HP-UX IPFilter Version A.03.05.14 Administrator's Guide
Firewall Building Concepts
Combining IP Address and Network Interface Filtering
If you know that your system will send and receive packets only to and
from specific IP addresses on specific interfaces, configure your IPFilter
rules to allow traffic only from those addresses on those interfaces.
Some address ranges also have a defined purpose and should never appear
as a source on certain interfaces. The following examples show rulesets
that block packets arriving from, or destined for, places that should not
be sending or receiving traffic on that interface.
For example, to block packets with private (RFC 1918) or loopback source
addresses from entering on lan0:
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
pass in all
It is common for software to communicate with itself on 127.0.0.1, so a
packet carrying a loopback source address should never arrive from outside.
Blocking it on lan0 stops an attacker from spoofing a local source while
leaving real loopback traffic (on lo0) untouched, because the rule is
restricted to lan0. Likewise, no packets with a 10.0.0.0/8 (or other
RFC 1918) source should come in on an external lan0: these addresses are
not routable on the Internet, so such packets are spoofed or misrouted, and
any reply to them could never be delivered.
If you have an internal network, you can be sure that traffic carrying a
source address from that network should only arrive on the interface that
connects to it. If a packet with an internal source address arrives on an
external interface (a dialup link or an external LAN interface), it is
spoofed and should be blocked by IPFilter.
For example, if your internal network subnet is 20.20.20.0/24, use the
following rules to keep packets claiming a source in this subnet from
entering through the external lan0 interface:
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in quick on lan0 from 20.20.20.0/24 to any
pass in all
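The rulesets above depend on two IPFilter evaluation rules: every rule in the
list is checked in order and the last matching rule decides the packet's fate,
except that a matching rule marked "quick" ends evaluation immediately. Without
"quick", the final "pass in all" would match every packet last and override
every block above it. The following Python evaluator is an added example, not
code from the HP-UX IPFilter guide or from the ipf tool. It parses only the
subset of rule syntax used on this page (action, direction, "quick",
"on <interface>", and "from <net> to <net>" or "all"; no protocols, ports or
state) and applies both rulesets from the text to constructed sample packets.
The interface name lan1 and the sample addresses are assumptions made for the
demonstration.

```python
import ipaddress

# Constructed sample ruleset: the anti-spoofing rules from the text, with the
# assumed internal subnet 20.20.20.0/24 added as in the second example.
RULESET_EXTERNAL = """
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in quick on lan0 from 20.20.20.0/24 to any
pass in all
"""

# Same rules with every "quick" removed, to show why the keyword matters.
RULESET_NO_QUICK = RULESET_EXTERNAL.replace(" quick", "")


def parse_rule(line):
    """Parse one rule in the subset of ipf(5) syntax used on this page."""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": False,
            "iface": None, "src": None, "dst": None}
    i = 2
    if i < len(toks) and toks[i] == "quick":
        rule["quick"] = True
        i += 1
    if i < len(toks) and toks[i] == "on":
        rule["iface"] = toks[i + 1]
        i += 2
    if toks[i] == "all":                      # "pass in all" style rule
        return rule
    if toks[i] != "from" or toks[i + 2] != "to":
        raise ValueError("unsupported rule syntax: %r" % line)
    for key, tok in (("src", toks[i + 1]), ("dst", toks[i + 3])):
        # "any" matches every address; anything else is a CIDR network.
        rule[key] = None if tok == "any" else ipaddress.ip_network(tok, strict=False)
    return rule


def load_rules(text):
    """Parse a ruleset, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def matches(rule, direction, iface, src, dst):
    """True if the rule's direction, interface and address sets all match."""
    if rule["dir"] != direction:
        return False
    if rule["iface"] is not None and rule["iface"] != iface:
        return False
    if rule["src"] is not None and src not in rule["src"]:
        return False
    if rule["dst"] is not None and dst not in rule["dst"]:
        return False
    return True


def evaluate(rules, direction, iface, src, dst):
    """Apply IPFilter semantics: rules are checked in order and the LAST
    matching rule wins, unless a matching rule is 'quick', which stops
    evaluation at once. A packet matching no rule is passed."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    result = "pass"
    for rule in rules:
        if matches(rule, direction, iface, src, dst):
            result = rule["action"]
            if rule["quick"]:
                break
    return result


if __name__ == "__main__":
    rules = load_rules(RULESET_EXTERNAL)
    for src in ("10.1.2.3", "127.0.0.1", "20.20.20.5", "203.0.113.7"):
        print("in lan0 from %-12s -> %s" % (src, evaluate(rules, "in", "lan0", src, "20.20.20.1")))
    # Same packet, same rules minus "quick": "pass in all" matches last and wins.
    print("no quick, from 10.1.2.3  ->", evaluate(load_rules(RULESET_NO_QUICK), "in", "lan0", "10.1.2.3", "20.20.20.1"))
```

Note that the rules only cover packets coming "in" on lan0: a spoofed packet arriving on another interface, or a packet leaving with a bad source address, is still passed by the final "pass in all". If the box forwards traffic, add matching "block out quick" rules for the external interface as well.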