topic Re: ipfilter in Operating System - HP-UX

ipfilter

Larry Basford — Sun, 29 Apr 2007 22:47:48 GMT

I want to allow only ports 21 22 23
ssh
ftp
telnet
To everyone and all prorts to 172.16.0-8

Am I missing something here.

pass out quick on lan0 proto tcp from 172.16.1.100/21 to any keep state
pass out quick on lan0 proto udp from 172.16.1.100/21 to any keep state
pass out quick on lan0 proto icmp from 172.16.1.100/21 to any keep state

pass in quick on lan0 proto tcp from any to 172.16.1.100/21 port = 23 flags S keep state keep frags
pass in quick on lan0 proto tcp from any to 172.16.1.100/21 port = 22 flags S keep state keep frags
pass in quick on lan0 proto tcp from any to 172.16.1.100/21 port = 21 flags S keep state keep frags
pass out quick on lan0 proto tcp/udp from 172.16.1.100/21 to any keep state
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any
pass in quick from 172.16.0.0/21 to any
pass out quick from any to 172.16.0.0/21

Re: ipfilter

Rasheed Tamton — Mon, 30 Apr 2007 01:01:40 GMT

Try to get hold of Doc. UTRANKBRC00017096 from KnowledgeBase which explains ipfilter.

or IPFilter Config. Examples in this doc.
http://docs.hp.com/en/B9901-90021/B9901-90021.pdf

Also there are sample files in /opt/ipf/examples dir.

Re: ipfilter

Steven E. Protter — Mon, 30 Apr 2007 02:26:41 GMT

Shalom,

How this peforms depends on local network configuration.

Are you using this HP-UX box as a router-firewall?

If so you may need a pass out command on each network. I'd need to see an ifconfig lan0 (or whatever lan we're dealing with here) and get some information on the overall environment to be able to understand and make recommendations.

SEP

Re: ipfilter

Marco A. — Mon, 30 Apr 2007 07:46:05 GMT

Hello,

#
# Allow outgoing connections: SSH, TELNET, FTP
#
pass in quick proto tcp from any to any port = 21 keep state
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 23 keep state

In case that you want to allow the external hosts to access your server as ftp, ssh or telnet, change the flag "in" to "out" .

And to add the rule only for your network 172.16.1.100/21, change the flag "any" to your net address.

Try to use also..

* from 172.16.1.1/21 to 172.16.8.254/21 * instead of 172.16.0-8 !

Hope this helps,

Rgds,

Re: ipfilter

David Woodroffe — Mon, 30 Apr 2007 21:01:17 GMT

Ftp rules can be configured for a server and/or a client. In addition you have to decide if you are using active mode or passive mode as it affects the required rules. Also port 20 rules are required.

The HP IPFilter adminstrators guide has a very good example of all this (ftp) and how to setup the required rules. I found use of "log" in the rules very handy in sorting out problems.

I see you are using private address space but be carefull with the use of "any" in rules. Think about forwarding etc.

Why not use scp ot sftp since you have ssh?