HP-UX IPFilter Version A.03.05.14 Administrator's Guide
Firewall Building Concepts
Using Bidirectional Filtering Capabilities
You can use bidirectional filtering to limit packets leaving a system to
those that come from a specific subnet. For example, to limit traffic
passing out of the IPFilter system to packets coming from the
20.20.20.0/24 subnet, configure the following rules:
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
If a packet originates from IP address 20.20.20.1/32, it is sent out by the
first rule. If a packet originates from IP address 1.2.3.4/32, it is blocked
by the second rule.
You can also configure similar rules for unroutable addresses. If a
machine routes a packet through IPFilter with a destination of
192.168.0.0/16, you can drop it to save bandwidth. Use the following
ruleset:
block out quick on lan0 from any to 192.168.0.0/16
block out quick on lan0 from any to 172.16.0.0/12
block out quick on lan0 from any to 10.0.0.0/8
This also protects other systems, because packets with spoofed addresses cannot be sent from your site.
NOTE: The in and out directions are relative to the IPFilter system itself.
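The rule matching described above, simulated in Python as an added example (not part of the guide). It assumes the simplified ipf.conf syntax shown on this page, IPFilter's default of passing packets that match no rule, and constructed sample addresses; both rulesets are combined into one, with the ordering caveat explained in the comments.

```python
import ipaddress

# Constructed ruleset combining both rulesets from the text. The private-
# destination blocks come first: the 'pass ... quick' rule ends evaluation,
# so placed first it would let 20.20.20.0/24 reach 10.0.0.0/8 unchecked.
RULES = """\
block out quick on lan0 from any to 192.168.0.0/16
block out quick on lan0 from any to 172.16.0.0/12
block out quick on lan0 from any to 10.0.0.0/8
pass out quick on lan0 from 20.20.20.0/24 to any
block out quick on lan0 from any to any
"""

def parse_rule(line):
    """Parse the ipf.conf subset used here:
    <action> <dir> [quick] on <if> from <src> to <dst>."""
    tok = line.split()
    return {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "if": tok[tok.index("on") + 1],
            "src": tok[tok.index("from") + 1],
            "dst": tok[tok.index("to") + 1]}

def addr_matches(spec, ip):
    """'any' matches everything; otherwise CIDR or /32 host containment."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, direction, iface, src, dst):
    """Return (action, rule_index) using IPFilter semantics: the last
    matching rule wins unless a matching rule carries 'quick', which ends
    evaluation at once. With no matching rule the default is pass."""
    result = ("pass", None)
    for i, r in enumerate(rules):
        if r["dir"] != direction or r["if"] != iface:
            continue
        if addr_matches(r["src"], src) and addr_matches(r["dst"], dst):
            result = (r["action"], i)
            if r["quick"]:
                break
    return result

RULESET = [parse_rule(l) for l in RULES.splitlines()]

# Same rules with 'quick' dropped from the pass rule: last match then wins.
RULESET_NOQUICK = [parse_rule(l.replace("pass out quick", "pass out"))
                   for l in RULES.splitlines()]
```

Evaluating the 20.20.20.1 packet against RULESET_NOQUICK shows why quick matters: without it the final block rule is the last match and the packet is dropped.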