Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness
for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental, or consequential
damages in connection with the furnishing, performance, or use of this material.
Warranty A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your
local Sales and Service Office.
U.S. Government License Proprietary computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR
12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed
to the U.S. Government under vendor’s standard commercial license.
Copyright Notice © Copyright 2001–2009 Hewlett-Packard Development Company, L.P. All rights reserved. Reproduction, adaptation, or
translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.
1 Overview.......................................................................................................................19
1.1 Benefits and Features......................................................................................................................19
1.2 Supported and Unsupported Features............................................................................................20
Table of Contents 3
3 Configuring and Loading IPv4 Filter Rules................................................................25
3.1 IPv4 Filter Rules Configuration File................................................................................................27
3.1.1 Format.....................................................................................................................................27
3.1.2 Rule Order and Processing......................................................................................................27
3.2 Basic Rule Syntax: Specifying the Action, Direction, Protocol, IP Addresses, and Ports...............28
3.2.1 pass and block: Specifying the Filter Action...........................................................................28
3.2.2 in and out: Specifying the Filter Direction..............................................................................28
3.2.3 proto: Specifying the Upper Layer Protocol...........................................................................28
3.2.4 from and to: Specifying IP Addresses and Subnets................................................................28
3.2.4.1 Examples.........................................................................................................................29
3.2.4.2 all: Specifying All IP Addresses......................................................................................29
3.2.4.2.1 Example...................................................................................................................29
3.2.5 port: Specifying TCP and UDP Ports......................................................................................29
3.2.5.1 Service Names.................................................................................................................30
3.3 Rate-based Filtering.........................................................................................................................30
3.4 Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces....31
3.4.1 Option Order...........................................................................................................................31
3.4.2 log: Logging Packets................................................................................................................31
3.4.3 quick: Optimizing IPFilter Rules Processing..........................................................................31
3.4.4 on: Filtering by Network Interfaces........................................................................................32
3.5 Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information.....33
3.5.1 Option Order...........................................................................................................................33
3.5.2 flags: Specifying TCP Header Flags........................................................................................33
3.5.3 with opt and ipopts: Specifying IP Options............................................................................34
3.5.3.1 not opt: Specifying Options Not Set................................................................................34
3.5.3.2 ipopts: Specifying Any IP Options..................................................................................34
3.5.4 with frag and with short: Selecting Fragmented IP Packets...................................................35
3.5.4.1 with frag: Selecting IP Packet Fragments........................................................................35
3.5.4.2 with short: Selecting Short Fragments............................................................................35
3.5.5 icmp-type and code: Filtering ICMP Traffic by Type and Code.............................................35
3.5.6 keep state: Protecting TCP, UDP, and ICMP Sessions.............................................................35
3.5.6.1 Allocating Memory for the State Table...........................................................................36
3.5.6.2 Using Keep State with TCP.............................................................................................36
3.5.6.2.1 Idle Timeout............................................................................................................37
3.5.6.3 Using Keep State with UDP............................................................................................37
3.5.6.3.1 Idle Timeout............................................................................................................37
3.5.6.4 Using Keep State with ICMP...........................................................................................37
3.5.6.4.1 Idle Timeout............................................................................................................37
3.5.6.4.2 ICMP Error Status Messages...................................................................................37
3.5.7 State Aging..............................................................................................................................37
3.5.7.1 Rule Examples.................................................................................................................38
3.5.8 keep frags: Handling IP Fragments........................................................................................38
3.6 Sending Responses for Blocked TCP and UDP Packets..................................................................39
3.6.1 return-rst: Responding to Blocked TCP Packets.....................................................................39
3.6.2 return-icmp-as-dest: Responding to Blocked UDP Packets....................................................39
3.7 Improving Performance with Rule Groups ....................................................................................40
3.8 Loading IPv4 Filter Rules................................................................................................................42
3.8.1 Verifying IPv4 Filter Rules......................................................................................................42
3.8.2 Removing IPFilter Rules..........................................................................................................43
3.9 Rule Tags.........................................................................................................................................43
3.9.1 Log Tags...................................................................................................................................43
3.9.2 NAT Tags.................................................................................................................................43
4 Configuring and Loading IPv6 Filter Rules................................................................45
4.1 IPv6 Filter Rules Configuration File................................................................................................45
4.2 Features Not Supported with IPv6..................................................................................................46
4.3 IPv6 Filter Rule Syntax Differences.................................................................................................46
4.3.1 Specifying Addresses..............................................................................................................46
4.3.2 Filtering ICMPv6 Packets........................................................................................................46
4.3.2.1 Stateful ICMPv6..............................................................................................................46
4.3.3 IPv6 Extension Headers..........................................................................................................47
4.3.4 Filtering Tunneled Packets......................................................................................................47
4.3.5 Filtering IPv6 Fragments.........................................................................................................48
4.3.6 Sending ICMPv6 Responses....................................................................................................48
4.4 Loading IPv6 Filter Rules................................................................................................................49
4.4.1 Verifying IPv6 Filter Rules......................................................................................................49
6.1.2.1.1 Inbound Packets......................................................................................................63
6.1.2.1.2 Outbound Packets...................................................................................................64
6.2 NAT Keywords................................................................................................................................65
6.2.1 Rule Examples.........................................................................................................................65
6.3 map and portmap: Mapping Outbound Packets............................................................................66
6.3.1 Examples.................................................................................................................................66
6.3.2 portmap Keyword...................................................................................................................66
6.3.3 map-block: Mapping to a Block of Addresses........................................................................67
6.4 rdr: Redirecting Inbound Packets....................................................................................................68
6.4.1 Redirecting Packets to a Specific Port.....................................................................................68
6.4.2 Using NAT Redirection with Filtering....................................................................................68
6.4.3 Using the rdr and round-robin Keywords for Load Balancing..............................................69
6.4.4 Sticky NAT Sessions................................................................................................................69
6.4.5 Checking Connection Health with l4check..........................................................................69
6.4.5.1 Syntax..............................................................................................................................69
6.4.5.2 Options............................................................................................................................69
6.4.5.3 Sample config File...........................................................................................................70
6.5 bimap: Bidirectional Mapping........................................................................................................71
6.6 Loading NAT Rules.........................................................................................................................72
7 Address Pooling...........................................................................................................73
7.1 The ippool Utility............................................................................................................................73
7.2 The ippool.conf File.........................................................................................................................73
7.3 Configuring Address Pool...............................................................................................................73
7.3.1 Syntax......................................................................................................................................73
7.3.2 Examples.................................................................................................................................74
9.3.2.2 Options............................................................................................................................90
9.3.2.3 Examples.........................................................................................................................90
9.3.2.4 ipmon and DCA Logging................................................................................................91
9.3.3 Analyzing IPFilter Log Events................................................................................................91
9.3.3.1 Syntax..............................................................................................................................92
9.3.3.2 ipmon.conf File Syntax....................................................................................................92
9.4 Troubleshooting Tips.......................................................................................................................92
9.5 Reporting Problems.........................................................................................................................94
A Product Specifications...............................................................................................127
A.1 Configuration Files.......................................................................................................................127
A.1.1 Example Configuration Files................................................................................................127
A.2 Unsupported Features..................................................................................................................128
A.3 Supported Utilities.......................................................................................................................128
A.4 Unsupported Utilities...................................................................................................................128
A.5 Supported and Unsupported Interfaces.......................................................................................128
B.8 example.6.......................................................................................................................................134
B.9 example.7.......................................................................................................................................135
B.10 example.8.....................................................................................................................................135
B.11 example.9.....................................................................................................................................135
B.12 example.10...................................................................................................................................135
B.13 example.11...................................................................................................................................135
B.14 example.12...................................................................................................................................136
B.15 example.13...................................................................................................................................136
B.16 example.sr....................................................................................................................................137
B.17 firewall.........................................................................................................................................138
B.18 server...........................................................................................................................................138
B.19 tcpstate.........................................................................................................................................138
B.20 BASIC.NAT..................................................................................................................................139
B.21 nat.eg...........................................................................................................................................139
B.22 nat-setup......................................................................................................................................140
B.23 ipmon.conf...................................................................................................................................141
B.24 pool.conf......................................................................................................................................141
E Performance Guidelines............................................................................................151
E.1 System Configuration...................................................................................................................151
E.2 Rule Loading.................................................................................................................................152
E.3 Rule Configuration........................................................................................................................152
E.4 Traffic.............................................................................................................................................153
E.5 Performance Monitoring...............................................................................................................154
Index...............................................................................................................................155
List of Figures
14-1 IPFilter and IPSec ........................................................................................................................117
14-2 Scenario One................................................................................................................................117
14-3 Scenario Two................................................................................................................................118
14-4 Scenario Three.............................................................................................................................118
14-5 Packet with Unencrypted TCP Data............................................................................................119
14-6 Packet with IPSec-Encrypted TCP Data .....................................................................................119
14-7 Scenario Four...............................................................................................................................119
E-1 Processing packets through a system..........................................................................................151
E-2 System Operation........................................................................................................................154
List of Tables
1 Publishing History Details............................................................................................................17
11-1 ICMP Type and Codes.................................................................................................................101
A-1 HP-UX IPFilter Supported Interfaces........................................................................................129
E-1 Processing Packets through a System..........................................................................................151
About This Document
This document describes how to install, configure, and troubleshoot HP-UX IPFilter version 17.
The latest version of this document can be found online at http://docs.hp.com.
Intended Audience
This document is intended for network managers or network security administrators who install,
configure, and troubleshoot HP-UX IPFilter on HP 9000 systems. Administrators are expected
to have knowledge of HP-UX operating system concepts, commands, and configuration.
Administrators are also expected to have knowledge of TCP/IP networking concepts and network
configuration.
This document is not a tutorial.
IMPORTANT: The following new features are supported on HP-UX 11i v3 only.
• Rate-based filtering: This new feature controls packet flow by defining the rate (packets per second) of matching packets passing through a machine. For more information, see “Rate-based Filtering” (page 30).
• Address pooling: Address pools establish a single reference to name a group of address/netmask pairs. For more information, see Chapter 7 (page 73).
• ipmon configuration file: This new feature simplifies IPFilter log analysis and allows monitoring for specific log events. For more information, see “Logging IPFilter Packets” (page 88).
• Rule tags: NAT and ipf rules can refer to each other with a tag, creating an implied join that forms part of the packet matching. For more information, see “Rule Tags” (page 43).
• State aging: You can override the default values and specify a different state age in IPFilter rules using age options. For more information, see “State Aging” (page 37).
• Named groups: Rule groups can now be referenced by name. For more information, see “Improving Performance with Rule Groups” (page 40).
• Sticky NAT sessions: NAT sessions can be redirected to the same destination IP to achieve source IP-based persistence. For more information, see “Sticky NAT Sessions” (page 69).
• The l4check utility: The l4check utility monitors for dead IP/port pairs and dynamically removes them from the list of load balanced IP addresses. For more information, see “Checking Connection Health with l4check” (page 69).
Fixes in this Release
Fixes for HP-UX 11i v3
QXCR1000923645—Provide tunable to enable/disable NAT functionality.
The new ipnat_enable tunable is provided to enable/disable NAT functionality. By default,
this tunable is set to 1. If you do not use NAT functionality, disabling this tunable will improve
performance.
QXCR1000888008—The ipfstat -io and ipfilter -q commands return the wrong status.
The ipfstat -io and ipfilter -q commands could show IPFilter status as up and running
when it is not plumbed into the stack. Two new messages have been added:
• IPFilter enabled but not filtering.
• IPFilter enabled and filtering traffic.
QXCR1000926632—The pfilboot script does not unplumb interface when interface is down.
This occurs when IPFilter is disabled and does not recognize a down interface that has the pfil
module loaded. In this case, the pfilboot script does not unplumb all interfaces and unload
the pfil module.
QXCR1000926637—The ipfstat -Q command causes panic when pfil module is not bound
to any interface.
The pfil module is a stream module. When it is not plumbed to any interface and the ipfstat
-Qv command is run, the system panics.
QXCR1000926726—Multicast packets more than 84 bytes are corrupted in IPFilter and dropped
in IP module.
Multicast packets more than 84 bytes are now received properly when IPFilter is enabled.
QXCR1000950055—The ipmon utility does not format IP addresses and protocol correctly.
The IP addresses are formatted as IPv6 addresses when they are IPv4 addresses. Protocol is
displayed as 159 instead of TCP, but can be any other value.
/usr/bin/ndd -set /dev/ip ip_forward_directed_broadcasts 1
You can specify ndd tunable values in the /etc/rc.config.d/nddconf file.
Prior to this fix, if you set the ip_forward_directed_broadcasts value to "0" in nddconf,
the ipfboot stop script reset the value back to "1" without referring to the nddconf file. Now,
the /etc/rc.config.d/nddconf file is checked when ipfboot stop is executed. If the
ip_forward_directed_broadcasts value is set in nddconf to 0 or 1, the ipfboot script does not
modify the ip_forward_directed_broadcasts value with the ndd command.
Typographic Conventions
This document uses the following typographical conventions:
%, $, or #: A percent sign represents the C shell system prompt. A dollar sign represents the system prompt for the Bourne, Korn, and POSIX shells. A number sign represents the superuser prompt.
audit(5): A manpage. The manpage name is audit, and it is located in Section 5.
Command: A command name or qualified command phrase.
Computer output: Text displayed by the computer.
Ctrl+x: A key sequence. A sequence such as Ctrl+x indicates that you must hold down the key labeled Ctrl while you press another key or mouse button.
ENVIRONMENT VARIABLE: The name of an environment variable, for example, PATH.
[ERROR NAME]: The name of an error, usually returned in the errno variable.
Key: The name of a keyboard key. Return and Enter both refer to the same key.
Term: The defined use of an important word or phrase.
User input: Commands and other text that you type.
Variable: The name of a placeholder in a command, function, or other syntax display that you replace with an actual value.
[]: The contents are optional in syntax. If the contents are a list separated by |, you must choose one of the items.
{}: The contents are required in syntax. If the contents are a list separated by |, you must choose one of the items.
...: The preceding element can be repeated an arbitrary number of times.
Indicates the continuation of a code example.
|: Separates items in a list of choices.
WARNING: A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
CAUTION: A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: This alert provides essential information to explain a concept or to complete a task.
NOTE: A note contains additional information to emphasize or supplement important points of the main text.
Related Information
Additional information about HP-UX IPFilter can be found at http://docs.hp.com in the
Internet and Security Solutions collection under HP-UX IPFilter at:
http://docs.hp.com/en/internet.html#IPFilter
Documents in this collection include:
• HP-UX IPFilter Version 17 Release Notes
• HP-UX IPFilter Version 16 Performance White Paper
For information about HP-UX Bastille, see the HP-UX Bastille user guide. This guide is available
at:
http://docs.hp.com
Publishing History
Table 1 Publishing History Details
Manufacturing Part Number | Supported Operating Systems | Supported Versions | Publication Date
1 Overview
HP-UX IPFilter, product number B9901AA version 17, is a TCP/IP packet filter suitable for use
as a system firewall. The version strings are as follows:
HP-UX IPFilter functions as a firewall by examining and limiting packets allowed in and out of
an HP-UX system, which can be either an end node or an IP router. Although HP-UX IPFilter is
a superset of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product
(developed by Darren Reed), HP does not support some of the perimeter firewall features in that
release, such as firewall stealth (fastroute). If you are using features that are not supported
by HP, you can request support from the open source IPFilter web site at the following URL:
http://caligula.anu.edu.au/~avalon
For a complete list of commands and utilities that are not supported by HP, see “Supported and
Unsupported Features” (page 20).
HP-UX IPFilter version 17 is available from the HP Software Depot at the following URL:
http://www.software.hp.com.
2 Installing HP-UX IPFilter
This chapter describes the procedures to install and configure HP-UX IPFilter software on your
system. It contains the following sections:
• “Overview of HP-UX IPFilter Installation” (page 21)
• “Step 1: Checking HP-UX IPFilter Installation Prerequisites” (page 21)
• “Step 2: Installing HP-UX IPFilter” (page 21)
• “Step 3: Verifying the Installation” (page 23)
• “Step 4: (Optional) Modifying Kernel Tunable Parameters” (page 23)
This chapter also describes how to remove HP-UX IPFilter software from your system (“Removing
HP-UX IPFilter” (page 23)).
IMPORTANT: Check the latest HP-UX IPFilter Release Notes for all other patch information.
To obtain information about a patch, execute the command:
swlist -l patch patch_id
3. Verify that you have superuser or appropriate HP-UX capabilities.
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network
connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX
IPFilter when critical network applications are running.
Disabling or enabling IPFilter briefly brings down all IP interfaces, then brings up
only the IP interfaces configured in the /etc/rc.config.d/netconf and
/etc/rc.config.d/netconf-ipv6 files. IP addresses not configured in the netconf or
netconf-ipv6 file, such as Serviceguard relocatable IP addresses, are not re-enabled.
Enabling or disabling IPFilter causes the system to briefly lose network connectivity. If a
system has several IP interfaces or there is heavy network traffic, the time required to
re-establish network connectivity might be interpreted as a network or card failure. For
example, Serviceguard might interpret a network interruption as a card failure, which can
cause it to reform the cluster.
3. If you are installing HP-UX IPFilter from removable media (disk), insert the media (disk)
into the appropriate drive.
4. Run the swinstall program using the command:
swinstall
The Software Selection window and Specify Source window open.
5. Change the Source Host Name if necessary, then enter the depot directory or the mount point
of the media drive in the Source Depot Path field. Click OK to return to the Software
Selection window. Click Help for more information.
The Software Selection window now contains a list of available software bundles to
install.
6. Highlight the HP-UX IPFilter software for your system type.
7. Select Mark for Install from the Actions menu to select the product to be installed.
With the exception of the manpages, you must install the complete IPFilter product.
8. Select Install from the Actions menu to begin the product installation and open the
Install Analysis window.
9. Click OK in the Install Analysis window when the Status field displays a Ready
message.
10. Click Yes on the Confirmation window to confirm that you want to install the software.
The Install window opens.
Check the Status field in the Install window for the installation status. When the fileset is
loaded, the Status field reads Ready and the Note window opens.
The estimated time for processing is three to five minutes.
11. Click OK on the Note window to reboot the system.
The user interface disappears and the system reboots.
12. After the system reboots, check the log files /var/adm/sw/swinstall.log and
/var/adm/sw/swagent.log to verify that the installation was successful.
NOTE: Do not run the HP-UX IPFilter product when the system is booted in single-user mode.
NOTE: The HP-UX IPFilter installation script disables subnet broadcast packet forwarding by
setting the kernel tunable parameter ip_forward_directed_broadcasts to 0. HP
recommends that you leave this feature disabled unless you have a specific need for your node
to forward subnet broadcast packets. Attackers can use subnet broadcast packet forwarding to
amplify attacks in Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
NOTE: Most of the information in this chapter has been derived from the IPFilter-based Firewalls
HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this document
at the following URL:
http://www.obfuscation.org/ipf/
3.1.1 Format
Entries in IPFilter rule files must meet the following requirements:
• Each rule must be contained on one line. Line continuation characters are not supported.
• IPFilter interprets all text to the right of a number symbol (#) as a comment.
• Extra white space is allowed and encouraged to keep the rules readable.
TIP: Many administrators find it easier to use the quick keyword in each rule and then order
the rules from most specific to least specific.
You can also modify IPFilter rules processing by configuring rule groups. See “Improving
Performance with Rule Groups ” (page 40) for more information.
NOTE: If you do not specify any outbound rules, the implied default is pass out all. If you
do not specify any inbound rules, the implied default is pass in all.
3.2.4.1 Examples
The following rule blocks all inbound packets from the 10.10.10.0 subnet to any IP address:
block in from 10.10.10.0/24 to any
The following rule blocks all inbound packets from the addresses 10.10.10.1, 10.10.10.2, and
10.10.10.3 to any IP address:
block in from 10.10.10.1-10.10.10.3 to any
The following rule blocks all inbound packets with the destination address 192.168.2.1:
block in from any to 192.168.2.1
The following rule blocks all inbound packets that do not have the destination address 10.1.1.1:
block in from any to !10.1.1.1
3.2.4.2.1 Example
block in all
IPFilter expands this rule to block in from any to any.
3.2 Basic Rule Syntax: Specifying the Action, Direction, Protocol, IP Addresses, and Ports 29
TIP: In most cases, it is not necessary to log every passed packet. Administrators often log only
blocked packets, and, in some cases, log only selected blocked packets. HP recommends that
you select the most important rules or the rules that are most likely to block attacks on your
system and log only those rules. Indiscriminate logging can clutter a log file and make it difficult
to detect notable events.
For example, if you want to log blocked packets from a specific subnet, such as 20.20.20.0/24,
use the following rule:
block in log from 20.20.20.0/24 to any
NOTE: You can use the log keyword with several other options to control and enhance logging
functionality and performance. See “Logging IPFilter Packets” (page 88) for more information.
3.4 Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces 31
TIP: Using the quick keyword also enables you to order rules from most specific to least
specific.
NOTE: The interface_name must be a physical interface name, such as lan0. It cannot be
a logical interface name, such as lan0:1.
For example, your system has two interfaces, lan0 and lan1, and you want to block packets
received on the lan0 interface. You configure the following rules:
block in quick on lan0 all
pass in all
The on keyword in the first rule specifies that the rule applies only to packets processed for the
named interface, lan0; because the direction for this rule is in, the rule applies only to inbound
packets received on lan0, which IPFilter blocks. If the system receives an inbound packet on
another interface, such as lan1, the first rule does not match. The second rule matches and
IPFilter allows the packet to pass.
You can also filter traffic using both IP addresses and network interface names. For example,
you want IPFilter to allow all inbound packets received from the subnet 192.168.0.0/16 only
if they are received on lan1. Configure the following rules:
pass in quick on lan1 from 192.168.0.0/16 to any
block in from 192.168.0.0/16 to any
The first rule allows packets from the 192.168.0.0/16 subnet to pass if they are received on
the lan1 interface. The on lan1 specification directs IPFilter to pass these packets only if they
are received on the lan1 interface. If the system receives a packet from the 192.168.0.0/16
subnet on any other interface, the packet matches the second rule and IPFilter blocks it.
3.5 Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information 33
If you omit /flags_checked, IPFilter checks all the TCP flags in the packet, so specifying
flags S is equivalent to specifying flags S/AFPRSU, and matches TCP packets that have the
SYN flag set and no other flags set.
To accommodate applications or user protocols that also set the URG or PSH flags when initiating
TCP connections, you can specify flags S/SAFR to allow SYN, SYN URG, or SYN PSH packets
but not allow SYN ACK packets. However, it is more secure to specify flags S (or flags
S/AFPRSU) when specifying flags S/SAFR or flags S/SA is not required.
The flags keyword is typically used with the keep state feature, as described in “Using
Keep State with TCP” (page 36).
3.5.5 icmp-type and code: Filtering ICMP Traffic by Type and Code
You can filter specific types of ICMP traffic using the icmp-type and icmp-code keywords.
These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service
(DoS) attacks, but must allow certain types of ICMP messages in and out of your system. These
keywords are also useful when you want to block traffic from blocks of addresses but want to
allow in ICMP packets required for normal network operation. See Chapter 11 (page 101) for
more information.
pass out quick proto tcp from 10.1.1.1/32 to any keep state
pass out quick proto udp from 10.1.1.1/32 to any keep state
pass out quick proto icmp from 10.1.1.1/32 to any keep state
For more examples of correct uses of the keep state keyword, see Appendix B (page 131).
NOTE: To configure rules to keep state on any outbound ICMP messages that might receive a
reply ICMP message, you must specify both the proto icmp and the keep state options.
To prevent an attacker from sending ICMP messages through your firewall when an active
connection is known to be in your state table, check the incoming ICMP packet type and code,
if applicable, in addition to the source and destination addresses (and ports, if applicable).
• ICMP—60 seconds
• UDP—120 seconds
• TCP—120 seconds
You can override the TCP default value when the connection is closed using the fr_tcptimewait
tunable, or by using the age option on a per-rule basis. The value specified in the rule gets priority
over the tunable value set at system level.
The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, only TCP
is supported. NAT provides the frnat_tcptimewait tunable to set the system level timeout.
IMPORTANT: Use age in a TCP rule only in the case of a DoS-type attack (ACK flood and so forth),
because it modifies the timeout value of the TIME_WAIT state in the TCP state table, which can
cause duplicate Initial Sequence Numbers (ISNs).
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60
In this example, every valid packet is entered into the state table before the blocking rules are
processed. To further protect the system, log initial SYN packets to detect SYN scans.
For a host on the lan2 network, IPFilter bypasses all the rules in group 10 when a packet is
not destined for hosts on that network.
Multi-level grouping is also supported, allowing IPFilter rules to be arranged in hierarchical,
nested groups. By using the head and group keywords in a rule, multi-level grouping allows
the user to fine tune a range to improve performance. The following is an example of a multi-level
rule grouping:
pass in proto tcp from 1.0.0.0-9.0.0.0 to any port = 23 keep state head 1
pass in proto tcp from 2.0.0.0-8.0.0.0 to any port = 23 keep state head 2 group 1
pass in proto tcp from 3.0.0.0-7.0.0.0 to any port = 23 keep state head 3 group 2
pass in proto tcp from 4.0.0.0-6.0.0.0 to any port = 23 keep state head 4 group 3
pass in proto tcp from 5.0.0.0-5.5.0.0 to any port = 23 keep state group 4
You can group your rules by protocol, system, netblock, or other logical criteria that help system
performance. The maximum number of nested group levels you can configure is 128. For more
information, see Appendix E (page 151).
Rule groups can also be referenced by name on HP-UX 11i v3. Referencing groups by name
makes the rule configuration more readable and lets you assign meaningful group names.
For example, if you have three groups for the external network, the DMZ network, and the
protected network, you can refer to the protected group by name as follows:
pass out quick on lan2 proto tcp from any to 20.20.20.164/26 port = 21 flags S keep state group protected-group
NOTE: When you load a ruleset, the new rules affect all matching packets immediately,
including packets for established connections. For example, if you load a new rule that blocks
telnet packets, IPFilter will block all telnet packets, including packets for established
telnet connections. The only exception to this behavior is for packets that match entries
in the IPFilter state table. In this case, IPFilter continues to apply the existing action (pass
or block) for these packets until the state table entry times out or is deleted (such as when
the connection is closed).
• To flush all rules from your ruleset, use the ipf -Fa command:
ipf -Fa
• IPFilter maintains an active ruleset and an inactive ruleset. The active ruleset is the ruleset
used for IPFilter operations, and the inactive ruleset is a supplementary, reserve ruleset.
By default, IPFilter applies the flush (-F) and file (-f) operations to the active ruleset. You
can also explicitly direct IPFilter to apply an operation to the active ruleset with the -A
option. For example:
ipf -Fa -A -f /etc/opt/ipf/ipf.conf
This command flushes all previously configured rules (-Fa), reads the rules in the
/etc/opt/ipf/ipf.conf file (-f), and loads these rules as the active rules (-A).
• To apply the ipf action to the inactive ruleset, specify the -I option. For example, the
following command flushes all rules in the inactive ruleset and adds rules from the
/etc/opt/ipf/ipf.conf file to the inactive ruleset:
ipf -IFa -f /etc/opt/ipf/ipf.conf
• To swap the current active ruleset with the new inactive ruleset, specify the -s option:
ipf -s
• To selectively flush only the inbound rules, specify the -Fi option. For example:
ipf -Fi
• To selectively flush only the outbound rules, specify the -Fo option. For example:
ipf -Fo
You can also specify the -Fi or -Fo option with a filename. This flushes the inbound or
outbound rules from the current ruleset, then reads in the rules from the specified file. For
example:
ipf -Fo -f /etc/opt/ipf/ipf.conf
NOTE: Extension headers are matched explicitly. A packet with only a destination option
header will not match the previous rule. Only packets with both mobility and destination option
headers will match the rule.
NOTE: When you load a ruleset, the new rules affect all matching packets immediately, including
packets for established connections. For example, if you load a new rule that blocks telnet
packets, IPFilter will block all telnet packets, including packets for established telnet
connections. The only exception to this behavior is for packets that match entries in the IPFilter
state table. IPFilter will continue to apply the existing action (pass or block) for these packets
until the state table entry times out or is deleted (such as when the connection is closed).
For more examples of commands to manage and load rulesets, see “Loading IPv4 Filter Rules”
(page 42) and “The ipf Utility” (page 95).
NOTE: On HP-UX 11i v1 systems, DCA is not supported with IPv6 addresses.
This chapter contains the following sections:
• “DCA with HP-UX IPFilter” (page 52)
— “Overview: DCA Functionality” (page 52)
• “DCA Rules Configuration Files” (page 52)
• “DCA Rule Syntax and Keywords” (page 53)
— “DCA Rule Conditions” (page 53)
— “keep limit: Limiting Connections” (page 53)
— “return-rst: Returning RESET Packets” (page 54)
— “cumulative: Limiting Cumulative Connections” (page 54)
— “log limit: Logging Exceeded Connections” (page 54)
— “log limit freq: Log Frequency ” (page 55)
• “Loading and Modifying DCA Rules” (page 57)
— “Updating keep limit Rules” (page 57)
— “Adding New keep limit Rules” (page 58)
— “Integrating keep limit Rules” (page 58)
— “Extracting an Individual Rule from a Subnet Rule” (page 59)
• “Enabling and Disabling DCA” (page 60)
— “Enabling and Disabling DCA Using ipf” (page 60)
— “Configuring IPFilter to Enable DCA at System Startup Time” (page 60)
• “Using IPFilter Utilities with DCA” (page 60)
— “keep limit Rules and Rule Hits” (page 61)
• “Monitoring and Allocating Memory for DCA Data” (page 62)
5.1 DCA with HP-UX IPFilter
An HP-UX IPFilter system can act as a secure intermediary, tracking all incoming TCP connections
to a system or network. DCA lets you limit incoming TCP connections passing through an IPFilter
system. You can use DCA to limit the number of inbound connections based on the source IP
address and optionally, the destination TCP port number. After a legal TCP connection is
established, DCA uses TCP state information to allow subsequent packets for the connection to
pass.
NOTE: To use DCA functionality, you must explicitly enable DCA mode. For more information,
see “Enabling and Disabling DCA” (page 60). DCA functionality does not work if DCA mode
is not enabled.
DCA uses IPFilter state table entries. To function correctly, you must have sufficient memory
allocated for the IPFilter state table. See “Monitoring and Allocating Memory for DCA Data”
(page 62).
IMPORTANT: The default individual connection limit must be the last rule in the configuration
file.
NOTE: Unlike noncumulative limits, cumulative summary logs are not printed when all the
connections under a cumulative limit are closed.
The following is an example cumulative summary log:
06/02/2004 19:32:39.370000 LIMIT LOG 19.13.15.65-19.13.15.85,* -> 0.0.0.0,23 PR ip Type 4 Cur Lim 1 Exceeded 1 @0:1 First Time 19:32:35.800000
The example log record was written for the following IP address range cumulative rule:
pass in log limit freq 1 quick proto tcp from 19.13.15.65-19.13.15.85 to any port = 23 keep limit 1 cumulative
In the example summary log, the source IP address displayed is actually the IP address range
specified in the rule. Wildcard IP addresses are shown as 0.0.0.0. The destination port
information is also printed from the rule. The other fields are similar to a noncumulative summary
record.
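As an added example that is not part of this manual or of HP's tooling, the following Python parses cumulative summary records of the shape shown above and totals the Exceeded counts per @group:rule, which is the first thing to look at when deciding which limits are being hit. The regular expression is an assumption built from the single record in the manual and should be checked against real ipmon output; the second and third sample records are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Pattern derived from the one cumulative summary record shown on this page; it is
# an assumption about ipmon's exact layout and should be checked against real output.
LIMIT_LOG_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d\.\d+) LIMIT LOG "
    r"(?P<src>\S+),(?P<sport>\S+) -> (?P<dst>\S+),(?P<dport>\S+) PR (?P<pr>\S+) "
    r"Type (?P<type>\d+) Cur Lim (?P<limit>\d+) Exceeded (?P<exceeded>\d+) "
    r"@(?P<group>\d+):(?P<rule>\d+) First Time (?P<first>\S+)$")


def addr_kind(spec: str) -> str:
    """A cumulative rule logs its whole address range; a wildcard logs as 0.0.0.0."""
    if spec == "0.0.0.0":
        return "any"
    return "range" if "-" in spec else "host"


def parse_limit_log(line: str) -> Optional[Dict[str, object]]:
    """Turn one LIMIT LOG record into typed fields, or None if the line is not one."""
    m = LIMIT_LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    for key in ("type", "limit", "exceeded", "group", "rule"):
        rec[key] = int(m[key])
    for key in ("sport", "dport"):          # "*" is a wildcard port taken from the rule
        rec[key] = None if m[key] == "*" else int(m[key])
    rec["src_kind"], rec["dst_kind"] = addr_kind(m["src"]), addr_kind(m["dst"])
    return rec


def exceeded_by_rule(lines: List[str]) -> Dict[Tuple[int, int], int]:
    """Sum Exceeded per @group:rule so the limits being hit hardest stand out."""
    totals: Counter = Counter()
    for rec in filter(None, map(parse_limit_log, lines)):
        totals[(rec["group"], rec["rule"])] += rec["exceeded"]
    return dict(totals)


SAMPLE_LOGS = [
    # the record from this manual, written for the "keep limit 1 cumulative" rule
    "06/02/2004 19:32:39.370000 LIMIT LOG 19.13.15.65-19.13.15.85,* -> 0.0.0.0,23 "
    "PR ip Type 4 Cur Lim 1 Exceeded 1 @0:1 First Time 19:32:35.800000",
    # two constructed records in the same shape (not taken from the manual)
    "06/02/2004 19:40:01.000000 LIMIT LOG 19.13.15.65-19.13.15.85,* -> 0.0.0.0,23 "
    "PR ip Type 4 Cur Lim 1 Exceeded 3 @0:1 First Time 19:39:50.000000",
    "06/02/2004 19:41:12.500000 LIMIT LOG 10.8.8.8,* -> 0.0.0.0,80 "
    "PR ip Type 4 Cur Lim 10 Exceeded 2 @0:2 First Time 19:41:00.000000",
]
```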
For further information, see “ipmon and DCA Logging” (page 91).
NOTE: HP recommends configuring a redundant rule (such as pass in all) in all DCA rule
files. IPFilter does not process packets without a rule.
To load DCA rules, use the ipf utility to read the new rules from a file:
ipf -f rules_file
To load IPv6 DCA rules, specify the -6 option:
ipf -6 -f rules_file
NOTE: When you load a ruleset, the new rules normally affect all matching packets immediately,
including packets for established connections. However, IPFilter creates state table entries for
packets matching DCA rules, and if the DCA rule is noncumulative, IPFilter continues to apply
the action in the state table for subsequent packets that match the state table entry until the state
table entry times out or is deleted.
To force a new rule to take effect immediately, follow the procedures described in “Updating
keep limit Rules” (page 57). Alternately, use the following procedure to modify an inactive rules
file and switch it with the active rules file:
1. Enter the following command to add or modify rules in an inactive rules file:
ipf [-6] -If rules_file
2. Run the following command to switch the active rules file with the inactive rules file you
modified:
ipf [-6] -s
When you modify an inactive rules file, then switch it with an active rules file, DCA processes
new connections according to the new rules file whether or not there are existing connection
limit entries in the limit table.
TIP: For performance-critical applications, HP recommends that you load rules into the inactive
list, then switch the inactive rules file with the active rules file.
NOTE: When there are no keep limit rules and no connection allocation configured, HP
recommends that you disable DCA.
NOTE: NAT rules are not supported with IPv6 addresses or interfaces.
6.1.1 Format
Entries in IPFilter rule files must meet the following requirements:
• Each rule must be contained on one line. Line continuation characters are not supported.
• IPFilter interprets all text to the right of a number symbol (#) as a comment.
• Extra white space is allowed and encouraged to keep the rules readable.
NOTE: The selection algorithm that IPFilter uses for NAT rules (use the first matching rule) is
the opposite of the default selection algorithm it uses for filter rules (use the last matching rule).
NOTE: The maximum number of concurrent NAT connections IPFilter supports is 16,383.
6.3.1 Examples
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the
address 20.20.20.1 and transmits the packets using the lan0 interface:
map lan0 192.168.1.0/24 -> 20.20.20.1/32
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the
current IP address for the lan0 interface, then transmits them using lan0:
map lan0 192.168.1.0/24 -> 0/32
6.4.3 Using the rdr and round-robin Keywords for Load Balancing
You can use the rdr keyword with the round-robin keyword to implement load-balancing
systems and redirect traffic to multiple addresses. Separate the target addresses with a comma.
For example:
rdr lan0 20.20.20.5/32 port 80 -> 192.168.0.5,192.168.0.6 port 8000 round-robin
You can specify only two target addresses in each round-robin rule, but you can configure
two rdr rules for the same interface, for a total of four target addresses. IPFilter will load balance
the packets equally between all four target addresses. For example:
rdr lan0 0.0.0.0 -> 192.168.0.1,192.168.0.2 round-robin
rdr lan0 0.0.0.0 -> 192.168.0.3,192.168.0.4 round-robin
6.4.5.1 Syntax
l4check -f <config file>
6.4.5.2 Options
-n Stops action. No NAT rules are added or deleted.
-v Turns on verbose output.
IMPORTANT: Pools defined in the configuration file must have an associated role. The only
supported role is ipf.
For more information and examples, see the ippool(4) manpage.
7.3.2 Examples
The following example creates an address pool using the tree storage format that is referenced
in the IPF rule which allows packets from this pool.
table role = ipf type = tree name = mypool
{ 10.1.1.41/32; 10.1.1.42/32; 192.168.1.0/24; }
8 Tips for Securing Your System
This chapter describes specific configuration procedures for HP-UX IPFilter. It contains concepts
for basic and advanced firewall design using HP-UX IPFilter features.
It contains the following sections:
• “Blocking Services by Port Number and Protocol” (page 75)
• “Creating a Complete Filter by Interface” (page 76)
• “Combining IP Address and Network Interface Filtering” (page 76)
• “Using Bidirectional Filtering” (page 77)
• “Using HP-UX IPFilter with End System Security Features” (page 77)
NOTE: Most of the information in this chapter has been derived from the IP Filter-based
Firewalls HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this
document at http://www.obfuscation.org/ipf/.
NOTE: You must use the quick keyword in the pass rules so that IPFilter stops processing
rules after it finds a rule that matches a packet. Specifying quick enables you to configure
the most specific rules first, then the less specific rules.
NOTE: When setting up your ruleset, be sure that you add rules for all appropriate directions
and interfaces.
NOTE: The in and out directions refer to the IPFilter system only.
9.1 Viewing IPFilter Statistics and Active Rules with ipfstat
The ipfstat utility displays IPFilter statistics, including how many packets have been passed
or blocked, whether the packets were logged or not, how many state entries have been made,
and DCA statistics. You can also use options with ipfstat to display active rules.
9.1.1 Syntax
ipfstat [-options]
9.1.2 Options
For a complete list of ipfstat options, see the ipfstat manpage. If you do not specify any options,
ipfstat displays total packet counts for all rules and general statistics.
-6 Shows the output for IPv6 rules. This option is valid only with the following
options, and must be specified before the other options:
• -i
• -o
• -h
• -r
• -vL
If you do not specify the -6 option, these commands show the output for
IPv4 rules only.
For example, to list the active inbound and outbound (-io) IPv6 rules, use
the following command:
ipfstat -6 -io
-i Displays the active rules for inbound packets. If you specify this option
with the -6 option, ipfstat displays the IPv6 rules; if you specify this
option without the -6 option, it displays the IPv4 rules.
-o Displays the active rules for outbound packets. If you specify this option
with the -6 option, ipfstat displays the IPv6 rules; if you specify this
option without the -6 option, it displays the IPv4 rules.
-h Displays the active rules and the number of matching packets (hit count)
for each rule. Use with the -i or -o options.
-s Displays state table statistics.
-sl Displays detailed state table statistics.
-n When used with the -i or -o options, it displays the rules, preceded by
group number and rule number in the format
@group_number:rule_number.
-L Displays global limit statistics.
-Lv Displays detailed (verbose) global limit statistics. If you specify this option
with the -6 option, ipfstat displays the IPv6 rule statistics; if you specify
this option without the -6 option, it displays the IPv4 rule statistics.
-Q Displays the interfaces protected by IPFilter. Interfaces not supported by
IPFilter are not displayed. This option is supported for HP-UX 11i v3 only.
For a list of interface types supported by IPFilter, see “Supported and
Unsupported Interfaces” (page 128).
-r group:rule Displays the limit statistic by rule number. If you specify this option with
the -6 option, ipfstat displays the IPv6 rule; if you specify this option
without the -6 option, it displays the IPv4 rule.
NOTE: Statistics counters cannot increment when both active in and out
rulesets are empty. This is due to a performance optimization that bypasses
IPFilter when there are no active rulesets present.
9.1.3 Examples
# ipfstat
dropped packets: in 0 out 0
non-data packets: in 0 out 0
no-data packets: in 0 out 0
non-ip packets: in 0 out 0
bad packets: in 0 out 0
copied messages: in 0 out 0
input packets: blocked 15 passed 2647 nomatch 2537 counted 0
short 0
output packets: blocked 0 passed 245 nomatch 141 counted 0
short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
TCP connections: in 5 out 50
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 5 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 14 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
The TCP Connections statistics are derived from the number of states added and are accurate
only when keep limit or keep state rules are used for all TCP connections.
For example, you have the following ruleset:
pass in log limit freq 500 quick proto tcp from any to any port = 80 keep limit 100
pass in log quick proto tcp from any to any port = 25 flags S keep state
pass in log quick proto tcp from any to any port = 23
pass out log quick proto tcp from any port = 23 to any
These rules only count connections that match the first two rules. Both the third and fourth rule
allow telnet connections but telnet connections are not counted, since the system is not
keeping state on these connections.
Example:
# ipfstat -ho
2451423 pass out on lan0 from any to any
354727 block out on ppp0 from any to any
430918 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
This status report shows that the ruleset may not be working as intended. Many outbound packets
are being blocked despite a pass out rule configured to pass most outbound packets.
ipfstat cannot indicate whether a ruleset is configured correctly. It can only display what is
happening at the present time with a given ruleset.
281458 TCP
319349 UDP
0 ICMP
19780145 hits
5723648 misses
0 maximum
0 no memory
0 bkts in use
1 active
319349 expired
281419 closed
A TCP connection has one state entry. One fully established connection is represented by the 4/4
state. Other states are incomplete and will be documented later. The state entry has a lifetime
of 24 hours, which is the default for an established TCP connection. The time-to-live (TTL) counter
is decremented every second that the state entry is not used and will result in the connection
being purged if it is left idle.
The TTL counter is reset to 86400 whenever the state is used, ensuring the entry will not time
out while it is being actively used. 196 packets consisting of about 17KB worth of data have been
passed over this connection. The ports for the endpoints are 987 and 22; this state entry represents
a connection from 100.100.100.1 port 987 to 20.20.20.1 port 22. The numbers in the second line
are the TCP sequence numbers for this connection. These numbers help ensure that an attacker
cannot insert a forged packet into your session. The TCP window is also shown. The third line
is a synopsis of the implicit rule generated by the keep state code showing that this is an
inbound connection.
The ipfstat -sl option is often used in place of ipfstat -s to show held state information
in the kernel, if present. The ipfstat -sl gives detailed information for each state entry that
is active.
The following is an example of the output information of the ipfstat -sl option:
# ipfstat -sl
15.13.106.175 -> 15.13.137.135 ttl 872678 pass 0x500a pr 6 state 4/4
pkts 31 bytes 1564 57906 -> 23 22c0861c:712c2bd9 32768:32768
cmsk 0000 smsk 0000 isc 0000000000000000 s0 22c085e0/712c2b7f
sbuf[0] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0] sbuf[1] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in lan0[00000000480baf00] out -[0000000000000000]
The following is an example of the output information of the ipfstat -io option.
# ipfstat -io
empty list for ipfilter(out)
1 pass in quick proto tcp from 15.13.106.175/32 to any keep state
The following is an example of the output information of the ipfstat -L option.
Current connections to limited IP addresses
Connection Type Active Limits
Individual 2
No Memory 0
Logged Records 13
Log Failures 0
Limits Added 13
Add Failures 0
• The first six lines display the number of current active connections of each described type.
• No Memory is the number of times a limit entry could not be created because no memory
was available. If this is a non-zero, positive value, then the system memory should be checked
and, if necessary, increased.
• Logged Records is the number of limit entries logged, both summary and alert log records.
• Log Failures is the number of times log entries have not been logged. A non-zero, positive
value for Log Failures indicates that the size of the kernel log buffer is small. The kernel
log buffer ipl_buff_sz should be set to an appropriate value.
• Limits Added is the number of limit entries that have been added.
• Add Failures is the number of times a limit entry could not be created. This happens
when a state entry is not added. The output of ipfstat -s should be used to further
diagnose the problem.
These statistics are cumulative. They are automatically reset to zero when the ipf module is
unloaded and loaded again.
See Appendix C (page 143) for more information on setting the size of the state table, limit table,
and log buffer.
The following is an example of the output information of the ipfstat -vL option:
Type Rule Src IP Src Port Dest IP Dest Port Limit Current
S @0:3 10.39.1.2 * 10.133.1.5 80 50000 951 (0)
S @0:1 10.2.1.2 * 10.129.1.5 80 50000 942 (0)
U @0:1000 10.30.1.2 * 10.130.1.5 80 10 10(102)
U @0:1000 10.30.1.3 * 10.130.1.5 80 10 9 (501)
U @0:1000 10.30.1.4 * 10.130.1.5 80 10 10(100)
U @0:1000 10.30.1.5 * 10.130.1.5 80 10 10(118)
U @0:1000 10.30.1.6 * 10.130.1.5 80 10 10(196)
U @0:1000 10.30.1.7 * 10.130.1.5 80 10 10(198)
U @0:1000 10.30.1.8 * 10.130.1.5 80 10 10(104)
U @0:1000 10.30.1.0 * 10.130.1.5 80 10 10(111)
U @0:1000 10.49.1.2 * 10.131.1.5 80 10 10 (55)
U @0:1000 10.49.1.3 * 10.131.1.5 80 10 10 (53)
U @0:1000 10.49.1.4 * 10.131.1.5 80 10 10(102)
U @0:1000 10.49.1.5 * 10.131.1.5 80 10 9 (52)
U @0:1000 10.49.1.6 * 10.131.1.5 80 10 9 (52)
U @0:1000 10.49.1.7 * 10.131.1.5 80 10 10(103)
U @0:1000 10.49.1.8 * 10.131.1.5 80 10 10(120)
U @0:1000 10.49.1.9 * 10.131.1.5 80 10 10(50)
S @0:1000 10.40.1.2 * 10.134.1.5 80 50000 943(0)
U @0:1000 10.46.1.2 * 10.128.1.5 80 10 10 (49)
U @0:1000 10.46.1.3 * 10.128.1.5 80 10 10 (41)
• The Type column displays the type of limit being kept:
I—Fully resolved individual IP
S—IP subnet
C—Cumulative
U—Unknown IP
9.2.1 Syntax
ipftest [-6] -r ruleset_filename [-i input_filename]
9.2.2 Options
-6 Specifies that the rules tested are IPv6 filter rules.
-r ruleset_filename Specifies the file from which to read rules.
-i input_filename Specifies the file that contains packet descriptors. The default is
stdin.
Each packet descriptor must be contained on one line. By default,
the format for each packet descriptor is as follows:
in|out [on interface] [protocol] src_host[,src_port] dest_host[,dest_port] [flags]
Where:
interface Specifies the interface name, such as lan0.
protocol Specifies the protocol name. Valid values are:
tcp
udp
icmp
icmpv6
src_host Specifies the source IP address or host name.
src_port Specifies the source TCP or UDP port number. You
must specify src_port if you specified the
protocol tcp or udp.
dest_host Specifies the destination IP address or host name.
dest_port Specifies the destination TCP or UDP port number.
You must specify dest_port if you specified the
protocol tcp or udp.
flags Specifies TCP flags as a sequence of one or more
characters that indicate TCP flags. This parameter
is valid only if you specified the protocol tcp. The
valid characters are:
A (ACK - Acknowledgement)
F (FIN - No more data)
P (PUSH - Push function)
R (RST - Reset the connection)
S (SYN - Synchronize sequence numbers)
U (URG - Urgent)
9.2.3 Example
The following ruleset is used for this example:
block in all
pass in from 10.1.84.195 to any
The input file contains the following packet descriptors:
in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000
in on lan1 udp 10.1.84.195,16000 10.1.85.196,16000
in on lan0 udp 10.1.84.195,16000 10.1.80.196,16000
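The following added example (not part of the manual or of ipftest itself) implements the matching model that ipftest exercises: the last matching rule decides unless a matching rule is marked quick, and packet descriptors use the format given above. It covers only the rule subset shown on this page (all/from/to, on, proto, port comparisons including the 15000 >< 15501 range form used later for passive FTP, and flags), assumes hosts are written as IP addresses or networks rather than names, and is run against the manual's ruleset and descriptors plus a few constructed packets.

```python
"""Evaluator for the IPFilter rule subset used in the ipftest example.

Added example, not part of the HP-UX manual or of ipftest. It models IPFilter's
last-matching-rule semantics and the quick modifier, and reads ipftest packet
descriptors: in|out [on interface] [protocol] src[,sport] dst[,dport] [flags]
Assumption: hosts are IP addresses or CIDR networks, not resolvable names.
"""
import ipaddress
import re

ALL_FLAGS = set("AFPRSU")


def _port_pat(prefix):
    # Optional "port = N" / "port > N" / "port < N", or the exclusive range "port LO >< HI"
    return (r"(?:\s+port\s+(?:(?P<%sop>[=<>])\s*(?P<%sp1>\d+)"
            r"|(?P<%slo>\d+)\s*><\s*(?P<%shi>\d+)))?" % ((prefix,) * 4))


RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)(?:\s+log)?(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\w+))?(?:\s+proto\s+(?P<proto>\w+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)" + _port_pat("s") +
    r"\s+to\s+(?P<dst>\S+)" + _port_pat("d") + r")"
    r"(?:\s+flags\s+(?P<flags>[AFPRSU]+)(?:/(?P<mask>[AFPRSU]+))?)?"
    r"(?:\s+keep\s+state)?\s*$")

PKT_RE = re.compile(
    r"^(?P<dir>in|out)(?:\s+on\s+(?P<iface>\w+))?"
    r"(?:\s+(?P<proto>icmpv6|icmp|tcp|udp))?"
    r"\s+(?P<src>[^\s,]+)(?:,(?P<sport>\d+))?"
    r"\s+(?P<dst>[^\s,]+)(?:,(?P<dport>\d+))?"
    r"(?:\s+(?P<flags>[AFPRSU]+))?\s*$")


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    return m.groupdict()


def parse_packet(line):
    m = PKT_RE.match(line.strip())
    if not m:
        raise ValueError("bad packet descriptor: %r" % line)
    return m.groupdict()


def _addr_match(spec, addr):
    if spec is None or spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(rule, prefix, port):
    op, p1, lo, hi = (rule[prefix + k] for k in ("op", "p1", "lo", "hi"))
    if op is None and lo is None:
        return True            # the rule does not constrain this port
    if port is None:
        return False           # the rule needs a port but the packet carries none
    port = int(port)
    if lo is not None:         # "port LO >< HI" matches strictly between LO and HI
        return int(lo) < port < int(hi)
    return {"=": port == int(p1), ">": port > int(p1), "<": port < int(p1)}[op]


def _flags_match(rule, pkt_flags):
    if rule["flags"] is None:
        return True
    # "flags S/SA": of the flags named in the mask, exactly those listed must be set.
    # Without an explicit mask this example compares all six flags.
    mask = set(rule["mask"]) if rule["mask"] else ALL_FLAGS
    return (set(pkt_flags or "") & mask) == set(rule["flags"])


def rule_matches(rule, pkt):
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["flags"] and pkt["proto"] != "tcp":
        return False           # flags are only meaningful for TCP
    return (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])
            and _port_match(rule, "s", pkt["sport"]) and _port_match(rule, "d", pkt["dport"])
            and _flags_match(rule, pkt["flags"]))


def evaluate(rules, pkt):
    """Last matching rule decides; a matching quick rule ends the search at once.
    IPFilter passes a packet that matches no rule at all."""
    verdict = "pass"
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def run(ruleset_text, packets_text):
    rules = [parse_rule(l) for l in ruleset_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return [evaluate(rules, parse_packet(l)) for l in packets_text.splitlines() if l.strip()]


# Ruleset and packet descriptors taken from the manual's ipftest example
MANUAL_RULES = "block in all\npass in from 10.1.84.195 to any\n"
MANUAL_PACKETS = """\
in on lan0 udp 10.1.84.195,16000 10.1.84.196,16000
in on lan1 udp 10.1.84.195,16000 10.1.85.196,16000
in on lan0 udp 10.1.84.195,16000 10.1.80.196,16000
"""
# Constructed (not from the manual): a passive-FTP style data-port rule and
# packets from a host the manual's ruleset does not mention.
EXTRA_RULES = """\
block in all
pass in quick proto tcp from any port > 1023 to 10.1.84.196 port 15000 >< 15501 flags S keep state
"""
EXTRA_PACKETS = """\
in on lan0 udp 10.1.84.200,16000 10.1.84.196,16000
in on lan0 tcp 10.1.84.200,40000 10.1.84.196,15001 S
in on lan0 tcp 10.1.84.200,40000 10.1.84.196,15501 S
in on lan0 tcp 10.1.84.200,40000 10.1.84.196,15001 SA
"""
```

`run(MANUAL_RULES, MANUAL_PACKETS)` passes all three descriptors, as in the manual's example, while the constructed set shows the range bound 15501 and a SYN-ACK being rejected by the same pass rule.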
Example:
block in log level auth.info quick on lan0 from 20.20.20.0/24 to any
block in log level auth.alert quick on lan0 proto tcp from any to 20.20.20.0/24 port = 21
9.3.1.2 first
You can use the first option with the log keyword to log only the first instance of a certain
type of packet. For example, it might not be important to log 500 attempts to probe your telnet
port from one source. It is a good idea to log the first attempt, however.
9.3.1.3 body
You can use the body option with the log keyword to track parts of an IP packet in addition to
the packet header information. IPFilter logs the first 128 bytes of a packet if the body option is
specified. For example:
block in log body proto tcp from 192.168.1.1 to any flags S keep state
NOTE: Using the body option with the log keyword can make your log files very long. Limit
the use of the body option to necessary instances.
9.3.2.1 Syntax
ipmon -options
9.3.2.2 Options
-a Opens and reads data from all available log files.
Equivalent to -o NSI.
-o [NSI] Specifies which log file to read data from. Valid values are:
• N—NAT log file
• S—State log file
• I—IPFilter log file
-A Logs the summary records created for DCA logging.
-r Prints the summary records to the summary log file and
clears the block count for each limit entry.
-F Flushes the packet log buffer. Output displays the number
of bytes flushed.
-n Maps IP addresses and port numbers to host names and
services wherever possible.
-C <ipmon configuration file> Reads rules and actions from the configuration file.
For a complete list of ipmon options and their uses, see the ipmon manpage.
9.3.2.3 Examples
To view the state table as it updates, use the ipmon -o S command.
Example:
# ipmon -o S
A state entry for an external DNS request to the nameserver is displayed by ipmon. Two xntp
pings to well-known time servers and a short outbound SSH connection are also displayed.
You can also use ipmon to display packets that have been logged.
To view the IPFilter packet log, use the ipmon -o I command.
Example:
# ipmon -o I
12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0
This is an ICMP router discovery broadcast packet, indicated by the ICMP type 9/0.
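As an added example (not from the manual or from ipmon), the following parser reads ipmon -o I records in the layout shown above and summarises them per source and per rule, which is the view to have before deciding whether a source is repeating the same probe and the first option on the log keyword is warranted. The lines other than the manual's record are constructed for illustration, and the action letters are decoded as ipmon prints them.

```python
"""Parse ipmon -o I packet log records and summarise them per source and rule.

Added example, not part of the HP-UX manual or of ipmon. Record layout, as in
the manual's sample line:
  12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0
i.e. time, interface, @group:rule, action letter, src[,port] -> dst[,port],
PR protocol, len <header length> <packet length>, then protocol-specific detail.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+(?P<src>[^\s,]+)(?:,(?P<sport>\w+))?\s+->\s+"
    r"(?P<dst>[^\s,]+)(?:,(?P<dport>\w+))?\s+PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<detail>.*\S))?\s*$")
ICMP_RE = re.compile(r"icmp\s+(\d+)/(\d+)")
# Action letters as printed by ipmon: S short packet, b blocked, p passed, L log rule
ACTIONS = {"S": "short", "b": "block", "p": "pass", "L": "log"}


def parse_line(line):
    """Return a dict for one record, or None if the line is not an ipmon record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["action_name"] = ACTIONS.get(rec["action"], "unknown")
    rec["group"], rec["rule"] = int(rec["group"]), int(rec["rule"])
    rec["hlen"], rec["plen"] = int(rec["hlen"]), int(rec["plen"])
    icmp = ICMP_RE.search(rec["detail"] or "")
    rec["icmp_type"], rec["icmp_code"] = (
        (int(icmp.group(1)), int(icmp.group(2))) if icmp else (None, None))
    return rec


def summarize(lines):
    """Count records per (action, source) and per (rule, protocol, destination port)."""
    by_src, by_rule = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_src[(rec["action_name"], rec["src"])] += 1
        by_rule[("@%d:%d" % (rec["group"], rec["rule"]), rec["proto"], rec["dport"])] += 1
    return by_src, by_rule


def repeated_blocks(lines, threshold):
    """Sources blocked at least `threshold` times: candidates for the manual's
    'log first' option, which logs only the first instance of such repeats."""
    by_src, _ = summarize(lines)
    return sorted(src for (action, src), n in by_src.items()
                  if action == "block" and n >= threshold)


SAMPLE_LOG = [
    # Record shown in the manual:
    "12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0",
    # Constructed records (not from the manual) in the same layout:
    "12:46:13.100211 lan0 @0:2 b 20.20.20.77,41022 -> 20.20.20.1,23 PR tcp len 20 60 -S IN",
    "12:46:13.400877 lan0 @0:2 b 20.20.20.77,41023 -> 20.20.20.1,23 PR tcp len 20 60 -S IN",
    "12:46:14.002310 lan0 @0:2 b 20.20.20.77,41024 -> 20.20.20.1,23 PR tcp len 20 60 -S IN",
    "12:46:15.731004 lan0 @0:5 p 20.20.20.9,53120 -> 20.20.20.1,22 PR tcp len 20 60 -S IN",
    "a line that is not an ipmon record",
]
```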
9.3.3.1 Syntax
ipmon -C <ipmon.conf file>
NOTE: If you are using /etc/opt/ipf/ipf.conf as your rules file, then IPFilter will
load it at boot time. The IPFilter startup script /sbin/init.d/ipfboot:
— Loads the IPFilter module.
— Starts the logging daemon, ipmon.
— Loads any uncommented rules in the /etc/opt/ipf/ipf.conf file.
— Loads any uncommented rules in the /etc/opt/ipf/ipf6.conf if IPv6 is enabled
on the system.
If your rules file blocks packets for network services so that the last effective rule amounts to “block
in all,” the boot sequence might not complete; this can happen, for example, when sendmail, SNMP,
and NIS are configured on the system.
• Nothing is logged.
Verify the following:
ipf -V should show the logging file as available.
ps -ef|grep ipmon to verify that ipmon is running. ipmon is started during bootup. If it
is not running, start it by using:
ipmon -sD
The -s option specifies that the log records go to /var/adm/syslog/syslog.log and
the -D option directs ipmon to run as a daemon in the background.
• Errors occur when loading rules.
# ipf -f rule_file
ioctl (add/insert rule); File Exists
This occurs when you try to add a rule that is already loaded. Use the following command
to load rules:
ipf -Fa -f rulefile
The -Fa option will flush any previous rules present and all rules will be reloaded.
In addition, you can use ipftest to test a set of filter rules without having to put them in
place. See the ipftest(1) manpage for more information on this tool.
• IPFilter rules changed after using Bastille/Install-Time-Security level.
If you configure an IPFilter ruleset using the Install-Time-Security level, or use HP-UX Bastille
interactively to reconfigure IPFilter rules, existing rules are overwritten. This changes
IPFilter behavior.
To reinsert your rules into the Bastille-configured firewall rules, edit /etc/opt/sec_mgmt/
bastille/ipf.customrules and run bastille -b -f config_file. Alternatively,
to remove all of the security hardening performed by Bastille, including the firewall
configuration, run bastille -r. For more information, see the Bastille documentation.
NOTE: Most of the information in this chapter has been derived from the IP Filter-based
Firewalls HOWTO document written by Brendan Conoby and Erik Fichtner. You can find this
document at http://www.obfuscation.org/ipf/.
10.1.1 Syntax
ipf -options [-f rules_file_name]
10.1.2 Options
The following are a few of the common options used with the ipf utility:
-6 Apply the action to the IPv6 filter ruleset or rulesets, or IPv6
processing. To use this option, insert it immediately after the ipf
command and before any other options.
If you do not specify the -6 option, IPFilter applies the option to the
IPv4 ruleset or rulesets, or IPv4 processing.
NOTE: All ipf actions are performed on the active rules file by default. To perform actions on
the inactive rules file, you must specify the -I option.
For a complete list of ipf options and their uses, see the ipf(5) and ipf(8) manpages.
10.1.3 Example
Enter the following command to load a ruleset:
ipf -Fa -f rules_file
10.2.1 Syntax
ipnat -options full_path_name
10.2.2 Options
-f Reads rules from a specified rules file.
-l Lists NAT rules and active mappings.
-C Deletes the current ruleset.
-F Flushes active mappings.
-r Removes rules from the NAT rules file.
10.2.3 Example
Enter the following command:
ipnat -CF -f /etc/opt/ipf/ipnat.conf
This command flushes any existing NAT rules and removes any active mappings, then loads
the NAT rules in the ipnat.conf file.
10.3.1 Syntax
/opt/ipf/bin/ipfilter -d|e|q|l|ei|di
10.3.2 Options
-e Enables the HP-UX IPFilter module.
-d Disables the HP-UX IPFilter module.
-q Queries the HP-UX IPFilter module and displays whether it is enabled or disabled.
-l Lists the interfaces and shows which are protected or unprotected by IPFilter.
-ei Enables IPFilter in interactive mode.
-di Disables IPFilter in interactive mode.
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network
connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX IPFilter
when critical network applications are running.
Disabling or enabling IPFilter briefly brings down all IP interfaces, then brings up only
the IP interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/
netconf-ipv6 files. IP addresses not configured in the netconf or netconf-ipv6 file, such
as Serviceguard relocatable IP addresses, are not re-enabled.
Enabling or disabling IPFilter causes the system to briefly lose network connectivity. If a system
has several IP interfaces or there is heavy network traffic, the time required to re-establish network
connectivity might be interpreted as a network or card failure. For example, Serviceguard might
interpret a network interruption as a card failure, which can cause it to reform the cluster.
NOTE: The state of HP-UX IPFilter (enabled or disabled) remains the same after the system
reboots. After you have enabled HP-UX IPFilter, there is no need to disable it or re-enable it for
normal operation.
10.3.3 Example
Because enabling HP-UX IPFilter brings down all the network interface cards and then brings
them back up, HP recommends that you query the current IPFilter state using the ipfilter
-q command to verify that you need to enable it.
# /opt/ipf/bin/ipfilter -q
# /opt/ipf/bin/ipfilter -e
10.4.1 Syntax
ippool -options
11.1 Filtering ICMPv4 Packets by Type and Code (icmp-type and code)
You can filter specific types of ICMPv4 (ICMP) traffic using the icmp-type and code keywords.
These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service
(DoS) attacks, but must allow certain types of ICMP messages in and out of your system.
You must specify proto icmp to use the icmp-type and code keywords. A simplified rule
syntax is as follows:
block|pass in|out [processing_options] proto icmp ip_selector icmp-type
type [code code_value]
where:
processing_options is one or more processing options, such as quick. See “Processing
Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces” (page 31).
ip_selector is the IP address specification, as defined in “Basic Rule Syntax: Specifying the
Action, Direction, Protocol, IP Addresses, and Ports” (page 28).
type is the ICMP type, either the name listed in Table 11-1, or the decimal value.
code_value is the decimal value for the ICMP code.
For example, if you want to specifically allow echo replies (ping replies) into your system,
configure the following rule:
pass in quick proto icmp from any to any icmp-type 0 code 0
Table 11-1 ICMP Type and Codes
Type  Code  icmp-type / icmp-code  Meaning
5           redir                  REDIRECT
            network
            host
The ICMP code names are valid with the return-icmp and return-icmp-as-dest keywords,
which send ICMP responses to blocked packets. See “return-icmp-as-dest: Responding to Blocked
UDP Packets” (page 39) for an example.
ip_ire_gw_probe    Values: 0 (disable), 1 (enable)    Default: 1
NOTE: If your topology matches the following conditions, your system might mark
gateways "down" and lose connectivity to remote systems through those gateways.
• The local system is an HP-UX 11i v1 system without patch PHNE_35351 or later installed,
or an HP-UX 11i v2 system without patch PHNE_35765 or later installed.
• The ip_ire_gw_probe feature is enabled (ip_ire_gw_probe is set to 1).
• IPFilter is configured to block ICMP echo requests and echo reply messages to or from the
gateways. This includes IPFilter configurations that block all messages from a subnet address
that matches the gateway addresses.
pass out quick proto icmp from any to 10.20.20.20 icmp-type echo
pass in quick proto icmp from 10.20.20.20 to any icmp-type echorep
ip_send_source_quench         Values: 0 (disable), 1 (enable)    Default: 1
ip_send_redirects             Values: 0 (disable), 1 (enable)    Default: 1
ip_respond_to_echo_broadcast  Values: 0 (disable), 1 (enable)    Default: 1
NOTE: You cannot configure ipf_icmp6_passthru in the ndd configuration file read at
system startup time (/etc/rc.config.d/nddconf). When the system starts up, the value for
ipf_icmp6_passthru is reset its default value (1).
12 HP-UX IPFilter and FTP
This chapter describes how to filter FTP services. It contains the following sections:
• “FTP Basics” (page 109)
• “WU-FTPD on HP-UX” (page 109)
• “Running an FTP Server” (page 110)
• “Running an FTP Client” (page 110)
CAUTION: NAT and FTP are incompatible. If you are using FTP on your IPFilter system, do
not use NAT rules.
On an FTP server using active FTP, configure IPFilter rules to allow control connections in and
data connections out.
For example:
pass in quick proto tcp from any port > 1023 to server-ip port = 21 flags S keep state
pass out quick proto tcp from any port = 20 to any port > 1023 flags S keep state
block in from any to any
block out from any to any
To use IPFilter to protect passive FTP sessions, you must limit the port range your system can
use for FTP access. For example, you can allocate ports 15001-15500 as FTP ports and only open
up that range of your firewall. In WU-FTPD, you use the passive ports directive in the
/etc/ftpaccess configuration file to designate the ports, as follows:
passive ports server_ip 15001 15500
See the ftpaccess(4) manpage for details on WU-FTPD configuration.
Configure the following IPFilter rules to let the passive FTP traffic pass:
pass in quick proto tcp from any port > 1023 to server_ip port = 21 flags S keep state
pass in quick proto tcp from any port > 1023 to server_ip port 15000 >< 15501 flags S keep state
block in from any to any
block out from any to any
To let an FTP client open an active FTP session, configure IPFilter rules to allow control
connections out and data connections in.
NOTE: FTP Proxy is not supported by HP. For a complete list of unsupported utilities and
commands, see “Unsupported Utilities” (page 128).
To let an FTP client open a passive FTP session, configure IPFilter to allow both the control and
data connections out.
Use the following ruleset for client-side, passive FTP:
pass out quick proto tcp from client_ip port > 1023 to any port = 21 flags S keep state
pass out quick proto tcp from client_ip port > 1023 to any port > 1023 flags S keep state
block in from any to any
block out from any to any
TIP: For stronger security, configure IPFilter to allow only active FTP connections from FTP
servers.
13.1 Introduction
The NFS service uses multiple daemons. The NFS daemon, nfsd, listens for requests on the
static (fixed) TCP and UDP port number 2049. By default, the auxiliary daemons used for the
NFS services—rpc.lockd (lockd), rpc.mountd (mountd), and rpc.statd (statd)—listen
for service requests on dynamic port numbers. These daemons use the Remote Procedure Call
(RPC) protocol and register their port numbers with the port mapper daemon (rpc.portmap,
or portmap) which uses the static port number 111. Clients send requests to the portmap daemon
to get the dynamic port number of the service they want to access.
There are two methods to use IPFilter to process packets for the NFS auxiliary daemons:
1. Configure NFS to use static port numbers for the auxiliary daemons. You can then create
IPFilter rules for these port numbers. See “Configuring NFS to Use Fixed Ports” (page 113).
2. Use the script /etc/opt/ipf/rpc.ipf to query the portmap daemon and update IPFilter
rules with the dynamic port numbers. You can use this procedure for any service that uses
the RPC portmap mechanism. See “Using the rpc.ipfboot Script to Update IPFilter Rules”
(page 114).
NOTE: The files and scripts used in this procedure serve as basic building blocks for use at
startup time. All files are installed in /etc/opt/ipf/rpc.ipf. The configuration files must
be present in the appropriate directories for the scripts to work correctly.
To use the /etc/opt/ipf/rpc.ipf/rpc.ipfboot script:
1. Copy the sample file to /etc/rc.config.d/rpc_ipfconf
cp rpc_ipfconf.sample /etc/rc.config.d/rpc_ipfconf
Edit the file as needed.
2. Create the rpc.ipf directory and change to that directory.
mkdir /etc/opt/ipf/rpc.ipf
cd /etc/opt/ipf/rpc.ipf
3. Create an empty RPC rules file.
touch /etc/opt/ipf/rpc.ipf/rpc.rules
4. Start the script configuration.
./rpc.ipfboot start
To incorporate the dynamic ports used by the RPC processes, the administrator must decide
the position from which the RPC rules are inserted by setting RPC_RULE_POSITION to the
desired value. For example:
RPC_RULE_POSITION=5
The RPC rules are then added from the 5th position onwards. If there are 10 RPC rules, they
are inserted at positions 5 to 14. The position must be chosen carefully: if there are only two
rules present, RPC_RULE_POSITION must be 1, 2, or 3 [RPC_RULE_POSITION <=
current_#_of_rules + 1]. The original rules file specified in /etc/rc.config.d/ipfconf,
which contains the other rules, is not modified.
IPFilter, which is below IPSec in the networking stack, filters network packets before they reach
IPSec. You can have both IPFilter and IPSec configured and running on a system without them
negatively affecting each other.
In Scenario One, you have IPFilter and IPSec on system A with IPFilter blocking packets from
system B and IPSec encrypting packets from system C. When a packet arrives at system A, IPFilter
checks to see if it is from system B, and, if so, blocks the packet. If not, the packet continues up
the stack to IPSec. IPSec checks to see if it is from system C. If so, the packet arrives encrypted.
No overlap is in the configurations of IPFilter and IPSec in this network topology, so there are
no conflicts in Scenario One.
CAUTION: HP-UX IPSec does not support NAT traversal. If you are using HP-UX IPFilter with
HP-UX IPSec, do not use NAT functionality. However, it is possible that IPFilter and NAT can
be used in network configurations containing other vendors’ IPSec products that do support
NAT traversal.
In Scenario Two, IPFilter on system A is configured to block UDP traffic, and you want all TCP
traffic to pass through. You also want all TCP traffic from system B on the network to be
encrypted. System A has IP address 10.10.10.10 and system B has IP address 15.15.15.15.
You configure IPSec on each system to encrypt packets between the two systems.
When TCP traffic is initiated from A to B or from B to A, IPSec first negotiates security parameters
using the IKE protocol (UDP port 500). You must configure IPFilter on system A to pass IKE
packets. To do so, add the following rules to your configuration:
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
block in proto UDP
block out proto UDP
These rules allow IKE packets to pass correctly.
NOTE: You must configure IPFilter to pass traffic both in and out on UDP port 500 for IPSec
to work properly. If IPFilter is used with IPSec requiring the NAT traversal function, UDP port
4500 must be set to pass for in and out traffic.
In Scenario Three, IPSec is configured to encrypt TCP traffic between system A and system B
and IPFilter is configured to block all TCP traffic with the following rules:
block in proto TCP
block out proto TCP
IPFilter never sees the TCP packets between system A and system B as packets with protocol
number 6. These packets are encrypted (or wrapped) inside packets that have protocol number 50.
A rule that blocks protocol number 6 therefore does not match them, and the protocol 50 packets
pass through. IPSec then unwraps the packet and decrypts the TCP data.
If the IPFilter configuration is so broad that it blocks protocol 50 or protocol 51 traffic, then IPSec
traffic will not get through.
In Scenario Four, IPSec is configured to encrypt TCP traffic between the two systems and IPFilter
is configured to block non-TCP traffic. IPFilter rules are also configured to let UDP/500 traffic
pass on system B.
# Allow IKE to/from system B
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Let in encrypted IPSec traffic
pass in quick proto 50 from 15.15.15.15 to 10.10.10.10
pass out quick proto 50 from 10.10.10.10 to 15.15.15.15
# Allow TCP traffic to/from anywhere
pass in quick proto TCP
pass out quick proto TCP
# Block all other traffic to/from anywhere
block in from any to any
block out from any to any
CAUTION: HP recommends that you enable or disable IPFilter when interrupting network
connectivity is not disruptive. HP recommends that you do not enable or disable HP-UX IPFilter
when critical network applications are running.
Disabling or enabling IPFilter briefly brings down all IP interfaces, then brings up only
the IP interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/
netconf-ipv6 files. IP addresses not configured in the netconf or netconf-ipv6 file, such
as Serviceguard relocatable IP addresses, are not re-enabled.
Enabling or disabling IPFilter causes the system to briefly lose network connectivity. If a system
has several IP interfaces or there is heavy network traffic, the time required to re-establish network
connectivity might be interpreted as a network or card failure. For example, Serviceguard might
interpret a network interruption as a card failure, which can cause it to reform the cluster.
NOTE: See the Serviceguard documentation for information on configuring a local failover
system in Serviceguard.
IPFilter local failover is transparent to users. Network sessions are not disrupted during failover
or failback.
You do not need to configure any additional rules in IPFilter. When an interface fails over, the
HP-UX IPFilter rules that specify interface names are automatically changed.
For example, a node in a Serviceguard cluster has a primary interface named lan0 and a standby
interface named lan1. The following rule is configured for lan0:
pass in on lan0 proto tcp from any to any port = telnet
Upon failover, the rule is automatically modified to:
pass in on lan1 proto tcp from any to any port = telnet
The rule will be changed back automatically on failback.
NOTE: This list of HA services is not exhaustive. In addition, Serviceguard also uses dynamic
ports (typically in the 49152–65535 range) for some cluster services. If you have adjusted the
dynamic port range using kernel tunable parameters, alter your rules accordingly.
This list does not include all HA applications (such as Continental Cluster). New HA applications
might be developed that use port numbers in addition to those listed. You must add new
rules as appropriate to ensure that all HA applications run properly. The current list of ports
used by Serviceguard is documented in the Serviceguard Release Notes.
# Allow cmsnmpd to send and receive snmpGet, snmpSet between cluster nodes
pass in quick proto udp from cluster_nodes to cluster_nodes port = snmp keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = snmp keep state
If you are using package IP monitoring, configure the following rules:
CAUTION: For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with
IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces.
On HP-UX 11i v3 systems, you can use the ipfstat -Q command to list the IP interfaces that
are protected by IPFilter.
HP-UX A.11.xx.17 and HP-UX A.11.xx.16:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• 10 Gigabit Ethernet
• APA
• VLAN
• FDDI
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)
• X.25 (supported on HP-UX 11i v3 only)
HP-UX A.11.xx.15.01:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• FDDI
• Token Ring
• InfiniBand (supported on HP-UX 11i v2 only)
• X.25 (supported on HP-UX 11i v3 only)
Open source versions A.03.05.09, A.03.05.08, A.03.05.07, and A.03.05.06:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
• FDDI
• Token Ring
B.1 BASIC_1.FW
#!/sbin/ipf -f -
## SAMPLE: RESTRICTIVE FILTER RULES
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a
# firewall for the above connections.
#
#-------------------------------------------------------
# Block short packets which are packets fragmented too short to
# be real packets.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log all packets. This may result in
# too much information to be logged (especially for lan0)
# and needs to be further refined.
#
block in log on ppp0 all head 100
block in log proto tcp all flags S/SA head 101 group 100
block out log on ppp0 all head 150
block in log on lan0 from w.x.y.z/24 to any head 200
block in log proto tcp all flags S/SA head 201 group 200
block in log proto udp all head 202 group 200
block out log on lan0 all head 250
#-------------------------------------------------------
# Localhost packets.
# ==================
# Packets going in/out of network interfaces that aren’t on the
# loopback interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Allow outgoing DNS requests (no named on firewall)
#
pass in quick proto udp from any to any port = 53 keep state group 202
#
# If you are running named on the firewall and all internal
# hosts talk to it,use the following:
#
pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
#
# Allow outgoing FTP from any internal host to any external FTP server.
B.2 BASIC_2.FW
# SAMPLE: PERMISSIVE FILTER RULES
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a
# firewall for the above situation.
#
#-------------------------------------------------------
# Short packets which are packets fragmented too short to be
# real packets.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log all packets. This may result in
# too much information to be logged (especially for lan0) and
# the rules need to be further refined.
#
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on lan0 from w.x.y.z/24 to any head 200
block out log on lan0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
B.3 example.1
#
# block all incoming TCP packets on lan0 from host 10.1.1.1 to
# any destination.
#
block in on lan0 proto tcp from 10.1.1.1/32 to any
B.4 example.2
# block all outgoing TCP packets on lan0 from any host to port
# 23 of host 10.1.1.2
#
block out on lan0 proto tcp from any to 10.1.1.3/32 port = 23
B.5 example.3
# block all inbound packets.
#
block in from any to any
#
# allow a variety of individual hosts to send any type of IP
# packet to any other host.
#
pass in from 10.1.3.1/32 to any
pass in from 10.1.3.2/32 to any
pass in from 10.1.3.3/32 to any
pass in from 10.1.3.4/32 to any
pass in from 10.1.3.5/32 to any
pass in from 10.1.0.13/32 to any
pass in from 10.1.1.1/32 to any
B.6 example.4
#
# block all ICMP packets.
#
block in proto icmp from any to any
#
B.7 example.5
#
# test ruleset
#
# allow packets coming from foo to bar through.
#
pass in from 10.1.1.2 to 10.2.1.1
#
# allow any TCP packets from the same subnet as foo is on
# through to host 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets that are NOT from port 53 and are
# destined for localhost
#
pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block all ICMP unreachables.
#
block in proto icmp from any to any icmp-type unreach
#
# allow packets through that have a non-standard IP header
# length (ie there are IP options such as source-routing
# present).
#
pass in from any to any with ipopts
#
B.8 example.6
#
# block all TCP packets with only the SYN flag set (this is the
# first packet sent to establish a connection) out of the
# SYN-ACK pair.
#
block in proto tcp from any to any flags S/SA
B.10 example.8
#
# block all incoming TCP connections but send back a TCP-RST
# for ones to the ident port
#
block in proto tcp from any to any flags S/SA
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
#
# block all inbound UDP packets and send back an ICMP error.
#
block return-icmp in proto udp from any to any
B.11 example.9
# drop all packets without IP security options
#
block in all
pass in all with opt sec
#
# only allow packets in and out on lan0 which are top secret
#
block out on lan0 all
pass out on lan0 all with opt sec-class topsecret
block in on lan0 all
pass in on lan0 all with opt sec-class topsecret
B.12 example.10
#
# pass ack packets (ie established connection)
#
pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
#
# block incoming connection requests to my internal network
# from the internet.
#
block in on lan0 proto tcp from any to 10.1.0.0/16 flags S/SA
# block the replies:
block out on lan0 proto tcp from 10.1.0.0 to any flags SA/SA
B.13 example.11
#
# allow any TCP packets from the same subnet as foo is on
B.14 example.12
#
# get rid of all short IP fragments (too small for valid
# comparison)
#
block in proto tcp all with short
#
# drop and log any IP packets with options set in them.
#
block in log all with ipopts
#
# log packets with BOTH ssrr and lsrr set
#
log in all with opt lsrr,ssrr
#
# drop any source routing options
#
block in quick all with opt lsrr
block in quick all with opt ssrr
B.15 example.13
#
# log all short TCP packets to lan3, with 10.3.3.3 as the
# intended destination for the packet.
#
block in on lan0 to lan3:10.3.3.3 proto tcp all with short
#
# log all connection attempts for TCP
#
pass in on lan0 dup-to lan1:10.3.3.3 proto tcp all flags S/SA
#
# route all UDP packets through transparently.
#
pass in on lan0 proto udp all
#
# route all ICMP packets to network 10 out through lan1, to
B.16 example.sr
# log all inbound packets on lan0 which have IP options present
#
log in on lan0 from any to any with ipopts
# block any inbound packets on lan0 which are fragmented and
# "too short" to do any meaningful comparison on. This actually
# only applies to TCP packets which can be missing the
# flags/ports (depending on which part of the fragment you
# see).
#
block in log quick on lan0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag
# set and it had IP options present, this rule and the above
# would cause it to be logged twice).
#
log in on lan0 proto tcp from any to any flags S/SA
block in log on lan0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on lan0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined
# for these subnets.
#
block in on lan0 proto udp from any to 10.1.3.0/24
block in on lan0 proto udp from any to 10.1.1.0/24
block in on lan0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that
# are destined for these subnets.
#
block in on lan0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on lan0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on lan0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
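The ordering in example.sr only makes sense with the way IPFilter walks a ruleset: the last matching block/pass rule decides, a matching rule marked quick ends the search immediately, and a rule whose action is log records the packet without deciding anything. The Python below is an added illustration, not code from this manual or from the IPFilter distribution; it models only the keywords example.sr uses, and every packet it is fed is a constructed test input.

```python
import ipaddress


def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    """Parse one rule line into match criteria (only the keywords example.sr uses)."""
    toks = line.split()
    it = iter(toks[2:])
    r = {k: None for k in ("on", "proto", "src", "dst", "sport", "dport", "flags")}
    r.update(action=toks[0], direction=toks[1], quick=False, log=toks[0] == "log", opts=set())
    side = "src"
    for t in it:
        if t in ("quick", "log"):
            r[t] = True
        elif t in ("on", "proto", "flags"):
            r[t] = next(it)
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            r[side] = _net(next(it))
        elif t == "port":  # "port = N" only; it binds to the side of the preceding from/to
            next(it)
            r["sport" if side == "src" else "dport"] = int(next(it))
        elif t in ("ipopts", "short", "frag"):  # the option names that follow "with"
            r["opts"].add(t)
    return r


def matches(r, pkt):
    """True when every criterion of rule r holds for the packet dict."""
    if r["direction"] != pkt["dir"] or (r["on"] and r["on"] != pkt["iface"]):
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if any(r[s] is not None and pkt[s] not in r[s] for s in ("src", "dst")):
        return False
    if any(r[p] is not None and pkt[p] != r[p] for p in ("sport", "dport")):
        return False
    if any(not pkt[opt] for opt in r["opts"]):  # every "with" option must be present
        return False
    if r["flags"]:  # "S/SA": of the flags in the mask, exactly those before "/" are set
        want, mask = r["flags"].split("/")
        return all((f in pkt["flags"]) == (f in want) for f in mask)
    return True


def evaluate(rules, pkt):
    """Last matching block/pass rule wins unless a match says 'quick' (search stops). An
    action of 'log' logs at once without deciding; 'block log'/'pass log' log only as winner."""
    winner, logged = None, []
    for idx, r in enumerate(rules):
        if not matches(r, pkt):
            continue
        if r["action"] == "log":
            logged.append(idx)
            continue
        winner = idx
        if r["quick"]:
            break
    if winner is None:
        return "pass", logged  # no rule matched: IPFilter lets the packet through
    if rules[winner]["log"]:
        logged.append(winner)
    return rules[winner]["action"], logged


def packet(iface, proto, src, dst, dport=None, flags="", ipopts=False, short=False, frag=False):
    """Constructed inbound packet for the demonstration; nothing here parses real frames."""
    return {"dir": "in", "iface": iface, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "sport": None, "dport": dport, "flags": flags,
            "ipopts": ipopts, "short": short, "frag": frag}


RULES = [parse_rule(l) for l in """
log in on lan0 from any to any with ipopts
block in log quick on lan0 from any to any with short frag
log in on lan0 proto tcp from any to any flags S/SA
block in log on lan0 proto udp from any to any port = 2049
pass in quick from any to 10.1.3.2/32
block in quick on lan0 from any to any with ipopts
pass in from any to any
block in on lan0 proto udp from any to 10.1.3.0/24
""".strip().splitlines()]  # rules of example.sr above, in file order (index = position)
```

Feeding it a UDP datagram for port 2049 aimed at 10.1.3.2 shows the block log rule losing to the later quick pass, so nothing is logged, while a SYN with IP options to the same host is logged twice exactly as the comment in example.sr warns.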
B.17 firewall
#Configuring IP Filter for firewall usage.
=========================================
Run the perl script "mkfilters". This will generate a list of blocking rules which:
a) blocks all packets which might belong to an IP Spoofing attack;
b) blocks all packets with IP options;
c) blocks all packets which have a length which is too short for any legal packet;
pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
where
* "int-a" is the internal interface of the firewall. That is,
it is the closest to your internal network in terms of network
hops.
B.18 server
#
# For a network server, which has two interfaces, 128.1.40.1
# (lan0) and 128.1.2.1 (lan1), we want to block all IP spoofing
# attacks. lan1 is connected to the majority of the network,
# while lan0 is connected to a leaf subnet.
# We’re not concerned about filtering individual services
#
#
pass in quick on lan0 from 128.1.40.0/24 to any
block in log quick on lan0 from any to any
block in log quick on lan1 from 128.1.1.0/24 to any
pass in quick on lan1 from any to any
B.19 tcpstate
#
# Only allow TCP packets in/out of lan0 if there is an outgoing
# connection setup somewhere, waiting for it.
#
pass out quick on lan0 proto tcp from any to any flags S/SAFR keep state
block out on lan0 proto tcp all
block in on lan0 proto tcp all
#
# allow nameserver queries and replies to pass through, but no
# other UDP
#
B.20 BASIC.NAT
#!/sbin/ipnat -f -
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# lan0 - (internal) network interface, address w.x.y.z/32
#
# If only one valid IP address from the ISP, then use this
# rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> a.b.c.d/32
#
# If a different dialup IP address is assigned each time, then
# use this rule:
map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> 0/32
#
# If using a class C address space of valid IP addresses from
# an ISP, then use this rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> a.b.c.d/24
#
# If using a small number of PCs, use this rule:
#
map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.v/32 -> a.b.c.E/32
map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.u/32 -> a.b.c.F/32
map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.t/32 -> a.b.c.G/32
map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.s/32 -> a.b.c.H/32
map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.r/32 -> a.b.c.I/32
map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.q/32 -> a.b.c.J/32
map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.p/32 -> a.b.c.K/32
#
# For ftp to work using the internal ftp proxy, use the
# following rule:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
B.21 nat.eg
# map all tcp connections from 10.1.0.0/16 to 240.1.0.1,
# changing the source port number to something between
# 10,000 and 20,000 inclusive. For all other IP packets,
# allocate an IP# between 240.1.0.0 and 240.1.0.255,
# temporarily for each new user.
#
B.22 nat-setup
Configuring NAT on your network.
================================
To start setting up NAT, we need to define which is your
"internal" interface and which is your "external" interface.
The "internal" interface is the network adapter connected to
the network with private IP addresses which you need to change
for communicating on the Internet. The "external" interface is
configured with a valid internet address.
For example, your internal interface might have an IP address
of 10.1.1.1 and be connected to your ethernet, whilst your
external interface might be a PPP connection with an IP number
of 204.51.62.176.
Thus your network might look like this:
<Internal Network>
[pc] [pc]
| |
+-+---------+------+
|
[firewall]
|
|
Internet
<External Network>
Writing the map-rule.
---------------------
When you're connected to the Internet, you will either have a
block of IP addresses assigned to you, maybe several different
blocks, or you use a single IP address, i.e. with dialup PPP.
If you have a block of addresses assigned, these can be used to
create either a 1:1 mapping (if you have only a few internal IP
addresses) or N:1 mappings, where groups of internal addresses
map to a single IP address and unless you have enough Internet
addresses for a 1:1 mapping, you will want to do "portmapping"
for TCP and UDP port numbers.
For an N:1 situation, you might have:
map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.5/32
where if you had 16 addresses available, you could do:
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28
Or if you wanted to allocate subnets to each IP#, you might do:
map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32
map ppp0 10.1.2.0/24 -> 209.23.1.3/32
map ppp0 10.1.3.0/24 -> 209.23.1.4/32
*** NOTE: NAT rules are used on a first-match basis only!
Filtering with NAT.
-------------------
IP Filter will always translate addresses in a packet _BEFORE_
it checks its access list for inbound packets and translates
addresses _AFTER_ it has checked the access control lists for
outbound packets.
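The two points the text makes about map rules, that a portmap rule only handles TCP and UDP so a plain rule is needed behind it, and that rules are used on a first-match basis, are easy to get wrong. This Python model is an added illustration, not code from this manual or from ipnat; its allocator is a deliberately simple stand-in for ipnat's own, and the rules and addresses are the ones quoted above.

```python
import ipaddress


def parse_map(line):
    """Parse 'map IFACE INNER -> OUTER [portmap tcp/udp LO:HI]' (the forms used above)."""
    toks = line.split()
    if toks[0] != "map" or toks[3] != "->":
        raise ValueError(f"unsupported rule: {line}")
    r = {"iface": toks[1], "inner": ipaddress.ip_network(toks[2], strict=False),
         "outer": ipaddress.ip_network(toks[4], strict=False), "portmap": None}
    if len(toks) > 5 and toks[5] == "portmap":
        lo, hi = toks[7].split(":")
        r["portmap"] = (set(toks[6].split("/")), int(lo), int(hi))
    return r


def first_match(rules, iface, proto, src):
    """ipnat walks the map rules top-down and applies the FIRST one that matches."""
    src = ipaddress.ip_address(src)
    for idx, r in enumerate(rules):
        if r["iface"] != iface or src not in r["inner"]:
            continue
        if r["portmap"] and proto not in r["portmap"][0]:
            continue  # a 'portmap tcp/udp' rule does not match ICMP or other protocols
        return idx
    return None


class OutboundNat:
    """Toy translation table: a model for illustration, not ipnat's real allocator."""

    def __init__(self, rules):
        self.rules = rules
        self.next_port = {}  # rule index -> next unused port in its portmap range
        self.leases = {}     # (rule index, inner src) -> outer address handed out
        self.spare = {}      # rule index -> iterator over outer addresses not yet leased

    def translate(self, iface, proto, src):
        """Return (outer address, outer port or None) for a new outbound session, or
        None when no rule matches or the matching rule's address/port pool is used up."""
        idx = first_match(self.rules, iface, proto, src)
        if idx is None:
            return None
        r = self.rules[idx]
        if r["portmap"]:  # N:1 - inner hosts share one outer address, told apart by port
            _, lo, hi = r["portmap"]
            port = self.next_port.get(idx, lo)
            if port > hi:
                return None
            self.next_port[idx] = port + 1
            return str(r["outer"][0]), port
        if (idx, src) not in self.leases:  # no portmap: each inner host needs its own address
            addr = next(self.spare.setdefault(idx, iter(r["outer"])), None)
            if addr is None:
                return None
            self.leases[(idx, src)] = str(addr)
        return self.leases[(idx, src)], None


# The N:1 pair from the text: TCP/UDP is port-mapped, everything else falls through to rule 2.
RULES = [parse_map(l) for l in (
    "map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000",
    "map ppp0 10.1.0.0/16 -> 209.23.1.5/32",
)]

# First-match pitfall: the /16 rule placed first shadows the per-subnet /24 rule after it.
SHADOWED = [parse_map(l) for l in (
    "map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000",
    "map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000",
)]
```

With a single /32 behind the plain rule, only one inner host can get an untranslated-port (ICMP) mapping; the second is refused, which is the practical reason the text recommends portmapping unless you hold enough addresses for 1:1.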
B.23 ipmon.conf
match { logtag = 10000 }
do { execute "/usr/bin/mail -s 'logtag 10000' root" };
match { logtag = 2000, protocol = tcp }
do { execute "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
#
match { protocol = udp, result = block }
do { execute "/usr/bin/mail -s 'blocked udp' root" };
#
match { srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
do { execute "/usr/bin/mail -s 'from 10.1 to 192.168.1' root" };
#
match { rule = 12, logtag = 101, direction = in, result = block,
        protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
do { execute "run shell command" };
B.24 pool.conf
table role = ipf type = tree number = 100
{ 1.1.1.1/32; 2.2.0.0/16; 2.2.2.0/24; };
C.1 Overview
HP-UX IPFilter supports the following kernel tunable parameters:

Parameter          Description                                                    Default
fr_tcpidletimeout  The timeout period for TCP entries in the state table.        86,400 seconds
fr_statemax        Specifies the maximum number of state table entries that      800,000 entries
                   can be created.
ipl_buffer_sz      Size of the IPFilter logging buffer for /dev/ipl.             8192 bytes
ipl_suppress       If enabled (set to 1), IPFilter does not write identical      1 (enabled)
                   log records separately, but counts them as Nx, where N is
                   the number of times the log record occurs.
ipl_logall         If enabled (set to 1), IPFilter includes the entire packet    0 (disabled)
                   when the log body keywords are specified in a rule.
                   Otherwise, it includes only the first 128 bytes.
fr_tcptimewait     Used to set the TCP state entry age at system level after a   120 seconds
                   connection is closed. The value can be between 2 and 120
                   seconds. This is supported only on 11.31. It is modified
                   using the kctune command.
frnat_tcptimewait  Used to set the TCP NAT entry age at system level after a     120 seconds
                   connection is closed. The value can be between 2 and 120
                   seconds. This is supported only on 11.31. It is modified
                   using the kctune command.
The following sections provide information about the remaining kernel tunable parameters and
how to use the kctune, kmtune, and ndd commands to configure these parameters.
fr_tcpidletimeout
    Range:   HP-UX 11i v1: 300 - 86,400 seconds; HP-UX 11i v2 and HP-UX 11i v3: 240 - 86,400 seconds
    Default: 86,400 seconds (24 hours)
    Command: HP-UX 11i v1: kmtune; HP-UX 11i v2 and HP-UX 11i v3: kctune
C.3 fr_statemax
The fr_statemax parameter specifies the maximum number of entries in the IPFilter state
table.
fr_statemax
    Range:   4,000 - 1,600,000 entries
    Default: 800,000 entries
    Command: HP-UX 11i v1: kmtune; HP-UX 11i v2 and HP-UX 11i v3: kctune
IPFilter allocates state table entries for packets using stateful (keep state) and Dynamic
Connection Allocation (keep limit) rules. IPFilter also maintains a limit table to count the
state table entries for DCA rules. IPFilter allocates memory for the state table in 500-Kbyte chunks,
where each chunk can store 1,300 entries (each state table entry is approximately 384 bytes).
CAUTION: HP-UX IPFilter keeps memory allocated for state and limit table entries in its private
free pool and does not return this allocated memory back to the kernel memory pool for general
use. Setting fr_statemax to a large value can affect system memory availability.
When the number of entries reaches fr_statemax, IPFilter checks if entries have exceeded their
idle lifetime and are eligible to be freed. The idle lifetimes are based on the protocol type and
are as follows:
ICMP: 60 seconds
TCP: the value of fr_tcpidletimeout (by default, 86,400 seconds)
UDP: 120 seconds
If IPFilter is unable to create a state table entry for a packet that matches a DCA rule, it allows
the packet to pass. The maximum counter reported by the ipfstat -s command reports the
number of times IPFilter attempted to create a state table entry but could not because the state
table contained the maximum number of entries.
C.4 ipf_icmp6_passthru
The parameter ipf_icmp6_passthru is described in “Controlling ICMPv6 Router Discovery
and Neighbor Discovery Messages” (page 107).
C.5 ipl_buffer_sz
The ipl_buffer_sz parameter specifies the size of the IPFilter logging buffer.
ipl_buffer_sz
    Range:   1024 - 163840 bytes
    Default: 8192 bytes
    Command: HP-UX 11i v1 and HP-UX 11i v2: ndd; HP-UX 11i v3: kctune
C.6 ipl_suppress
The ipl_suppress parameter specifies the IPFilter logging behavior for identical log records.
When this feature is enabled (the value is 1), IPFilter suppresses identical log records: instead of
writing duplicate records, it writes the record once together with Nx, where N is the number of
times the record was repeated. If this feature is disabled, IPFilter writes all log records,
including duplicate records.
ipl_suppress
    Range:   0 (disabled) - 1 (enabled)
    Default: 1
    Command: HP-UX 11i v1 and HP-UX 11i v2: ndd; HP-UX 11i v3: kctune
C.7 ipl_logall
The ipl_logall parameter specifies if IPFilter includes the first 128 bytes of a packet in log
records or all the contents of a packet when the log body keywords are specified in a rule. By
default, this feature is disabled (ipl_logall is set to 0). Note that enabling this feature generates
large log files.
For information on changing the ipl_logall variable, see “Configuring and Viewing Kernel
Tunable Parameters” (page 145).
ipl_logall
    Range:   0 (disabled) - 1 (enabled)
    Default: 0
    Command: HP-UX 11i v1 and HP-UX 11i v2: ndd; HP-UX 11i v3: kctune
NOTE: You cannot add the IPFilter ndd variables to the ndd configuration file read at system
startup time (/etc/rc.config.d/nddconf). When the system starts up, the IPFilter ndd
variables are reset to their default values.
The network device for the IPFilter parameters is /dev/pfil. Use the following syntax to
configure the value of an IPFilter ndd kernel tunable parameter:
ndd -set /dev/pfil parameter_name value
For example:
ndd -set /dev/pfil ipl_logall 1
Use the following syntax to query the value of a kernel tunable:
ndd -get /dev/pfil parameter_name
For example:
ndd -get /dev/pfil ipl_logall
D.1 Overview
IPFilter has two kernel modules, pfil, a streams module and ipf, a WSIO pseudo driver. These
are dynamically loadable kernel modules. When IPFilter is installed on an HP-UX system using
swinstall, these two modules are loaded and configured as dynamically linked modules. They
can be loaded and unloaded when required without shutting down the system as long as the
modules are not currently in use.
D.2 Static Linking of HP-UX IPFilter on HP-UX 11i v2 and HP-UX 11i v3
Use the following steps to statically link the IPFilter modules to the kernel with HP-UX 11i v2
and HP-UX 11i v3:
1. Set up the IPFilter modules to be statically linked to the kernel using the kcmodule command.
The modules will be statically linked at the next system boot. See the kcmodule (1M)
manpage for further details. For example:
$ kcmodule -K -h -s pfil=static
$ kcmodule -K -h -s ipf=static
2. Reboot the system.
Use the following steps to return the system back to dynamic linking.
1. Set up the IPFilter modules to be dynamically linked to the kernel using the following
commands:
$ kcmodule -K -h -s pfil=auto
$ kcmodule -K -h -s ipf=auto
2. Reboot the system.
CAUTION: If you need to remove or update IPFilter software, you must reconfigure the ipf
and pfil modules to link dynamically into the kernel. The install and remove scripts for IPFilter
assume the IPFilter modules to be dynamically linked. Do not try installing a newer version or
removing the existing IPFilter product if it is statically linked to the kernel.
pfil Y Y
The output is similar for the ipf module. This output shows that the pfil module is
loadable.
3. Use the kmsystem command to set the loadable parameter to N.
$ kmsystem -l N -c Y ipf
$ kmsystem -q ipf
ipf Y N
$ kmsystem -l N -c Y pfil
4. Use the following command to build the new kernel with the modified configuration:
$ config /stand/system
5. Use the kmupdate command to prepare the system to boot from the new kernel during the
next system shutdown.
$ kmupdate /stand/build/vmunix_test
$ shutdown -r 0 # Shutdown the system now
This boots the system using the new kernel that has both IPFilter modules statically linked.
CAUTION: If you need to remove or update IPFilter software, you must reconfigure the ipf
and pfil modules to link dynamically into the kernel. The install and remove scripts for IPFilter
assume the IPFilter modules to be dynamically linked. Do not try installing a newer version or
removing the existing IPFilter product if it is statically linked to the kernel.
[Figure E-1 (not reproduced): in each direction packets are processed twice, at points 2 and 3 and at points 6 and 7]
1. On an intermediate system, disable the interface on the intranet side. By default, there is
redundant processing for each packet through an intermediate system, as shown in Figure E-1.
By disabling the intranet interface, using ipf -D lan2 in this example, each packet is
processed only once in each direction (2 and 7). Do not disable any interface on an end
system.
2. If your system has multiple CPUs and LAN cards, be sure traffic is divided evenly between
the CPUs. Interrupt migration and PerfView utilities can be used to determine that traffic
is spread evenly between CPUs.
• For keep limit rules, avoid the cumulative rule whenever possible.
If a large number of connections have the same source IP, destination IP, and destination
port, system performance is impacted by cumulative rules. Non-cumulative keep limit
rules keep a cache based on the source IP, destination IP, and destination port. Cumulative
rules do not keep a cache based on these parameters.
E.4 Traffic
To manage IPFilter for optimal system performance:
• Keep the state entries at a manageable level. A large number of state entries requires many
CPU cycles to process them. Too many state entries can cause noticeable performance
degradation on a system.
• Keep packet searches on rulesets as short as possible. On a 750-MHz PA-RISC system, a
1000 to 2000 rule search is acceptable. If IPFilter traffic is light, a 5000 rule search is the
recommended maximum. The optimal number of rules is dependent on your specific
operating environment, including factors such as type of rules and amount of traffic.
• Keep IPFilter traffic at a manageable level. Do not run at peak load all the time. Keep the
average CPU usage rate at around 60% to accommodate unexpected peak loads. At peak
load times the system compensates with schemes such as dropping packets. However, it is
never a good idea to push a system beyond its intended capacity.
For example, the normal region in Figure E-2 shows normal system operation. The system should
not operate in the marginal region for a long period of time. Configure your system to raise an
alarm if the system reaches the critical level. Define these criteria based on your operating
environment.