
• /etc/rc.config.d/ipfconf—The configuration file for the ipfboot startup script.
• /etc/opt/ipf/ipf.

• Flush rules from your ruleset using the -Fa option of the ipf command:
  ipf -Fa
  The -Fa option flushes previously configured rules. The -A option specifies the active rules list. For example:
  ipf -Fa -A -f /etc/opt/ipf/ipf.conf
  The previous command flushes the previously configured rules, specifies /etc/opt/ipf/ipf.conf as the active rules file, and loads the rules in /etc/opt/ipf/ipf.conf for immediate use.

Loading NAT Rules

To load IPFilter NAT rules:
1. Add NAT rules to the ipnat.conf file, or to another NAT rules file you select. See “map and portmap: Basic NAT” on page 39 and “The ipnat Utility” on page 101 for information and instructions.
2. Use the following command to load the NAT rules manually:
   ipnat -CF -f /etc/opt/ipf/ipnat.
Step 6: Verifying the Installation and Configuration

After HP-UX IPFilter is installed and you have configured and loaded the rules file, you must verify the installation and configuration.

• Verify that HP-UX IPFilter is running using the -V option of the ipf command:
  ipf -V
  ipf: HP IP Filter: v3.5alpha5 (A.03.05.07) (312)
  Kernel: HP IP Filter: v3.5alpha5 (A.03.05.

Additional Configuration Information

IPFilter provides additional configuration options, such as the following ndd variables.

Name | Description | Default Value
ipl_buffer_sz | Size of the IPFilter logging buffer for /dev/ipl. | 8K
ipl_suppress | If set, does not print identical log records separately, but counts them as Nx, where N is the number of times the log record occurs. |
Supported and Unsupported Interfaces

The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION  For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces. HP-UX IPFilter is not tested with any third party products.

Table 1-1  HP-UX IPFilter Supported Interfaces (Continued)

HP-UX IPFilter Version | Supported Interfaces
A.03.05.09, A.03.05.08, A.03.05.07, A.03.05.06 | Ethernet (10Base-T), Fast Ethernet (100Base-T), Gigabit Ethernet (1000Base-T), APA, VLAN, FDDI, Token Ring

The following interfaces are unsupported (not protected by HP-UX IPFilter) on any HP-UX IPFilter releases:
• ATM
• Hyperfabric
• X.
Troubleshooting HP-UX IPFilter

This section describes how to troubleshoot an HP-UX IPFilter configuration. It provides information about possible problems that might occur along with the steps needed to resolve them.

• HP-UX IPFilter is not filtering (it passes/allows all network traffic).
  Verify whether HP-UX IPFilter is running using ipf -V. The running field should say yes.

  If you are using /etc/opt/ipf/ipf.conf as your rules file, then it will be loaded at boot time. The IPFilter startup script /sbin/init.d/ipfboot will:
  — Load the IPFilter module.
  — Start the logging daemon, ipmon.
  — Load any uncommented rules present in /etc/opt/ipf/ipf.conf.
• IPFilter rules changed after using Bastille/Install-Time-Security level.
  If you configure an IPFilter ruleset using Install-Time-Security level, or use HP-UX Bastille interactively to reconfigure IPFilter rules, existing rules will be overwritten. This will change IPFilter behavior. To reinsert your rules into the Bastille-setup firewall rules, edit /etc/opt/sec_mgmt/bastille/ipf.customrules, and run bastille -b -f .
2  Rules and Keywords

This chapter describes the basic procedures and building blocks used to create filtering rules for HP-UX IPFilter.

It contains the following sections:
• IPFilter Configuration Files
• Basic Rules Processing
• IPFilter Keywords
  — pass and block: Controlling IP Traffic
  — in and out: Bidirectional Filtering
  — quick: Optimizing IPFilter Rules Processing
  — on: Filtering by Network Interfaces
  — from and to: Filtering by IP Addresses and Subnets
  — log: Tracking Packets on a System
  — proto: Controlling Specific Protocols
  — opt and ipopts: Filtering on IP Options
  — icmp-type: Filtering ICMP Traffic by Type

NOTE  Most of the information in this chapter has been derived from the IPFilter-based Firewalls HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this document at http://www.obfuscation.org/ipf/.
IPFilter Configuration Files

HP-UX IPFilter has two files it uses for configuration.

IPFilter Rules

The HP-UX IPFilter rules file is named /etc/opt/ipf/ipf.conf. The UNIX configuration file conventions allow one rule per line. The number symbol (#) denotes a comment at the beginning of a line as well as a rule and a comment on the same line. Extra white space is allowed and encouraged to keep the rules readable.

Basic Rules Processing

Rules are processed in order from top to bottom of the rules file. If the contents of your rules file are as follows, IPFilter processes the rules in the order they appear from top to bottom:

block in all
pass in all

IPFilter does not stop processing rules after a match is made. Instead, it acts on the last rule that matches a packet being checked.
IPFilter Keywords

IPFilter rules are built using keywords and parameters that combine to filter packets coming in and out of a system. The following sections describe the keywords that form the basic building blocks of IPFilter rules. These sections include the purpose of the keywords and examples of how to use them in rules.

NOTE  For more information about IPFilter rule syntax, see the ipf (5) manpage.

NOTE  If you do not specify any out rules, the implied default is pass out all. If you do not specify any in rules, the implied default is pass in all.

quick: Optimizing IPFilter Rules Processing

HP-UX IPFilter behaves differently from other packet filters. Because it processes the whole ruleset for each packet, there might be a performance impact if your rules file is configured so that the most applicable rules are in the first 10 of 100 rules.
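As an added illustration (not from this guide), the following Python model reproduces the two behaviours just described: the whole ruleset is walked and the last match decides, unless a matching rule carries quick, which ends processing at that rule. It parses only the subset of ipf(5) syntax used in this chapter's examples; the packets and the third ruleset are constructed for the demonstration.

```python
"""Model of IPFilter rule evaluation: last match wins, 'quick' short-circuits."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    direction: str              # "in" or "out"
    iface: str                  # e.g. "lan0"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    quick: bool = False
    log: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None                   # only the "port = N" form


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'block in log quick on lan0 proto icmp from any to any'."""
    tok = text.split()
    rule = Rule(action=tok[0], direction=tok[1])
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "quick":
            rule.quick = True
        elif t == "log":
            rule.log = True
        elif t == "on":
            i += 1
            rule.iface = tok[i]
        elif t == "proto":
            i += 1
            rule.proto = tok[i]
        elif t in ("from", "to"):
            i += 1
            net = None if tok[i] == "any" else ipaddress.ip_network(tok[i], strict=False)
            if t == "from":
                rule.src = net
            else:
                rule.dst = net
        elif t == "port":            # "port = N"
            i += 2
            rule.dport = int(tok[i])
        elif t != "all":
            raise ValueError(f"unsupported keyword {t!r}")
        i += 1
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every clause it specifies agrees with the packet."""
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[int], int]:
    """Walk the ruleset top to bottom. The last matching rule decides, unless a
    matching rule is 'quick', which ends processing at once. Returns (action,
    index of the deciding rule or None, rules examined). No match: implied pass."""
    action, winner = "pass", None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            action, winner = rule.action, idx
            if rule.quick:
                return action, winner, idx + 1
    return action, winner, len(rules)


# The two-line ruleset from "Basic Rules Processing": without quick the later
# 'pass in all' is the last match, so everything is passed.
LINEAR = [parse_rule(r) for r in ("block in all", "pass in all")]
# The same ruleset with quick on the block rule: processing stops at rule 0.
QUICK = [parse_rule(r) for r in ("block in quick all", "pass in all")]
# Constructed ruleset combining this chapter's proto, on and from/to examples.
MIXED = [parse_rule(r) for r in (
    "block in log quick on lan0 proto icmp from any to any",
    "block in quick on lan0 from 192.168.0.0/16 to any",
    "pass in all",
)]

if __name__ == "__main__":
    ssh = Packet("in", "lan0", "tcp", "10.1.1.5", "20.20.20.1", 22)
    print(evaluate(LINEAR, ssh))   # ('pass', 1, 2)
    print(evaluate(QUICK, ssh))    # ('block', 0, 1)
```

The third element of each result shows how many rules were examined, which is the cost quick saves on a long ruleset.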
from and to: Filtering by IP Addresses and Subnets

IPFilter can pass or block packets based on both source and destination IP addresses. It can also filter on subnets. To configure IPFilter to pass or block packets based on their source IP address, use the from ip_address keyword. For example:

block in quick from 192.168.0.0 to any

For traffic coming from any address within a subnet, you can use from with the following subnet address syntax:

block in quick from 192.

You can combine specific from ip_address and to ip_address keywords to restrict traffic based on both source and destination IP addresses. You can also filter traffic using both IP addresses and network interface names. For example, you want data from lan0, but not from 192.168.0.0/16. Configure the following rules:

block in quick on lan0 from 192.168.0.
proto: Controlling Specific Protocols

IPFilter can filter traffic based on protocol, such as TCP or ICMP, using the proto keyword. For example, many Denial of Service (DoS) attacks rely on glitches in the TCP/IP stack of the OS, in the form of ICMP packets. To block ICMP packets, add the proto keyword to your ruleset as follows:

block in log quick on lan0 proto icmp from any to any

In this example, any ICMP traffic coming in from lan0 will be logged and discarded.

icmp-type: Filtering ICMP Traffic by Type

You can filter specific types of ICMP traffic using the icmp-type keyword. This is a useful keyword if you want to block most ICMP traffic to prevent DoS attacks, but must allow certain types of ICMP messages to pass to your system. For example, if you want to specifically allow ping messages to pass on your system, configure the following rule:

pass in quick on lan0 proto icmp from any to 20.20.20.
TYPE | CODE | icmp-type | icmp-code | MEANING
 | 10 | | host-prohib | destination host administratively prohibited [RFC1256]
 | 11 | | net-tos | network unreachable for TOS [RFC792]
 | 12 | | host-tos | host unreachable for TOS [RFC792]
 | 13 | | filter-prohib | prohibited by filtering [RFC1812]
 | 14 | | host-preced | host precedence violation [RFC1812]
 | 15 | | cutoff-preced | precedence cutoff in effect [RFC1812]
4 | 0 | squench | | SOURCE QUENCH
5 | | redir | network | REDIRECT
 | | | host |
 | | | network & TOS |
 | | | host & TOS |
8 | 0 | | |

TYPE | CODE | icmp-type | icmp-code | MEANING
14 | 0 | timestrep | | TIMESTAMP REPLY
15 | 0 | inforeq | | INFO REQUEST (obsolete)
16 | 0 | inforep | | INFO REPLY (obsolete)
17 | 0 | maskreq | | ADDRESS MASK REQUEST
18 | 0 | maskrep | | ADDRESS MASK REPLY

Rule order is important if you are using the icmp-type keyword with the quick keyword. Place pass rules before block rules in the ruleset to be sure the correct packets are passed.
Operand | Alias | Result
<= | le | true if port is less than or equal to configured value
>= | ge | true if port is greater than or equal to configured value

keep state: Protecting TCP, UDP, and ICMP Sessions

Use keep state to identify and authorize individual TCP, UDP, and ICMP sessions that pass multiple packets back and forth. keep state enables IPFilter to distinguish legitimate traffic from port scanners and DoS attacks. IPFilter maintains a state table.

The following rules also work for UDP and ICMP:

block in quick on lan0 all
pass out quick on lan0 proto tcp from 20.20.20.1/32 to any keep state
pass out quick on lan0 proto udp from 20.20.20.1/32 to any keep state
pass out quick on lan0 proto icmp from 20.20.20.

NOTE  To use the flags
return-rst: Responding to Blocked TCP Packets

When you use the block keyword as described in “pass and block: Controlling IP Traffic” on page 26, the blocked packet is dropped and no response is sent to the remote system that sent the packet. This can be a security risk, because it might alert an attacker that a packet filter is running on the system. When a service is not running on a UNIX system, it normally notifies the remote host with a return packet.

dup-to: Drop-Safe Logging

IPFilter can pass packets on to another system for additional logging, examination, and processing. Instead of configuring IPFilter rules to drop packets, you can configure rules to pass them to another system that can perform more extensive logging and analysis than ipmon does. A firewall system can have multiple interfaces. You can create a “drop-safe” for packets using the dup-to keyword.
NAT Keywords

The following section describes keywords specific to NAT functionality.

NOTE  The maximum number of concurrent connections NAT can support is 16,383.

map and portmap: Basic NAT

Use the map keyword to create basic IPFilter NAT rules. If you do not know the IP address of the target systems, configure the following rule:

map lan0 192.168.1.

bimap: Bidirectional Mapping

The bimap keyword allows IPFilter to map IP addresses bidirectionally. This can be used when you want the IP address of a particular device on the NAT-supported system to display as having a different IP address outside the system. The following rule demonstrates the bimap property:

bimap lan0 192.168.1.1/32 -> 20.20.20.1/32

In the previous example, devices with IP address 192.168.1.

You can use the rdr keyword to implement load-balancing systems and redirect traffic to multiple destination addresses. For example:

rdr lan0 20.20.20.5/32 port 80 -> 192.168.0.5,192.168.0.6 port 8000

map-block: Mapping to a Block of Addresses

IPFilter NAT can map an IP address to a specific block of IP addresses in two ways. You can use the map-block keyword to statically map sessions from a host to a selected block of IP addresses.
3  Dynamic Connection Allocation

This chapter describes Dynamic Connection Allocation (DCA). It includes DCA keywords, rule syntax and conditions, and variables. It also contains procedures for changing DCA rules dynamically and setting DCA mode at startup.

This chapter contains the following sections:
• DCA with HP-UX IPFilter
  — Overview: DCA Functionality
  — Using DCA
• DCA Keywords
  — keep limit: Limiting Connections
  — log limit: Logging Exceeded Connections
  — log limit freq: Log Frequency
• DCA Rule Syntax
• DCA Rule Conditions
• keep limit Rules and Rule Hits
• DCA Rule Modifications
  — Updating keep limit Rules
  — Adding New keep limit Rules
  — Integrating keep limit Rules
  — Extracting an Individual Rule from a Subnet

DCA with HP-UX IPFilter

An HP-UX IPFilter system can act as a secure intermediary, tracking all incoming TCP connections to a system or network. DCA lets you limit incoming TCP connections passing through an IPFilter system. DCA uses stateful packet inspection to limit the number of incoming TCP connections to a system. To use DCA functionality, be sure DCA mode is enabled. For more information, see “DCA Mode” on page 61.

— ipf -E
— ipf -D
— ipf -m
DCA Keywords

The following section describes keywords specific to DCA. For additional information about DCA rule syntax and rule conditions, see “DCA Rule Syntax” on page 52 and “DCA Rule Conditions” on page 53.

keep limit: Limiting Connections

Use the keep limit keyword to limit the number of connections made to an IPFilter system at a given time. Connections can be limited by IP address, subnet, cumulative limit of connections, and a default individual limit.

For example:

pass in quick proto tcp from 192.168.5.0/24 to any port = 25 keep limit 4

The example rule limits the maximum concurrent connections to 4 from any individual host in subnet 192.168.5.0/24 to port 25 of any host.

For example:

pass in quick proto tcp from 192.168.7.0/24 to any port = 25 keep limit 15 cumulative

The example rule limits the cumulative concurrent connections to 15 from all hosts in subnet 192.168.7.0/24 to port 25 of any host.
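As an added example (not part of this guide), the following Python model keeps limit entries the way the two rules above describe them: an individual limit counts each source host separately, while a cumulative limit counts the whole subnet as one entry. It also follows the behaviour described later under “DCA Rule Modifications”: lowering a limit leaves existing connections open and refuses new ones until the count drops below the new value. The connection sequence is constructed.

```python
"""Model of DCA 'keep limit' accounting (added example, not the guide's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LimitRule:
    source: ipaddress.IPv4Network   # the rule's 'from' subnet
    dport: int                      # the rule's 'port = N'
    limit: int                      # keep limit N
    cumulative: bool = False        # 'keep limit N cumulative'


@dataclass
class LimitTable:
    rules: List[LimitRule]
    # limit entries: (rule index, entry key) -> open connections counted by it
    entries: Dict[Tuple[int, str], int] = field(default_factory=dict)

    def _entry_key(self, src: str, dport: int) -> Optional[Tuple[int, str]]:
        """First keep limit rule matching the connection; cumulative rules keep
        one entry for the whole range, individual rules one entry per host."""
        for idx, rule in enumerate(self.rules):
            if rule.dport == dport and ipaddress.ip_address(src) in rule.source:
                return idx, (str(rule.source) if rule.cumulative else src)
        return None

    def connect(self, src: str, dport: int) -> str:
        """A new inbound TCP connection: 'pass', 'block' (limit reached) or
        'no-rule' when no keep limit rule applies."""
        key = self._entry_key(src, dport)
        if key is None:
            return "no-rule"
        count = self.entries.get(key, 0)
        if count >= self.rules[key[0]].limit:
            return "block"
        self.entries[key] = count + 1
        return "pass"

    def close(self, src: str, dport: int) -> None:
        """Connection closed: decrement, and drop the limit entry when its last
        connection closes (the point at which a summary log record is written)."""
        key = self._entry_key(src, dport)
        if key in self.entries:
            self.entries[key] -= 1
            if self.entries[key] == 0:
                del self.entries[key]

    def update_limit(self, idx: int, new_limit: int) -> None:
        """Change a rule's limit in place. Existing connections are not dropped;
        new ones are refused until the open count is below the new limit."""
        self.rules[idx].limit = new_limit


def demo() -> dict:
    table = LimitTable([
        # pass in quick proto tcp from 192.168.5.0/24 to any port = 25 keep limit 4
        LimitRule(ipaddress.ip_network("192.168.5.0/24"), 25, 4),
        # pass in quick proto tcp from 192.168.7.0/24 to any port = 25 keep limit 15 cumulative
        LimitRule(ipaddress.ip_network("192.168.7.0/24"), 25, 15, cumulative=True),
    ])
    out = {}
    # Individual limit: the fifth connection from one host is refused, while a
    # second host in the same subnet still gets its own allowance of 4.
    out["host_a"] = [table.connect("192.168.5.10", 25) for _ in range(5)]
    out["host_b"] = table.connect("192.168.5.11", 25)
    # Cumulative limit: sixteen different hosts, one connection each; the
    # sixteenth is refused because the subnet as a whole is at 15.
    out["subnet"] = [table.connect(f"192.168.7.{i}", 25) for i in range(1, 17)]
    # Lower the cumulative limit to 5 while 15 connections are open: nothing is
    # dropped, but no new connection passes until the count falls below 5.
    table.update_limit(1, 5)
    out["after_lower"] = table.connect("192.168.7.20", 25)
    for i in range(1, 12):
        table.close(f"192.168.7.{i}", 25)
    out["after_close"] = table.connect("192.168.7.20", 25)
    out["open_subnet"] = table.entries[(1, "192.168.7.0/24")]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```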
• Summary Log records—created when a limit entry ceases to exist after all the connections for that limit entry have been closed. This log record summarizes the connection activity of a particular IP address.

In the example summary log, the source IP address displayed is actually the IP address range specified in the rule. Wildcard IP addresses are shown as 0.0.0.0. The destination port information is also printed from the rule. The other fields are similar to a non-cumulative summary record. For further information, see “ipmon and DCA Logging” on page 95.

DCA Rule Syntax

The following is the complete syntax for creating a DCA rule:

pass [return-rst] in [log limit [freq ]] quick proto tcp from to [port = port_num] keep limit [cumulative]

NOTE  Be sure to use the quick keyword in all DCA rules.

DCA Rule Conditions

DCA rules must conform to the following conditions:
• The rule must be a quick rule.
• The rule must be an in rule.
• The rule can be used only with proto tcp.
• The log limit and log limit freq # rules can only be used with the keep limit rule.
• The source port must be a wildcard (*).
• Port ranges are not allowed for source ports.
keep limit Rules and Rule Hits

For each new packet, every time there is a rule match, the hit count for that rule is incremented. The rule does not have to be the final matching rule. Some examples are:
• A rule is a matching, non-quick rule. If another rule match is later found on the list, both hit counts are incremented.
• A rule is a matching group head. If a matching rule is found within the group, both hit counts are incremented.

DCA Rule Modifications

The following sections describe how to modify DCA rules when HP-UX IPFilter is running.

NOTE  HP recommends configuring a redundant rule, such as pass in all, in all DCA rules files. IPFilter does not process packets without a rule.

To modify an active rules file:
1. Run the following command:
   ipf -f
2. Add new rules to the rules file. DCA begins processing incoming packets with the new rules as you add them.

2. Run the following command to switch the active rules file with the inactive rules file you modified:
   ipf -s

When you modify an inactive rules file, then switch it with an active rules file, DCA processes new connections according to the new rules file whether or not there are existing connection limit entries in the limit table.

For example, the original rule is:

pass in quick proto tcp from 14.13.45.0-14.13.45.255 to any keep limit 10 cumulative

To decrease the limit to 5, add the following new rule:

pass in quick proto tcp from 14.13.45.0-14.13.45.255 to any keep limit 5 cumulative

DCA detects a similar rule in the ruleset, but the limit count has changed. DCA updates the limit count in the original rule and waits until the current number of connections drops to 5.

2. Delete the old rule.

To Add a New Subnet or IP Address Range Rule:
1. Add the new rule on the line before the old rule which the new rule is to replace.
2. Delete the old rule.

Limit entries made by the old rule are updated when a new connection is processed. New connections are processed with the new rule. To add a more specific subnet or IP address range rule, see the following section, Integrating keep limit Rules.
DCA Variables

The following sections provide information on the fr_statemax, fr_limitmax, and fr_tcpidletimeout variables, and how to use the kmtune command to configure each of these variables.

fr_statemax

The purpose of the fr_statemax variable is to restrict how many state entries can be created. Configure the values of this variable appropriately for your environment. The following table displays the default and minimum values for fr_statemax.

When the number of states created reaches the fr_statemax limit, HP-UX IPFilter tries to free up state entries and increments the maximum counter. If HP-UX IPFilter fails to free up state entries, then no more state entries are created. The maximum counter is incremented each time a state entry is to be created but the state table is full. If the state table is full, the connection is let through but no state entry is created.

DCA Mode

The DCA mode can be disabled, enabled, queried, or toggled between disabled and enabled by using the ipf -m
4  Firewall Building Concepts

This chapter describes specific configuration procedures for HP-UX IPFilter. It contains concepts for basic and advanced firewall design using HP-UX IPFilter features.

It contains the following sections:
• Blocking Services by Port Number
• Using Keep State
• Using Keep State with UDP
• Using Keep State with ICMP
• Logging Techniques
• Improving Performance with Rule Groups
• Localhost Filtering
• Using the to Keyword to Capture Blocked Packets
• Creating a Complete Filter by Interface
• Combining IP Address and Network Interface Filtering
• Using Bidirectional Filtering Capabilities
• Using port and proto to C

Blocking Services by Port Number

To create a ruleset that explicitly passes packets for a specific service or services, but blocks all other traffic:
1. Configure the first rule to block all traffic.
2. Configure subsequent rules to pass packets to specific services by port number.
Firewall Building Concepts Using Keep State Using Keep State The keep state keyword must be used with other IPFilter keywords and filtering techniques so that IPFilter completely and correctly makes an entry in the state table. If you configure rules to both filter on TCP flags and keep state, you must be sure you configure the rules correctly. In most cases, you should use the keep state keyword on the first rule that interacts with a packet for a connection.
To protect an SSH server using the keep state keyword, use the following ruleset:

pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 22 keep state
pass out quick on lan0 proto tcp from any to any keep state
block in quick all
block out quick all

With this ruleset, IPFilter enters the first packet of a connection in the state table. Other processing works as expected.
Using Keep State with UDP

You can configure IPFilter rules for UDP connections using the keep state keyword. An entry is added to the state table for UDP connections, the same as with a TCP connection acted on by a rule with the keep state keyword.
Using Keep State with ICMP

The majority of ICMP messages are status messages generated by a failure in UDP or TCP. For any ICMP error status message that matches an active state table entry that might have generated that message, IPFilter passes the ICMP packet.
Logging Techniques

The log keyword tells IPFilter to log packets matching the rule to the IPFilter logging device, /dev/ipl. To read the log, run the ipmon utility. See “The ipmon Utility” on page 93 for more information. You can use the ipmon -s command to log the information in /dev/ipl to syslog. You can use the following advanced options with the log keyword to refine the log IPFilter creates.
Example:

block in log level auth.info quick on lan0 from 20.20.20.0/24 to any
block in log level auth.alert quick on lan0 proto tcp from any to 20.20.20.0/24 port = 21

first
You can use the first option with the log keyword to log only the first instance of a certain type of packet. For example, it might not be important to log 500 attempts to probe your telnet port from one source. It is a good idea to log the first attempt, however.
Improving Performance with Rule Groups

Rule groups allow you to write your ruleset in a tree structure, instead of as a linear list, so that if an incoming packet is unrelated to a set of rules, those rules will never be processed. This reduces IPFilter processing time on each packet and improves IPFilter system performance.
block in log quick on lan0 from any to 20.20.20.255/32 group 1
pass in on lan0 all group 1
pass out on lan0 all
block out quick on lan1 all head 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.
Localhost Filtering

Use localhost filtering with IPFilter to provide both security and convenience for your users. Localhost filtering with IPFilter can be used effectively in conjunction with other security products, such as external firewalls and internal software products. The following example is a ruleset configured to run on a machine that also uses TCP Wrapper to protect its network services.
Using the to Keyword to Capture Blocked Packets

You can use the to keyword apart from the from keyword. If you want to block a packet, you can use the to keyword to push the packet past the normal routing table and force it to go out on a different interface.
Creating a Complete Filter by Interface

When you create a ruleset, you should set up rules for all directions and all interfaces. The default state of IPFilter is to pass packets both in and out. Instead of relying on the IPFilter default behavior, make every ruleset as specific as possible, interface by interface, until all possibilities are explicitly covered.
Combining IP Address and Network Interface Filtering

If you know that your system will send and receive packets only from specific IP addresses and interfaces, configure your IPFilter rules to only allow traffic from those addresses and interfaces. Also, there are addresses and subnets used for specific purposes on specific interfaces.
Using Bidirectional Filtering Capabilities

You can use bidirectional filtering to limit packets leaving a system to those that come from a specific subnet. For example, to limit traffic passing out of the IPFilter system to packets coming from the 20.20.20.0/24 subnet, configure the following rules:

pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any

If a packet originates from IP address 20.20.20.
Using port and proto to Create a Secure Filter

To configure IPFilter for effective security, use several techniques and building blocks together. For example, you can configure rules to allow rsh, rlogin, and telnet to run only on your internal network. Your internal network subnet is 20.20.20.0/24. All three services use specific TCP ports (513, 514, and 23).
5 HP-UX IPFilter Utilities

This chapter describes IPFilter utilities.
• The ipfstat Utility
• The ipmon Utility
• The ipftest Utility
• The ipnat Utility
• Unsupported Utilities and Commands

NOTE
Most of the information in this chapter has been derived from the IP Filter-based Firewalls HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this document at http://www.obfuscation.org/ipf/.
The ipf Utility

The ipf utility performs a broad range of actions on the active and inactive IPFilter rulesets. You can use ipf to add rules, delete rules, switch active and inactive rulesets, and flush the existing ruleset from the system. You can perform other actions with ipf. See the ipf manpages for more information.
-m Disables or enables DCA mode, queries the DCA mode, or toggles DCA between enabled and disabled, using the following options:
• d Disables DCA.
• e Enables DCA.
• q Queries whether DCA is disabled or enabled.
• t Toggles DCA between disabled and enabled.
When there are no keep limit rules and there is no connection allocation, disable DCA. See “DCA Mode” on page 61 for more information about how to disable, enable, query, or toggle DCA.
For a complete list of ipf options and their uses, see the ipf (5) and ipf (8) manpages.
The ipfstat Utility

The ipfstat utility displays a table of data detailing firewall performance, including how many packets have been passed or blocked, whether the packets were logged or not, how many state entries have been made, and DCA statistics. You can also use options with ipfstat to display active rules.

Syntax
ipfstat <-options>

Options
-i Displays currently loaded rules for inbound packets.
-o Displays currently loaded rules for outbound packets.
Displays detailed global limit statistics.
-r Displays the limit statistic by rule number.
-v Sets verbose mode. Use for debugging.

NOTE
Statistics counters cannot increment when both active in and out rule sets are empty. This is due to a performance optimization that bypasses IPFilter when there are no active rule sets present.

For a complete list of options used with ipfstat, see the ipfstat manpage.
Fastroute successes:    0    failures:    0
TCP cksum fails(in):    0    (out):       0
Packet log flags set: (0)
        none

The TCP Connections statistics are derived from the number of states added and are valid only in the context of stateful filtering. These statistics will be accurate only when keep limit or keep state rules are used for all TCP connections.
# ipfstat -on
@0:1 pass out on lan0 from any to any
@0:2 block out on ppp0 from any to any
@0:3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags

The following example uses the -s option to display the state table.

# ipfstat -s
281458    TCP
319349    UDP
0         ICMP
19780145  hits
5723648   misses
0         maximum
0         no memory
0         bkts in use
1         active
319349    expired
281419    closed

A TCP connection has one state entry.
The following is an example of the output information of the ipfstat -sl option:

#ipfstat -sl
empty list for ipfilter(out)
1 pass in quick proto tcp from 15.13.106.175/32 to any keep state
# ipfstat -sl
15.13.106.175 -> 15.13.137.
• Log Failures is the number of times log entries have not been logged. A non-zero value for Log Failures indicates that the kernel log buffer is too small; set the kernel log buffer ipl_buff_sz to an appropriate value.
• Limits Added is the number of limit entries that have been added.
• Add Failures is the number of times a limit entry could not be created. This happens when a state entry is not added.
S—IP subnet
C—Cumulative
U—Unknown IP. These limit entries are created through the default rule.
See “DCA Keywords” on page 47 for detailed information on the different types of limit entries.
• The Rule column displays the rule number that caused the creation of this limit entry. This information can in turn be used to get per-rule statistics using the ipfstat -r command.
• The third through sixth columns display IP-port pairs of the TCP connection.
The ipmon Utility

Use the ipmon utility to monitor IPFilter while it is in use. You can use ipmon to watch the packet log, as created with the log keyword in the IPFilter rules. ipmon can also monitor the state log, the NAT log, or any combination of these three. You can run ipmon in the foreground or as a daemon that logs to syslog or a file.

Syntax
ipmon <-options>

Options
-a Opens and reads data from all available log files. Equivalent to -o NSI.
For a complete list of ipmon options and their uses, see the ipmon manpage.

Examples
To view the state table as it updates, use the ipmon -o S command.

Example:
# ipmon -o S
01/08/1999 15:58:57.836053 STATE:NEW 100.100.100.1,53 ->20.20.20.15,53 PR udp
01/08/1999 15:58:58.030815 STATE:NEW 20.20.20.15,123 ->128.167.1.69,123 PR udp
01/08/1999 15:59:18.032174 STATE:NEW 20.20.20.15,123 ->128.173.14.71,123 PR udp
01/08/1999 15:59:24.570107 STATE:EXPIRE 100.100.100.
• Field 3—Rule group number: rule number of the rule that acted on the packet
• Field 4—Blocked (b) or Passed (p) packet
• Field 5—Packet origin
• Field 6—Packet destination
• Field 7 and 8—Protocol used
• Field 9—Packet size
• Field 10—Flags set on packet

Run the ipfstat -in command to determine which rule caused the problem. In this example, you would use this command to look at rule 2 in rule group 0.
You can use ipmon -r to print the summary records to the log file for all existing limit entries that are active. For example, you have the following rule configured:

pass in log limit quick proto tcp from IP1 to Server keep limit 10

If IP1 creates 70 connections, then 10 connections are let through and the remaining 60 are blocked; this is the block count. When ipmon -r is called, a summary record is logged to the summary log records and the block count is reset to 0.
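The model below is an added example, not HP-UX IPFilter code, that ties together two behaviours this guide describes in prose: the fr_statemax ceiling from “DCA Variables” in Chapter 3 (a connection that finds the state table full is let through untracked and the maximum counter increments) and the keep limit block count behind ipmon -r described above. The idle-timeout freeing step and per-source limit accounting are modelling assumptions.

```python
"""Model of the fr_statemax ceiling and of keep limit block counting.

Added example, not HP-UX IPFilter code.  (1) StateTable: when the table is
full the filter first tries to free entries; if none can be freed the
connection passes without a state entry and the "maximum" counter (as shown
by ipfstat -s) increments.  (2) KeepLimit: connections above "keep limit N"
are blocked and counted until an ipmon -r style summary resets the count.
Idle-timeout freeing and per-source limit accounting are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class StateTable:
    fr_statemax: int
    idle_timeout: float = 60.0
    entries: dict = field(default_factory=dict)  # 4-tuple -> last-seen time
    maximum: int = 0                              # "maximum" counter

    def free_idle(self, now):
        """Drop entries idle longer than idle_timeout; return how many were freed."""
        stale = [c for c, seen in self.entries.items() if now - seen > self.idle_timeout]
        for conn in stale:
            del self.entries[conn]
        return len(stale)

    def add(self, conn, now):
        """Return True if conn is tracked in the state table after this packet."""
        if conn in self.entries:
            self.entries[conn] = now
            return True
        if len(self.entries) >= self.fr_statemax and not self.free_idle(now):
            self.maximum += 1        # table full: the connection passes untracked
            return False
        self.entries[conn] = now
        return True


@dataclass
class KeepLimit:
    limit: int                                    # "keep limit N" on the rule
    active: dict = field(default_factory=dict)    # source -> live connections
    block_count: dict = field(default_factory=dict)

    def connect(self, src):
        """Verdict for a new connection from src under this rule."""
        if self.active.get(src, 0) >= self.limit:
            self.block_count[src] = self.block_count.get(src, 0) + 1
            return "block"
        self.active[src] = self.active.get(src, 0) + 1
        return "pass"

    def close(self, src):
        if self.active.get(src, 0) > 0:
            self.active[src] -= 1

    def summary(self):
        """Like ipmon -r: return the block counts for logging, then reset them to 0."""
        record = dict(self.block_count)
        self.block_count = {src: 0 for src in self.block_count}
        return record


def keep_limit_demo(attempts=70, limit=10, src="IP1"):
    """The guide's example: 70 connections from IP1 against keep limit 10."""
    rule = KeepLimit(limit)
    verdicts = [rule.connect(src) for _ in range(attempts)]
    return verdicts.count("pass"), verdicts.count("block"), rule.summary(), rule.block_count


def statemax_demo():
    """Fill a 3-entry table (constructed 4-tuples), then show one untracked
    connection at t=10 and the same connection tracked at t=100 after idle entries
    were freed."""
    table = StateTable(fr_statemax=3, idle_timeout=30)
    for i in range(3):
        table.add(("10.0.0.%d" % (i + 1), 40000 + i, "20.20.20.1", 22), now=0)
    untracked = table.add(("10.0.0.9", 40009, "20.20.20.1", 22), now=10)
    tracked = table.add(("10.0.0.9", 40009, "20.20.20.1", 22), now=100)
    return untracked, tracked, table.maximum, len(table.entries)
```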
The ipftest Utility

Use the ipftest utility to test your ruleset in user space without compromising the security of your IPFilter system. The ipftest utility can be run by a non-root user. The ipftest utility tests a ruleset using a set of packet descriptions that simulate real network traffic. Actions taken by IPFilter on each simulated packet are written to stdout.
The following packets will be used to test this rule set:

in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000
in on lan1 udp 10.1.84.195,16000 10.1.85.196,16000
in on lan0 udp 10.1.84.195,16000 10.1.80.196,16000
in on lan0 udp 10.1.85.195,16000 10.1.84.196,16000
in on lan1 udp 10.1.85.195,16000 10.1.85.196,16000
in on lan0 udp 10.1.85.195,16000 10.1.80.196,16000
out on lan0 udp 10.1.84.196,16000 10.1.84.195,16000
out on lan1 udp 10.1.85.196,16000 10.1.84.
-------------
input: in on lan0 udp 10.1.84.195,16000 10.1.80.196,16000
pass ip 28(20) 17 10.1.84.195,16000 > 10.1.80.196,16000
-------------
input: in on lan0 udp 10.1.85.195,16000 10.1.84.196,16000
block ip 28(20) 17 10.1.85.195,16000 > 10.1.84.196,16000
-------------
input: in on lan1 udp 10.1.85.195,16000 10.1.85.196,16000
block ip 28(20) 17 10.1.85.195,16000 > 10.1.85.196,16000
-------------
input: in on lan0 udp 10.1.85.195,16000 10.1.80.
input: in on lan0 icmp 10.1.84.195 10.1.84.196
pass ip 48(20) 1 10.1.84.195 > 10.1.84.196
-------------
input: out on lan0 udp 10.1.80.196,16001 10.1.84.195,16000
nomatch ip 28(20) 17 10.1.80.196,16001 > 10.1.84.195,16000
-------------
input: out on lan0 udp 10.1.80.196,16001 10.1.85.195,16000
nomatch ip 28(20) 17 10.1.80.196,16001 > 10.1.85.195,16000
-------------
input: in on lan0 udp 10.1.84.195,16000 10.1.80.196,16001
pass ip 28(20) 17 10.1.84.195,16000 > 10.1.
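The evaluator below is an added example, not code from this guide or from the IPFilter project, that reproduces the ipftest workflow of this section in Python: it parses the rule subset used in Chapter 4 and the ipftest packet syntax shown above, applies the last-match-wins-unless-quick semantics, and reports pass, block or nomatch. It runs the SSH ruleset from “Using Keep State” and the egress ruleset from “Using Bidirectional Filtering Capabilities” against constructed packets; the service-name table and the treatment of keywords after the to clause are simplifying assumptions.

```python
"""Minimal ipftest-style evaluator for the rule subset used in this guide.

Added example; not HP-UX IPFilter or IPFilter project code.  Handles pass/block,
in/out, log, quick, on <iface>, proto <tcp|udp|icmp|tcp/udp>, from/to with a CIDR
or "any", "port = N", and "all".  Keywords after the "to" clause (keep state,
flags S, group/head N) are accepted but do not influence matching (assumption).
"""
import ipaddress
from collections import namedtuple

SERVICES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23}  # names used in the samples

# A parsed rule; None for iface/proto/src/dst/ports means "any".
Rule = namedtuple("Rule", "action direction quick iface proto src sport dst dport")
# ipftest packet description: "in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000"
Packet = namedtuple("Packet", "direction iface proto src sport dst dport")


def _endpoint(toks, i):
    """Parse "<addr|any> [port = N]" at toks[i]; return (network, port, next index)."""
    net = None if toks[i] == "any" else ipaddress.ip_network(toks[i], strict=False)
    i += 1
    port = None
    if i + 2 < len(toks) and toks[i] == "port" and toks[i + 1] == "=":
        name = toks[i + 2]
        port = SERVICES[name] if name in SERVICES else int(name)
        i += 3
    return net, port, i


def parse_rule(text):
    toks = text.split()
    f = dict(action=toks[0], direction=toks[1], quick=False, iface=None, proto=None,
             src=None, sport=None, dst=None, dport=None)
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "quick":
            f["quick"] = True
        elif tok in ("on", "proto"):
            i += 1
            f["iface" if tok == "on" else "proto"] = toks[i]
        elif tok == "from":
            f["src"], f["sport"], i = _endpoint(toks, i + 1)
            continue
        elif tok == "to":
            f["dst"], f["dport"], _ = _endpoint(toks, i + 1)
            break                    # trailing keywords do not affect matching
        i += 1                       # "log", "level x.y", "first", "all": nothing to record
    return Rule(**f)


def _host(tok):
    host, _, port = tok.partition(",")
    return ipaddress.ip_address(host), (int(port) if port else None)


def parse_packet(text):
    direction, _on, iface, proto, s, d = text.split()
    return Packet(direction, iface, proto, *_host(s), *_host(d))


def matches(r, p):
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or p.proto in r.proto.split("/"))
            and (r.src is None or p.src in r.src)
            and (r.dst is None or p.dst in r.dst)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules, pkt):
    """Last matching rule wins unless a matching rule says quick.  "nomatch"
    mirrors ipftest output; the filter's own default for such packets is pass."""
    verdict = "nomatch"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def run(rule_lines, packet_lines):
    rules = [parse_rule(r) for r in rule_lines]
    return [evaluate(rules, parse_packet(p)) for p in packet_lines]


def demo():
    """The SSH ruleset from "Using Keep State" and the egress ruleset from
    "Using Bidirectional Filtering Capabilities" against constructed packets."""
    ssh = ["pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 22 keep state",
           "pass out quick on lan0 proto tcp from any to any keep state",
           "block in quick all", "block out quick all"]
    egress = ["pass out quick on lan0 from 20.20.20.0/24 to any",
              "block out quick on lan0 from any to any"]
    packets = ["in on lan0 tcp 10.0.0.5,40000 20.20.20.1,22",   # constructed, not from the guide
               "in on lan0 tcp 10.0.0.5,40000 20.20.20.1,23",
               "in on lan1 tcp 10.0.0.5,40000 20.20.20.1,22",
               "out on lan0 udp 20.20.20.1,53 10.0.0.5,53",
               "out on lan0 tcp 192.168.1.1,1234 1.2.3.4,80"]
    return {"ssh": run(ssh, packets), "egress": run(egress, packets)}
```

Note that the SSH ruleset blocks the same packets on lan1 that it passes on lan0, and that the egress ruleset, having no in rules, reports nomatch for inbound packets, which is exactly the gap “Creating a Complete Filter by Interface” warns about.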
The ipnat Utility

Use the ipnat utility to view and load NAT rules. The default NAT rules file is /etc/opt/ipf/ipnat.conf.

Syntax
ipnat

Options
-f Reads rules from a specified rules file.
-l Views NAT rules and active mappings.
-C Flushes the current ruleset.
-F Removes active mappings.
-r Removes rules from the NAT rules file.

Example
Enter the following command:
ipnat -CF -f /etc/opt/ipf/ipnat.
Unsupported Utilities and Commands

HP does not support the following public domain IPFilter utilities and commands:
• Rule keywords
  — fastroute
• Commands
  — ipscan
  — ipsyncs
  — ipsyncm
  — ipfs
  — ipsend
  — ipresend
• Application proxy
6 HP-UX and IPv6 Support

This chapter describes IPv6 support in HP-UX IPFilter.
• Product Installation and Dependencies
• Rules Configuration
• Commands
• New Features for IPv6
• Command and Configuration Examples
• Installation Details and Dependencies
• Features Not Supported with IPv6
• Key Points to Note
Using IPv6 Support in HP-UX IPFilter

IPv6 support has been added to HP-UX IPFilter. The functionality is mostly equivalent to IPv4 functionality in HP-UX IPFilter. There are some differences, which are described in this chapter.

Product Configuration
No new software modules or filesets have been introduced in the IPv6 version. The current version of HP-UX IPFilter has been enhanced to include IPv6 functionality.
Similarly, rules cannot mix IPv4 and IPv6 addresses. For example, the following rule is not valid:

pass in proto tcp from 101.11.23.1 to 3ffe::2

Filter Rules
The syntax of basic filter rules is not changed for IPv6. The same set of keywords applies and has the same effect.
ipf
The ipf command is used to manipulate IPFilter rules. The ipf command with options has the capability of reading, deleting, or swapping rules.
ipfstat
The ipfstat command generates packet filter statistics and filter lists. It also uses the -6 option for IPv6, but only for the following operations:
• -i—Lists IN rules
• -o—Lists OUT rules
• -h—Lists rule hits

For example, to list the IN rule hits for IPv6, use the following command:

ipfstat -6 -ih

ipmon
There are no major changes to logging for IPv6.
ICMPv6 filtering
ICMPv6 filtering must be carefully configured to ensure that an IPv6 network functions properly. For example, do not block Neighbor Discovery messages (type 135 and 136). Other examples of critical ICMPv6 messages are Destination Unreachable (type 1) and Packet Too Big (type 2). HP-UX IPFilter enables you to uniquely identify an ICMPv6 message using its type and code. A new keyword, icmpv6-type, is introduced.
• Routing options header (routing)
• Authentication header (ah)
• IPSec header (esp)
• IPv6 header for tunneled packets (ipv6)
• IPv6 fragment (frags)

Currently, filtering is available to either block or pass packets with designated extension headers.
Fragmentation
Unlike IPv4, a fragment cache is not maintained for IPv6 fragments. It is possible to filter IPv6 fragments using the “with v6hdrs frags” keywords.
Key Points to Note
• If the -6 option is not specified in the ipf and ipfstat commands, the operation is applied to IPv4 rules.
• IPv6 filtering is enabled only if IPv6 interfaces are configured.
• The following separate files for IPv4 and IPv6 are loaded during boot:
  — IPv4: opt/ipf/ipf.conf
  — IPv6: opt/ipf/ipf6.conf
  Rules can be loaded from any other file, but IPv4 and IPv6 rules should not be loaded from the same file.
7 HP-UX IPFilter and FTP

This chapter describes how to filter FTP services.
• FTP Basics
• WU-FTPD on HP-UX
• Running an FTP Server
• Running an FTP Client

CAUTION
NAT and FTP are incompatible. If you are using FTP on your IPFilter system, do not use NAT rules.
FTP Basics

The File Transfer Protocol (FTP) is a user-level protocol for transferring files between host computers. An FTP session involves two separate connections:
• Control connection
  1. The server listens for client connections on port 21.
  2. The client opens a connection to server port 21 from a client port above 1023.
  3. The client uses this connection to send commands to, and receive replies from, the server. This connection lasts through the FTP session.
WU-FTPD on HP-UX

The HP implementation of the FTP daemon for HP-UX 11i core networking is based on the WU-FTPD daemon, version 2.4. Additional security corrections have been added in WU-FTPD 2.6.1. HP recommends upgrading to WU-FTPD 2.6.1 for enhanced security. For systems on HP-UX 11.0, you can upgrade to WU-FTPD 2.6.1 from either the legacy FTP version that is delivered with the core networking products on 11.0, or from WU-FTPD 2.
Running an FTP Server

This section describes active FTP and passive FTP server setup.

Active FTP

FTP Server              Direction of Connection Initiated    FTP Client
port 21 control port    <----------------                    any port 1024 or higher
port 20 data port       ---------------->                    any port 1024 or higher

On an FTP server using active FTP, configure IPFilter rules to allow control connections in and data connections out.
To use IPFilter to protect passive FTP sessions, you must limit the port range your system can use for FTP access. For example, you can allocate ports 15001-15500 as FTP ports and only open up that range of your firewall. In WU-FTPD, you use the passive ports directive in the /etc/ftpaccess configuration file to designate the ports, as follows:

passive ports 15001 15500

See the ftpaccess (4) manpage for details on WU-FTPD configuration.
Running an FTP Client

As with FTP servers, there are two types of FTP client transfers, active and passive.

Active FTP

FTP Server              Direction of Connection Initiated    FTP Client
port 21 control port    <----------------                    any port 1024 or higher
port 20 data port       ---------------->                    any port 1024 or higher

To let an FTP client open an active FTP session, configure IPFilter rules to allow control connections out and data connections in.
Passive FTP

FTP Server                  Direction of Connection Initiated    FTP Client
port 21 control port        <----------------                    any port 1024 or higher
any port 1024 or higher     <----------------                    any port 1024 or higher
(data port)

To let an FTP client open a passive FTP session, configure IPFilter to allow both the control and data connections out.
8 HP-UX IPFilter and RPC

This chapter describes the use of RPC with IPFilter.
• Introduction
• Quick Start Information
• Configuration Files
Introduction

The script information and configuration files in this chapter are designed to allow a system running IPFilter/9000 to run server processes that use the Remote Procedure Call (RPC) mechanism. The purpose is to automate the construction of appropriate IPFilter rules for RPC server processes that do not use a fixed port number, but register their port numbers with rpcbind instead.
Quick Start Information

To use RPC with IPFilter:
1. Copy the sample file to /etc/rc.config.d/rpc_ipfconf:
   cp rpc_ipfconf.sample /etc/rc.config.d/rpc_ipfconf
   Edit the file as needed.
2. Create the rpc.ipf directory and change to that directory:
   mkdir /etc/opt/ipf/rpc.ipf
   cd /etc/opt/ipf/rpc.ipf
3. Create an empty RPC rules file:
   touch /etc/opt/ipf/rpc.ipf/rpc.rules
4. Start the script configuration:
   ./rpc.
Configuration Files

Rules Files
This section gives details on the two rules files that contain the IPFilter rules. The two rules files are:
• The IPFilter rules file specified in $IPF_CONF in /etc/rc.config.d/ipfconf
• The IPFilter RPC rules file specified in $RPC_RULES_FILE in /etc/rc.config.d/rpc_ipfconf

NOTE
See the following section for a description of /etc/rc.config.d/rpc_ipfconf. A sample file is also provided.
The /etc/opt/ipf/rpc.ipf/rpc_ipfconf file contains the client list and program list. The sample file grants access to the program numbers listed from the IP addresses and IP subnets listed in the client list. The example shown in the sample file lists the program numbers used by an NFS server, rpc.mountd, rpc.statd, rpc.lockd, and nfsd. This file also has the following declared:
• ADD_RPC_IPFILTER_RULES=1
  Set this to 1 to configure RPC IPFilter rules.
9 HP-UX IPFilter and IPSec

This chapter describes how HP-UX IPFilter and HP-UX IPSec work together.
• IPFilter and IPSec Basics
• IPSec UDP Negotiation
• When Traffic Appears to Be Blocked
• Allowing Protocol 50 and Protocol 51 Traffic
• IPSec Gateways
IPFilter and IPSec Basics

IPSec and IPFilter will not panic or corrupt each other. However, there are situations in which one product might block traffic for the other. The following figure shows the positions of IPFilter and IPSec in the network stack:

Figure 9-1 IPFilter and IPSec
    IPSec
    IPFilter

IPFilter, which is below IPSec in the networking stack, filters network packets before they reach IPSec.
There is no overlap between the configurations of IPFilter and IPSec in this network topology, so there are no conflicts in Scenario One.

CAUTION
HP-UX IPSec does not support NAT traversal. If you are using HP-UX IPFilter with HP-UX IPSec, do not use NAT functionality. However, it is possible that IPFilter and NAT can be used in network configurations containing other vendors’ IPSec products that do support NAT traversal.
IPSec UDP Negotiation

You can configure IPSec and IPFilter so that there is some overlap in the configurations. However, you must be sure the overlapping configurations do not block each other. IPSec negotiates between two machines over UDP port 500, and over UDP port 4500 if IPSec NAT traversal is used. If the IPFilter configuration is so broad that it blocks all UDP traffic, then IPSec cannot complete negotiations.
When TCP traffic is initiated from A to B or from B to A, IPSec on both machines communicates through a UDP/500 connection. You must configure IPFilter on machine A to let this traffic through. To do so, add the following rules to your configuration:

pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.
When Traffic Appears to Be Blocked

In the following scenario there is overlap in the configurations of IPFilter and IPSec. To get this negotiation through, you must configure IPFilter rules to let TCP traffic through.

Figure 9-4 Scenario Three
A 10.10.10.10                       B 15.15.15.
Allowing Protocol 50 and Protocol 51 Traffic

IPSec uses Encapsulating Security Payload (ESP) to provide data confidentiality and Authentication Header (AH) to provide data integrity at the IP layer. Depending on a user’s IPSec traffic policy configuration, IPSec inserts ESP, AH, or both as protocol headers that immediately follow the IP header of an IP datagram.
If the IPFilter configuration is so broad that it blocks protocol 50 or protocol 51 traffic, then IPSec traffic will not get through.

Figure 9-7 Scenario Four
A 10.10.10.10                                   B 15.15.15.15
IPSec     <--------------- TCP --------------->  IPSec
IPFilter  -----block !TCP-----

In Scenario Four, IPSec is configured to encrypt TCP traffic between the two machines and IPFilter is configured to block non-TCP traffic.
IPSec Gateways

You can configure IPSec to encrypt and authenticate traffic to a gateway between two end hosts. A configuration that encrypts IPSec packets to a gateway is called an IPSec tunnel. IPFilter can coexist with IPSec tunnels without conflict. However, you must configure IPFilter to allow IPSec traffic with the gateway instead of the end node.
10 HP-UX IPFilter and Serviceguard

This chapter describes configuration procedures for HP-UX IPFilter used in a Serviceguard environment.
It contains the following sections for using HP-UX IPFilter with Serviceguard:
• Local Failover
• Remote Failover
  — Filtering on a Package IP Address
  — Mandatory Rules
• DCA Remote Failover
Using HP-UX IPFilter with Serviceguard

HP-UX IPFilter supports local failover in a Serviceguard environment.

CAUTION
NAT functionality is not supported with Serviceguard.

Local Failover

NOTE
See the Serviceguard documentation for information on configuring a local failover system in Serviceguard.

IPFilter local failover is transparent to users. Network sessions are not disrupted during failover or failback.
Remote Failover

HP-UX IPFilter is a system firewall and as such should be installed on end systems. Connections to an IPFilter system that are lost during a remote failover must be reinitiated. Install and configure HP-UX IPFilter on each node of a Serviceguard cluster that must be protected. The IPFilter configuration for the primary node might be different from the configuration for the backup nodes.
The classes of mandatory rules cover:
• Intra-Cluster Communication
• Quorum Server
• Remote Command Execution
• Cluster Object Manager
• Serviceguard Manager

The following services should not be blocked:

hacl-qs      1238/tcp
clvm-cfg     1476/tcp
hacl-hb      5300/tcp
hacl-hb      5300/udp
hacl-gs      5301/tcp
hacl-cfg     5302/tcp
hacl-cfg     5302/udp
hacl-probe   5303/tcp
hacl-probe   5303/udp
hacl-local   5304/tcp
hacl-test    5305/tcp
hacl-dlm     5408/tcp
For a simplified HP-UX IPFilter configuration, use the following rules:

pass in quick from to any
pass out quick from any to

For more restrictive HP-UX IPFilter configurations, use the following rules to allow only the required cluster services to pass through:

pass in quick proto tcp from to port 5299 >< 5305 flags S keep state
pass in quick proto udp from to
In the previous set of rules, are all nodes in the cluster, is the specific remote node, and are all other nodes outside the cluster that are designated in the cmclnodelist file for remote command access.

Running the cmscancl command requires that the “shell” port be open.
Serviceguard Manager

If you are using the station-management version of Serviceguard Manager, you must configure rules to let SNMP traffic pass between all nodes in the cluster and the Serviceguard Manager node.
entry from any TCP/IP packet, not just a SYN packet. A limit table entry is created. Any new connections that exceed the connection limit are rejected. After the state table entry is created for a particular 4-tuple of source/destination IP address and source/destination TCP port, further packets of this connection are processed against the state table entry and not against the rules table.
A HP-UX IPFilter Configuration Examples

This appendix provides IPFilter configuration examples.
IPFilter. You can take useful rules that you find in these examples and copy them into /etc/opt/ipf/ipf.conf, which is your HP-UX IPFilter configuration file. These files are taken from the files provided with the open source IPFilter product.
BASIC_1.FW

#!/sbin/ipf -f
#
# SAMPLE: RESTRICTIVE FILTER RULES
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a
# firewall for the above connections.
#
#------------------------------------------------------
# Block short packets which are packets fragmented too short to
# be real packets.
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.
pass in quick proto tcp from any to any port = www keep state group 201
#
#------------------------------------------------------
block in log proto tcp from any to a.b.c.
BASIC_2.FW

# SAMPLE: PERMISSIVE FILTER RULES
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a
# firewall for the above situation.
#
#------------------------------------------------------
# Short packets which are packets fragmented too short to be
# real packets.
# loopback interface should *NOT* exist
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
#------------------------------------------------------
# Allow any communication between the inside network and the
# outside only.
example.1

#
# block all incoming TCP packets on lan0 from host 10.1.1.1 to
# any destination.
#
block in on lan0 proto tcp from 10.1.1.
example.2

#
# block all outgoing TCP packets on lan0 from any host to port
# 23 of host 10.1.1.2
#
block out on lan0 proto tcp from any to 10.1.1.
example.3

# block all inbound packets.
#
block in from any to any
#
# pass through packets to and from localhost.
#
pass in from 127.0.0.1/32 to 127.0.0.1/32
#
# allow a variety of individual hosts to send any type of IP
# packet to any other host.
#
pass in from 10.1.3.1/32 to any
pass in from 10.1.3.2/32 to any
pass in from 10.1.3.3/32 to any
pass in from 10.1.3.4/32 to any
pass in from 10.1.3.5/32 to any
pass in from 10.1.0.13/32 to any
pass in from 10.1.
example.4

#
# block all ICMP packets.
example.5

#
# test ruleset
#
# allow packets coming from foo to bar through.
#
pass in from 10.1.1.2 to 10.2.1.1
#
# allow any TCP packets from the same subnet as foo is on
# through to host 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets that are NOT from port 53 and are
# destined for localhost
#
pass in proto udp from 10.2.2.
example.6

#
# block all TCP packets with only the SYN flag set (this is the
# first packet sent to establish a connection) out of the
# SYN-ACK pair.
example.7

# block all ICMP packets.
#
block in proto icmp all
#
# allow in ICMP echos and echo-replies.
example.8

#
# block all incoming TCP connections but send back a TCP-RST
# for ones to the ident port
#
block in proto tcp from any to any flags S/SA
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
#
# block all inbound UDP packets and send back an ICMP error.
example.9
example.10

#
# pass ack packets (ie established connection)
#
pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 ... flags A/A
pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 ... flags A/A
#
# block incoming connection requests to my internal network
# from the internet.
#
block in on lan0 proto tcp from any to 10.1.0.0/16 flags S/SA
#
# block the replies:
block out on lan0 proto tcp from 10.1.0.
example.11

#
# allow any TCP packets from the same subnet as foo is on
# through to host 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are
# destined for localhost
#
pass in proto udp from 10.2.2.
example.12

#
# get rid of all short IP fragments (too small for valid
# comparison)
#
block in proto tcp all with short
#
# drop and log any IP packets with options set in them.
example.13

#
# log all short TCP packets to lan3, with 10.3.3.3 as the
# intended destination for the packet.
#
block in on lan0 to lan3:10.3.3.3 proto tcp all with short
#
# log all connection attempts for TCP
#
pass in on lan0 dup-to lan1:10.3.3.3 proto tcp all flags S/SA
#
# route all UDP packets through transparently.
#
pass in on ppp0 fastroute proto udp all
#
# route all ICMP packets to network 10 out through lan1, to
# 10.3.3.
example.sr

#
# log all inbound packets on lan0 which has IP options present
#
log in on lan0 from any to any with ipopts
#
# block any inbound packets on lan0 which are fragmented and
# "too short" to do any meaningful comparison on. This actually
# only applies to TCP packets which can be missing the flags/ports
# (depending on which part of the fragment you see).
#
#
# block any inbound UDP packets destined for these subnets.
#
block in on lan0 proto udp from any to 10.1.3.0/24
block in on lan0 proto udp from any to 10.1.1.0/24
block in on lan0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that
# are destined for these subnets.
#
block in on lan0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on lan0 proto tcp from any to 10.1.2.
firewall

#Configuring IP Filter for firewall usage.
=========================================

Step 1 - Block out "bad" IP packets.
-----------------------------------
Run the perl script "mkfilters".
server

#
# For a network server, which has two interfaces, 128.1.40.1
# (lan0) and 128.1.2.1 (lan1), we want to block all IP spoofing
# attacks. lan1 is connected to the majority of the network,
# while lan0 is connected to a leaf subnet.
# We're not concerned about filtering individual services
#
#
pass in quick on lan0 from 128.1.40.0/24 to any
block in log quick on lan0 from any to any
block in log quick on lan1 from 128.1.1.
tcpstate

#
# Only allow TCP packets in/out of lan0 if there is an outgoing
# connection setup somewhere, waiting for it.
BASIC.NAT

#!/sbin/ipnat -f
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# If only one valid IP address from the ISP, then use this
# rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> a.b.c.d/32
#
# If a different dialup IP address is assigned each time, then
# use this rule:
map ppp0 w.x.y.
# For ftp to work using the internal ftp proxy, use the
# following rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.
nat.eg

# map all tcp connections from 10.1.0.0/16 to 240.1.0.1,
# changing the source port number to something between
# 10,000 and 20,000 inclusive. For all other IP packets,
# allocate an IP between 240.1.0.0 and 240.1.0.255,
# temporarily for each new user.
#
map lan1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map lan1 10.1.0.0/16 -> 240.1.0.0/24
#
# Redirection is triggered for input packets.
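The two nat.eg map rules, modelled as an added example (not code from the manual or from IPFilter): a small NAT table that applies the portmap rule to TCP sessions and the address-pool rule to all other traffic from 10.1.0.0/16 on lan1, keeps a per-session mapping so later packets of a session reuse it, and reverses the mapping for replies. The sequential port and pool allocation is an assumption made for illustration; real ipnat chooses ports and pool addresses differently.

```python
from ipaddress import ip_address, ip_network
from itertools import count

# Constructed model of the two nat.eg "map" rules (not IPFilter's own code):
#   map lan1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
#   map lan1 10.1.0.0/16 -> 240.1.0.0/24
# Assumption: ports are handed out sequentially and pool addresses in
# ascending order; ipnat's real allocation strategy differs.
MAP_IFACE = "lan1"
INSIDE = ip_network("10.1.0.0/16")
PORTMAP_ADDR, PORT_LO, PORT_HI = "240.1.0.1", 10000, 20000
POOL = [str(a) for a in ip_network("240.1.0.0/24")]   # 240.1.0.0 .. 240.1.0.255

class NatTable:
    def __init__(self):
        self.flows = {}        # (proto, src_ip, src_port) -> (nat_ip, nat_port)
        self.reverse = {}      # (proto, nat_ip, nat_port) -> (src_ip, src_port)
        self.host_addr = {}    # inside host -> pool address for non-TCP traffic
        self.next_port = count(PORT_LO)
        self.free_pool = list(POOL)

    def outbound(self, iface, proto, src_ip, src_port=None):
        """Translate a packet leaving on iface. Returns (nat_ip, nat_port), or
        None when neither rule matches and the packet goes out untranslated."""
        if iface != MAP_IFACE or ip_address(src_ip) not in INSIDE:
            return None
        key = (proto, src_ip, src_port)
        if key in self.flows:                  # existing session keeps its mapping
            return self.flows[key]
        if proto == "tcp":                     # rule 1: portmap onto one address
            port = next(self.next_port)
            if port > PORT_HI:
                raise RuntimeError("portmap range 10000:20000 exhausted")
            nat = (PORTMAP_ADDR, port)
        else:                                  # rule 2: one pool address per host
            if src_ip not in self.host_addr:
                if not self.free_pool:
                    raise RuntimeError("address pool 240.1.0.0/24 exhausted")
                self.host_addr[src_ip] = self.free_pool.pop(0)
            nat = (self.host_addr[src_ip], src_port)
        self.flows[key] = nat
        self.reverse[(proto,) + nat] = (src_ip, src_port)
        return nat

    def inbound(self, proto, dst_ip, dst_port=None):
        """Undo the translation for a reply to a mapped session, or None."""
        return self.reverse.get((proto, dst_ip, dst_port))
```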
nat-setup

Configuring NAT on your network.
================================

To start setting up NAT, we need to define which is your "internal" interface and which is your "external" interface. The "internal" interface is the network adapter connected to the network with private IP addresses which you need to change for communicating on the Internet. The "external" interface is configured with a valid internet address.
Or if you wanted to allocate subnets to each IP#, you might do:

map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
map ppp0 10.1.3.0/24 -> 209.23.1.
B  HP-UX IPFilter Static Linking

This appendix provides instructions for statically linking the HP-UX IPFilter kernel modules to the kernel for HP-UX 11i v1 and HP-UX 11i v2.
Static Linking

IPFilter has two kernel modules: pfil, a STREAMS module, and ipf, a WSIO pseudo-driver. Both are dynamically loadable kernel modules. When IPFilter is installed on an HP-UX system using swinstall, these two modules are loaded and configured as dynamically linked modules. They can be loaded and unloaded when required without shutting down the system, as long as the modules are not currently in use.
3. Use the kmsystem command to set the loadable parameter to N.

   $ kmsystem -l N -c Y ipf
   $ kmsystem -q ipf

   Table B-3

   Module   Configured   Loadable
   ipf      Y            N

   $ kmsystem -l N -c Y pfil

4. Use the following command to build the new kernel with the modified configuration:

   $ config /stand/system

5. Use the kmupdate command to prepare the system to boot from the new kernel during the next system shutdown.
Static Linking of HP-UX IPFilter on HP-UX 11i v2

Use the following steps to statically link the IPFilter modules to the kernel with HP-UX 11i v2:

1. Set up the IPFilter modules to be statically linked to the kernel using the kcmodule command. The modules will be statically linked at the next system boot. See the kcmodule (1M) manpage for further details. For example:

   $ kcmodule -K -h -s pfil=static
   $ kcmodule -K -h -s ipf=static

2. Reboot the system.
C  Performance Guidelines

This appendix provides performance guidelines for the use of HP-UX IPFilter.
You must take operating environment limits into account when you configure HP-UX IPFilter. To provide flexibility, HP-UX does not enforce maximum configuration limits. You must therefore take care not to overburden HP-UX IPFilter systems, or unpredictable consequences may result.
System Configuration

The following are four suggestions for HP-UX system configuration for optimal performance:

Figure C-1 Processing packets through a system

Table C-1 Processing Packets through a System

Packets from the Internet                      Packets to the Internet
1 Packets enter the system                     5 Packets enter the system
2 Processed by inbound IPFilter processing     6 Processed by inbound IPFilter processing
3 Processed by outbound IPFilter processing    7 Processed
disabling the intranet interface (using ipf -D lan2 in this example), each packet is processed only once in each direction (2 and 7). Do not disable any interface on an end system.

2. If your system has multiple CPUs and LAN cards, be sure traffic is divided evenly between the CPUs. The interrupt migration and PerfView utilities can be used to determine whether traffic is spread evenly between CPUs.

3. Dedicate a CPU to each LAN card, if possible.
Rule Loading

When you load a large number of new rules into a ruleset, the system must search the existing rulesets for duplicate rules, which slows down the loading process. For example, if there is no group rule and there are 5000 rules on the system, the system searches through all 5000 rules to be sure there is no duplication before adding each new rule. HP-UX IPFilter searches for duplicate rules by group, so grouping rules shortens that search.
Rule Configuration

To configure IPFilter rules for optimal system performance:

• Avoid using return-rst whenever possible. From both security and performance perspectives, it is better for IPFilter to block packets silently than to return a reset packet that reveals a live address.

• Avoid logging whenever possible. Excessive logging can impact both storage and CPU performance on the system. Determine the appropriate logging level for your environment.
pass in quick proto tcp from 15.13.104.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.105.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.106.
pass in log limit freq ... keep limit 500
• Consolidate rules whenever possible, to minimize searching. For example:

pass in quick proto tcp from 15.13.103.72 to any keep limit 80
pass in quick proto tcp from 15.13.103.0-15.13.103.6 to any keep limit 44
pass in quick proto tcp from 15.13.103.
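The consolidation shown above replaces a run of single-host rules with one rule carrying an address range. The following script, added here as an example and not part of the manual or of the IPFilter distribution, performs that rewrite mechanically for the rule subset used in these examples: rules that differ only in a single-host source and share the same action, direction, protocol, destination and trailing options are merged into one rule per contiguous address range, using the a.b.c.d-a.b.c.e form shown above, while rules with a subnet or "any" source are passed through unchanged. The parser is a simplification of ipf.conf syntax written for this example, and SAMPLE_RULES is a constructed ruleset.

```python
import re
from ipaddress import IPv4Address

# Parser for the rule subset used in these examples (a simplification written
# for this example, not IPFilter's own parser):
#   (pass|block) (in|out) [quick] proto P from SRC to DST [port/keep/group ...]
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\s+(quick\s+)?proto\s+(\S+)"
                     r"\s+from\s+(\S+)\s+to\s+(\S+)\s*(.*)$")
HOST_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+(/32)?$")   # single-host source

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    action, direction, quick, proto, src, dst, tail = m.groups()
    return action, direction, bool(quick), proto, src, dst, " ".join(tail.split())

def consolidate(lines):
    """Merge rules that differ only in a single-host source into one rule per
    contiguous address range; rules whose source is a subnet or a keyword
    such as "any" are passed through unchanged, in their original order."""
    buckets = {}                                   # dict keeps first-seen order
    for line in lines:
        action, direction, quick, proto, src, dst, tail = parse_rule(line)
        if not HOST_RE.match(src):
            buckets.setdefault(("raw", line.strip()), [])
        else:
            key = (action, direction, quick, proto, dst, tail)
            buckets.setdefault(key, []).append(IPv4Address(src.split("/")[0]))
    out = []
    for key, ips in buckets.items():
        if key[0] == "raw":
            out.append(key[1])
            continue
        action, direction, quick, proto, dst, tail = key
        ips = sorted(set(ips))                     # duplicate hosts collapse here
        runs, lo = [], ips[0]
        for prev, cur in zip(ips, ips[1:]):
            if int(cur) != int(prev) + 1:          # an address gap ends the run
                runs.append((lo, prev))
                lo = cur
        runs.append((lo, ips[-1]))
        for a, b in runs:
            src = str(a) if a == b else f"{a}-{b}"
            out.append(f"{action} {direction} {'quick ' if quick else ''}proto "
                       f"{proto} from {src} to {dst}" + (f" {tail}" if tail else ""))
    return out

# Constructed sample ruleset (not from the manual): four host rules plus one subnet rule.
SAMPLE_RULES = [
    "pass in quick proto tcp from 15.13.103.1 to any keep limit 44",
    "pass in quick proto tcp from 15.13.103.2 to any keep limit 44",
    "pass in quick proto tcp from 15.13.103.3 to any keep limit 44",
    "pass in quick proto tcp from 15.13.103.72 to any keep limit 44",
    "pass in quick proto tcp from 15.13.104.0/24 to any port = 23 keep limit 500 group 201",
]
```

Running consolidate(SAMPLE_RULES) reduces the five rules to three: the range 15.13.103.1-15.13.103.3, the lone host 15.13.103.72, and the untouched subnet rule.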
Traffic

To manage IPFilter for optimal system performance:

• Keep the state entries at a manageable level. Many state entries require many CPU cycles to process them. Too many state entries can cause noticeable degradation on a system.

• Keep packet searches on rulesets as short as possible. On a 750-MHz PA-RISC system, a 1000 to 2000 rule search is acceptable. If IPFilter traffic is light, a 5000 rule search is the recommended maximum.
For example, the normal region in Figure C-2 shows normal system operation. The system should not operate in the marginal region for a long period of time. Configure your system to raise an alarm if the system reaches the critical level. Define these criteria based on your operating environment.
Performance Monitoring

The performance of an IPFilter system depends primarily on four major factors:

• Number and length of rule searches (rule organization)
• Types of rules
• Network traffic
• System configuration

Monitor your system performance to ensure proper operation. HP recommends the following:

• Use ipfstat -ioh to monitor the rule searches. If a rule has a high hit count, this indicates that the rule can be optimized.