HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Rules and Keywords
IPFilter Keywords
Chapter 2
dup-to: Drop-Safe Logging
IPFilter can pass packets on to another system for additional logging,
examination, and processing.
Instead of configuring IPFilter rules only to drop packets, you can
configure rules that hand a copy of each packet to another system, one
that can perform more extensive logging and analysis than ipmon does. A
firewall system can have multiple interfaces, and one of them can be
reserved for this purpose: a dedicated interface and network segment,
called a "drop-safe", that receives nothing but packet copies. You send
packets to the drop-safe with the dup-to keyword.
For example, to configure IPFilter to send a copy of every packet going
out the lan0 interface to the drop-safe network attached to the ed0
interface, include this rule in your filter list:
pass out on lan0 dup-to ed0 from any to any
You can also direct the copy to a specific IP address on your drop-safe
network by appending the address to the interface name. For example:
pass out on lan0 dup-to ed0:192.168.254.2 from any to any
This method rewrites the destination address of the copied packet (to
192.168.254.2 in the example), so the copy that arrives on the drop-safe
network no longer carries the address the packet was really sent to.
That reduces the usefulness of the logs kept there: the collector cannot
tell which host the original packet was addressed to. For this reason,
HP recommends using only the interface form, dup-to ed0, which forwards
an unmodified copy, so that every address in the drop-safe log
corresponds to a real endpoint of the traffic IPFilter is logging.
In general, dup-to ed0 is all that is required to get a new copy of the
packet over to the drop-safe network for logging and examination. Note
that the drop-safe receives a copy of all traffic the rule matches, in
the clear, so it must be an isolated segment reachable only by the
logging or analysis host, and on busy links you may want to narrow the
from/to portion of the rule rather than copying everything.
You could also use this feature to build an intrusion detection network.
Because the intrusion detection system sits on the drop-safe segment,
receives only copies, and never needs to transmit on the real network,
it has no presence there that an attacker could detect or probe from the
outside.
In addition, there are some operational characteristics that should be
noted. The to keyword redirects the packet itself rather than a copy, so
if you are only dealing with blocked packets, which would otherwise be
discarded anyway, you can use the to keyword as described in "Using the
to Keyword to Capture Blocked Packets" on page 75. If the system is
configured to pass packets, the original must still be delivered, so you
should configure rules with the dup-to keyword to make a copy of the
packet for the drop-safe log.
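The following is an added example, not code from the HP-UX IPFilter guide: a small lint that reads an ipf.conf-style rule list and reports the two drop-safe pitfalls discussed above, the dup-to interface:address form that rewrites the copy's destination, and a pass rule bound to the drop-safe interface (which would let real traffic onto the segment that is supposed to stay hidden). It parses only the subset of ipf rule grammar used in this section (action, direction, log/quick, on, dup-to, to, from/to) and the rule set it checks is constructed for the example; the interface names lan0 and ed0 are taken from the rules above.

```python
"""Lint IPFilter rules that use dup-to / to for a drop-safe network.

Added example, not part of the HP-UX IPFilter guide. Supports only the
rule subset used in the dup-to section: action, direction, optional
log/quick, on <iface>, optional dup-to/to <iface[:addr]>, from/to.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rule set (not a real configuration). lan0 is the
# production interface; ed0 is the interface on the drop-safe network.
SAMPLE_RULES = """\
# copy everything leaving lan0 to the drop-safe network, unchanged
pass out on lan0 dup-to ed0 from any to any
# address form: the copy's destination is rewritten to the collector
pass out on lan0 dup-to ed0:192.168.254.2 from any to any
# blocked packets need no copy: 'to' moves them to the drop-safe
block in log on lan0 to ed0 from any to any
# mistake: real traffic allowed out the drop-safe interface
pass out quick on ed0 from any to any
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<direction>in|out)"
    r"(?P<flags>(?:\s+(?:log|quick))*)"
    r"\s+on\s+(?P<iface>\S+)"
    r"(?:\s+dup-to\s+(?P<dup>\S+))?"
    r"(?:\s+to\s+(?P<to>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s*$"
)


@dataclass
class Rule:
    line: int
    action: str
    direction: str
    iface: str
    dup_to: Optional[str]   # interface[:addr] that receives a copy
    to: Optional[str]       # interface[:addr] that receives the packet itself
    text: str

    def target(self) -> Optional[str]:
        """Interface part of the dup-to/to operand, without any :addr."""
        t = self.dup_to or self.to
        return t.split(":", 1)[0] if t else None


def parse_rules(text: str) -> List[Rule]:
    """Parse the supported rule subset; comments and blank lines are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unsupported rule syntax: {line}")
        rules.append(Rule(n, m["action"], m["direction"], m["iface"],
                          m["dup"], m["to"], line))
    return rules


def lint(rules: List[Rule]) -> List[str]:
    """Return one finding per drop-safe pitfall found in the rule list."""
    findings = []
    # Every interface named as a dup-to/to target is treated as drop-safe.
    drop_safe_ifaces = {r.target() for r in rules if r.target()}
    for r in rules:
        # dup-to iface:addr rewrites the copied packet's destination, so the
        # collector no longer sees the address the packet really had.
        if r.dup_to and ":" in r.dup_to:
            findings.append(
                f"line {r.line}: dup-to {r.dup_to} rewrites the copy's "
                f"destination address; prefer dup-to {r.target()}")
        # A pass rule bound to the drop-safe interface lets production
        # traffic reach the drop-safe segment, so the collector or IDS
        # there is no longer hidden from the real network.
        if r.action == "pass" and r.iface in drop_safe_ifaces and not r.target():
            findings.append(
                f"line {r.line}: pass rule on drop-safe interface {r.iface}; "
                f"packets should reach it only via dup-to or to")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_rules(SAMPLE_RULES)):
        print(finding)
```

Run against the sample it reports the address-form dup-to rule and the pass rule on ed0, and is silent for the plain `pass out on lan0 dup-to ed0 from any to any` rule the guide recommends. Extending it to a real ipf.conf means widening the regular expression to the rest of the rule grammar (proto, ports, keep state), which this example deliberately leaves out.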