HP-UX IPFilter Version A.03.05.14 Administrator's Guide
Firewall Building Concepts
Using port and proto to Create a Secure Filter
To configure IPFilter for effective security, use several techniques and
building blocks together.
For example, you can configure rules to allow rsh, rlogin, and telnet to
run only on your internal network. Your internal network subnet is
20.20.20.0/24. All three services use specific TCP ports (513, 514, and
23). Configure the following rules in the following order:
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 11
block in log quick on lan0 proto icmp from any to any
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 513
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 514
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 23
pass in all
Be sure the rules for the services are placed before the pass in all rule
to close them off to systems outside your network.
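To make the ordering requirement concrete, here is an added example (not from the HP-UX guide) that parses the rule set above and applies IPFilter's matching semantics to constructed packets: the last matching rule decides the verdict, unless a matching rule carries quick, which stops evaluation at that rule. The packet dictionaries, the destination host 20.20.20.5 and the helper names are assumptions.

```python
import ipaddress

PAGE_RULES = """
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 11
block in log quick on lan0 proto icmp from any to any
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 513
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 514
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 23
pass in all
"""

def parse_rules(text):
    """Parse the subset of ipf.conf syntax used above into dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        r = {"action": tok[0], "quick": "quick" in tok}
        for i, t in enumerate(tok):
            if t == "proto":
                r["proto"] = tok[i + 1]
            elif t == "to" and tok[i + 1] != "any":
                r["dst"] = ipaddress.ip_network(tok[i + 1])
            elif t == "port":                # written as "port = N"
                r["port"] = int(tok[i + 2])
            elif t == "icmp-type":
                r["icmp_type"] = int(tok[i + 1])
        rules.append(r)
    return rules

def matches(r, pkt):
    """A field the rule does not name matches anything (the 'any' case)."""
    return (r.get("proto") in (None, pkt["proto"])
            and (r.get("dst") is None or ipaddress.ip_address(pkt["dst"]) in r["dst"])
            and r.get("port") in (None, pkt.get("dport"))
            and r.get("icmp_type") in (None, pkt.get("icmp_type")))

def evaluate(rules, pkt):
    """Last matching rule wins, unless a matching rule carries 'quick', which stops there."""
    verdict = "pass"                         # IPFilter's default when nothing matches
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

# Constructed sample packets arriving on lan0 from outside 20.20.20.0/24 (assumed host).
TELNET = {"proto": "tcp", "dst": "20.20.20.5", "dport": 23}
PING = {"proto": "icmp", "dst": "20.20.20.5", "icmp_type": 8}
```

Remove quick from the port 23 rule and evaluate() returns pass for the same telnet packet, because pass in all becomes the last matching rule; that is why the service rules must both precede pass in all and carry quick.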
To block UDP instead of TCP, replace proto tcp with proto udp. The
rule for syslog would then be:
block in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 514
Several services allow you to block by port number for security:
• syslog on UDP port 514
• portmap on TCP port 111 and UDP port 111
• lpd on TCP port 515
• NFS on TCP port 2049 and UDP port 2049
• X11 on TCP port 6000
To get a complete listing of the ports being listened on, use netstat -a, or
check /etc/services.