HP-UX IPFilter Version A.03.05.14 Administrator's Guide
HP-UX IPFilter and Serviceguard
Using HP-UX IPFilter with Serviceguard
Chapter 10, page 140
Remote Failover
HP-UX IPFilter is a system (host-based) firewall and as such should be
installed on the end systems themselves, not treated as a shared cluster
resource. Connections that are open to an IPFilter system when a remote
failover occurs are lost and must be reinitiated by the client; IPFilter
state on the failed node is not carried over to the node that takes over
the package.
Install and configure HP-UX IPFilter on each node of a Serviceguard
cluster that must be protected. The IPFilter configuration for the
primary node might differ from the configuration for the backup nodes.
For example, a backup node might be multi-homed and require a different
rule set. Rules that filter on the static IP address of the receiving
node differ for each node in the cluster, and so do rules that filter on
interface names, because interface names are specific to each node.
Filtering on a Package IP Address
HP-UX IPFilter can filter on a package IP address. A package IP address
is a relocatable address that corresponds to a logical network interface
and moves with its package from node to node.
For example, telnet connections are made to the primary cluster node at
the package IP address 17.13.24.105, and you want IPFilter to let that
telnet traffic through. Configure the following rule for incoming telnet
connections made to the telnet package:
pass in proto tcp from any to 17.13.24.105 port = 23 flags S keep state
The port = 23 clause limits the rule to telnet; without it the rule would
pass every TCP service offered at the package address. flags S matches
only the initial SYN of a connection, and keep state lets the rest of
that connection through without further rules.
You can replace 17.13.24.105 with the package name in this rule if the
package has been configured properly and has a DNS entry. ipf resolves
host names when the rules are loaded, so the name must resolve on every
node at load time, and a later DNS change does not take effect until the
rules are reloaded.
Configure this rule on the backup nodes as well. This ensures that when
the telnet package fails over to a backup node, a rule is already in
place on that node that lets new telnet connections pass as required.
This type of configuration can be used with any package.
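The following Python script is an added example, not code from this guide or from HP. It generates the per-node rule sets described above (node-specific interface and static-address rules that differ between nodes, package-IP rules that are identical on every node that can host the package) and then audits a set of deployed ipf.conf files for the failover gap the text warns about: a package rule present on the primary but missing on a backup. Only the telnet package address 17.13.24.105 comes from the text; the node names, interface names, static addresses and the second package are constructed sample values, and Serviceguard's own mandatory cluster rules are not included.

```python
"""Per-node HP-UX IPFilter rule sets for a Serviceguard cluster.

Added example; not code from the HP-UX IPFilter Administrator's Guide or
from HP. Node names, interface names, static addresses and the 'appsrv'
package are constructed; 17.13.24.105 is the telnet package address from
the text. Serviceguard's mandatory cluster rules are not included.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    ip: str            # package (relocatable) IP address
    tcp_ports: tuple   # TCP services the package offers, (23,) for telnet


@dataclass(frozen=True)
class Node:
    name: str
    static_ip: str     # the node's own, non-relocatable address
    interfaces: tuple  # interface names differ between nodes
    packages: tuple    # packages this node may run, as primary or backup


def package_rules(pkg):
    """Pass rules for a package IP. The text is identical on every eligible
    node so the rule follows the package; 'flags S keep state' lets new
    connections be set up on the backup after a failover."""
    return [
        f"pass in proto tcp from any to {pkg.ip} port = {port} flags S keep state"
        for port in pkg.tcp_ports
    ]


def node_rules(node):
    """Full rule set for one node. ipf applies the last matching rule, so the
    'block ... all' defaults come first and later pass rules override them."""
    rules = ["block in all", "block out all"]
    # Node-specific rules: bound to this node's interfaces and static address
    # (constructed: SSH to the node itself, plus the node's own outbound TCP).
    for ifname in node.interfaces:
        rules.append(
            f"pass in on {ifname} proto tcp from any to {node.static_ip} "
            f"port = 22 flags S keep state"
        )
    rules.append(f"pass out proto tcp from {node.static_ip} to any flags S keep state")
    # Package rules: the same on every node that may host the package.
    for pkg in node.packages:
        rules.extend(package_rules(pkg))
    return rules


def normalize(conf_text):
    """Rule lines of an ipf.conf: drop comments and blank lines, collapse spaces."""
    out = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(" ".join(line.split()))
    return out


def missing_package_rules(nodes, conf_by_node):
    """Return (node, package, rule) for every package rule absent from a
    node's configuration. Each result is a failover gap: the package could
    move to that node and its service would be blocked there."""
    gaps = []
    for node in nodes:
        loaded = set(normalize(conf_by_node[node.name]))
        for pkg in node.packages:
            for rule in package_rules(pkg):
                if rule not in loaded:
                    gaps.append((node.name, pkg.name, rule))
    return gaps


TELNET = Package("telnet", "17.13.24.105", (23,))       # address from the text
APPSRV = Package("appsrv", "17.13.24.110", (8443,))     # constructed second package

NODE1 = Node("node1", "17.13.24.11", ("lan0",), (TELNET, APPSRV))          # primary
NODE2 = Node("node2", "17.13.24.12", ("lan0", "lan1"), (TELNET, APPSRV))   # multi-homed backup
CLUSTER = (NODE1, NODE2)

# Constructed deployed ipf.conf contents: node2's copy omits the telnet package rule.
DEPLOYED = {
    "node1": "\n".join(node_rules(NODE1)),
    "node2": "\n".join(r for r in node_rules(NODE2) if "17.13.24.105" not in r),
}

if __name__ == "__main__":
    for node in CLUSTER:
        print(f"# {node.name}")
        print("\n".join(node_rules(node)), "\n")
    for gap in missing_package_rules(CLUSTER, DEPLOYED):
        print("MISSING on %s for package %s: %s" % gap)
```

Run the script as is to print both nodes' rule sets and the audit result; in practice the audit would be fed the contents of each node's /etc/opt/ipf/ipf.conf after a change, before the rules are loaded with ipf.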
Mandatory Rules
Each node in a Serviceguard cluster has specific rules that must be
configured. These rules ensure that:
• Normal remote failovers are not disrupted.
• No false remote failovers are triggered because IPFilter blocks traffic
that it should pass.