HP-UX IPFilter Version A.03.05.14 Administrator's Guide
Firewall Building Concepts
Improving Performance with Rule Groups
Chapter 4
block in log quick on lan0 from any to 20.20.20.255/32 group 1
pass in on lan0 all group 1
pass out on lan0 all
block out quick on lan1 all head 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.65/32 port = 53 keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.66/32 port = 53 keep state group 10
The rules marked group 10 are only examined after the head 10 rule has matched, and that rule
matches only traffic going out on lan1. A packet destined for a host on the lan2 network therefore
fails the head rule and IPFilter bypasses all of the rules in group 10 for it; only a packet that
is going out on lan1 pays the cost of walking the group. If no rule in the group matches such a
packet, the head rule's own action (here block ... quick) applies.
Multi-level grouping is also supported, allowing IPFilter rules to be arranged in hierarchical,
nested groups. A single rule can carry both keywords: group places it inside an existing group,
and head starts a new group beneath it that is consulted only when that rule matches. Each level
narrows the range a packet must fall into before the rules below it are evaluated, which is how
multi-level grouping improves performance. The following is an example of multi-level rule
grouping:
pass in proto tcp from 1.0.0.0-9.0.0.0 to any port = 23 keep state head 1
pass in proto tcp from 2.0.0.0-8.0.0.0 to any port = 23 keep state head 2 group 1
pass in proto tcp from 3.0.0.0-7.0.0.0 to any port = 23 keep state head 3 group 2
pass in proto tcp from 4.0.0.0-6.0.0.0 to any port = 23 keep state head 4 group 3
pass in proto tcp from 5.0.0.0-5.5.0.0 to any port = 23 keep state group 4
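To make the head/group walk concrete, the following Python script is an added example written for this section; it is not code from the HP-UX guide or from IPFilter itself. It parses the two rule sets shown on this page (only the ipf.conf keywords they use), models the descent described above (a group is consulted only after its head rule matches, quick ends the search, otherwise the last match decides), and reports which rules IPFilter would actually consult for a constructed sample packet. The packet model, the helper names (packet, parse_rule, evaluate) and the sample addresses are assumptions for illustration, and state-table lookups from keep state are not modelled, so every packet is run through the rules.

```python
"""Trace which IPFilter rules are evaluated for a packet under head/group rules (added example, not
HP-UX or IPFilter code). A 'group N' rule is consulted only after 'head N' matched, 'quick' ends the
search, otherwise the last match decides. Only the ipf(5) keywords used on this page are parsed."""
import ipaddress

def packet(direction, iface, proto, src, dst, dport=0, sport=0, flags=""):  # flags: TCP flags present, e.g. "S"
    return dict(direction=direction, iface=iface, proto=proto, src=src, dst=dst,
                dport=dport, sport=sport, flags=flags)

def parse_addr(tok):
    """'any', a host or CIDR a.b.c.d[/n], or an inclusive range a.b.c.d-e.f.g.h."""
    if "-" in tok:
        return ("range",) + tuple(int(ipaddress.IPv4Address(a)) for a in tok.split("-"))
    return ("any",) if tok == "any" else ("net", ipaddress.IPv4Network(tok, strict=False))

def parse_rule(line):
    """Parse one ipf.conf line; keywords outside the subset used on this page raise."""
    toks, i = line.split(), 2
    r = dict(text=line, action=toks[0], direction=toks[1], quick=False, iface=None, proto=None,
             src=("any",), dst=("any",), srcport=None, dstport=None, flags=None, head=None, group=None)
    while i < len(toks):
        t, i = toks[i], i + 1
        if t == "quick":
            r["quick"] = True
        elif t in ("log", "all"):      # neither changes matching ('from any to any' is the default)
            pass
        elif t == "keep":              # 'keep state': accepted, state table not modelled here
            i += 1
        elif t in ("on", "proto", "head", "group"):
            r["iface" if t == "on" else t] = int(toks[i]) if t in ("head", "group") else toks[i]
            i += 1
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            r[side], i = parse_addr(toks[i]), i + 1
            if toks[i:i + 2] == ["port", "="]:      # optional 'port = N' after the address
                r[side + "port"], i = int(toks[i + 2]), i + 3
        elif t == "flags":             # with ipf's default mask: exactly these flags must be set
            r["flags"], i = frozenset(toks[i]), i + 1
        else:
            raise ValueError(f"unsupported keyword {t!r} in: {line}")
    return r

def addr_match(spec, ip):
    ip = ipaddress.IPv4Address(ip)
    if spec[0] == "range":
        return spec[1] <= int(ip) <= spec[2]
    return spec[0] == "any" or ip in spec[1]

def matches(r, p):                     # rule fields left at None are wildcards
    if r["direction"] != p["direction"] or r["iface"] not in (None, p["iface"]):
        return False
    if r["proto"] not in (None, p["proto"]) or r["flags"] not in (None, frozenset(p["flags"])):
        return False
    if r["srcport"] not in (None, p["sport"]) or r["dstport"] not in (None, p["dport"]):
        return False
    return addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])

def evaluate(rules, pkt):
    """Return (verdict, deciding rule or None, the rules evaluated, in order)."""
    top, groups, seen = [], {}, []
    for r in rules:
        (top if r["group"] is None else groups.setdefault(r["group"], [])).append(r)
    def scan(rule_list, current):
        for r in rule_list:
            seen.append(r)
            if not matches(r, pkt):
                continue
            current = r                                       # last match wins; a matching head
            if r["head"] is not None:                         # descends into its group, whose result
                current = scan(groups.get(r["head"], []), r)  # defaults to the head rule itself
            if current["quick"]:                              # quick stops the search at every level
                return current
        return current
    final = scan(top, None)
    return (final["action"] if final else "pass"), final, seen   # nothing matched: ipf's default is pass

# The two rule sets from this page (the lan0 rules and the 'group 1' rule, whose head is on an earlier page, are left out).
GROUP10_RULES = [parse_rule(l) for l in """\
block out quick on lan1 all head 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.65/32 port = 53 keep state group 10
pass out quick on lan1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state group 10
pass out quick on lan1 proto udp from any to 20.20.20.66/32 port = 53 keep state group 10
""".splitlines()]
NESTED_RULES = [parse_rule(l) for l in """\
pass in proto tcp from 1.0.0.0-9.0.0.0 to any port = 23 keep state head 1
pass in proto tcp from 2.0.0.0-8.0.0.0 to any port = 23 keep state head 2 group 1
pass in proto tcp from 3.0.0.0-7.0.0.0 to any port = 23 keep state head 3 group 2
pass in proto tcp from 4.0.0.0-6.0.0.0 to any port = 23 keep state head 4 group 3
pass in proto tcp from 5.0.0.0-5.5.0.0 to any port = 23 keep state group 4
""".splitlines()]

if __name__ == "__main__":    # constructed sample packet (not from the page) leaving on lan2
    verdict, final, seen = evaluate(GROUP10_RULES, packet("out", "lan2", "tcp", "10.1.1.5", "20.20.20.70", dport=80, flags="S"))
    print(f"lan2 packet: {verdict}, {len(seen)} of {len(GROUP10_RULES)} rules evaluated, "
          f"decided by: {final['text'] if final else 'no rule'}")
```

Run as a script it reports that the outbound lan2 packet is compared against the head 10 rule alone (1 of 8 rules) and matches nothing, so it falls through to whatever the rest of the rule set says. Passing other constructed packets to evaluate() shows the other cases: an outbound SYN on lan1 to 20.20.20.70 port 80 stops at the first group 10 rule (2 rules evaluated), one to port 25 walks all eight before the head rule's block applies, and a SYN/ACK to port 80 is blocked too because flags S with the default mask accepts only a bare SYN. For the nested set, a packet from 9.5.0.1 is compared against head 1 only, one from 1.5.0.0 matches head 1 but fails head 2 and keeps head 1's result, and one from 5.2.0.9 descends through all four heads to the group 4 rule.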
You can group your rules by protocol, machine, netblock, or any other logical criterion that lets
IPFilter skip rules a packet cannot match, reducing the number of rules evaluated per packet.
There is no hard limit to the number of group levels you can nest. For more information, see
Appendix C, “Performance Guidelines,” on page 181.