topic Re: IPfilter error in Operating System - HP-UX

IPfilter error

cabloy — Wed, 10 Mar 2010 08:39:26 GMT

Hi,

I'm having rx7640 server running on HPUX 11.31 version. I've already installed HP IPFilter 3.5alpha5. I want to allow access to some ip's & other ip's must be blocked and i configure the following rule.

block in from any to any
pass in from 127.0.0.1/32 to 127.0.0.1/32
pass in from 10.123.161.48/32 to any
block out from any to any
pass out from any to 127.0.0.1/32
pass out from any to 10.123.161.48/32

But the problem is after enabling the rule within 3 minutes server was not accessible
We try to ping the server and the output is request timeout. What we do just to access the server is using console. We'll stop the module and remove the rule.

Please help us on what to do. Do we have any setting or kernel parameters to configure?

thanks.

Re: IPfilter error

Johnson Punniyalingam — Wed, 10 Mar 2010 08:56:01 GMT

Hi ,

Check below thread,

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1408066

also you consider, using the /var/adm/inetd.sec

Rgds,

Re: IPfilter error

cabloy — Wed, 10 Mar 2010 09:11:48 GMT

Thanks Johnson, But our problem was in the IPFILTER rule. After enabling the rule no one can't access the server except the ip that we define in the /etc/rc.config.d/ipfconf. But after 3 minutes were not able to access the server. It blocks all the connections including the IP the we define in the ipfconf. The only way to access the server is using the console.

For your reference also below is the settings of /etc/rc.config.d/ipfconf

# cat /etc/rc.config.d/ipfconf
#
# Directory where IP Filter configuration files are kept
#
IPF_CONFDIR=/etc/opt/ipf
#
# Packet filtering configuration file for IPv4
#
IPF_CONF=${IPF_CONFDIR}/ipf.conf
#
# Packet filtering configuration file for IPv6
#
IPF6_CONF=${IPF_CONFDIR}/ipf6.conf
#
# Network address translation configuration file
#
IPNAT_CONF=${IPF_CONFDIR}/ipnat.conf
#
# Load the ipfilter module ?
# 1 = Start, 0 = Do not start
#
IPF_START=1
#
# Set DCA mode ?
# 1 = Set DCA mode, 0 = Do not set DCA mode
#
DCA_START=0
#
# Start ipmon ?
# 1 = Start, 0 = Do not start
#
IPMON_START=1
#
# Options to start ipmon with
#
IPMON_FLAGS=-sD

Re: IPfilter error

Johnson Punniyalingam — Wed, 10 Mar 2010 09:26:45 GMT

>>pass in from 10.123.161.48/32 to any <<

Can please check above line which you posted

I am not sure , if rules will follow backwards

pass in from 10.123.161.32/48 to any

Looks to me may its incorrect , well you give a try.. :)

Re: IPfilter error

cabloy — Wed, 10 Mar 2010 09:48:06 GMT

Sir 10.123.161.48 is my IP address.

Re: IPfilter error

Horia Chirculescu — Wed, 10 Mar 2010 09:53:38 GMT

Hello,

>Sir 10.123.161.48 is my IP address.

block in from any to any
pass in from 127.0.0.1/32 to 127.0.0.1/32
pass in from 10.123.161.48/32 to any
block out from any to any
pass out from any to 127.0.0.1/32
pass out from any to 10.123.161.48/32

So you are denying traffic from other servers except from your local server. This would definitively conduct to:

>server was not accessible
We try to ping the server and the output is request timeout. What we do just to access the server is using console.

You would have a real problem if you woun't have physical access to the console.

Horia.

Re: IPfilter error

cabloy — Thu, 11 Mar 2010 03:03:27 GMT

Hi Horia

Yes were trying to block some ip & others are allowed to access the server using IPFilter.

Just for the sake of testing I define 1 IP w/c is 10.123.161.48. When i apply the rule, it run smoothly no one can access the server except for the 10.123.161.48

But after 3 minutes, all connections was block no one can access the server.

My question are:
Is my rules correct, Do i need to configure any setting or kernel parameters to adjust.

Please help.

Re: IPfilter error

cabloy — Mon, 15 Mar 2010 04:29:02 GMT

Hi to all,

Any idea on the case. Please help us.

thanks.