topic Re: ipf -D persistent in Operating System - HP-UX

ipf -D persistent

Jose M. del Rio — Thu, 24 Jun 2010 06:55:29 GMT

Hi,
I'm using IPFilter v. 16 on HP-UX 11.31.
I would like to disable IPFilter processing for the heartbeat interfaces (Oracle RAC cluster).
I know "ipf -D interface" does the trick but the change is not persistent (next reboot will clear the exception).
I was considering adding the command to /sbin/init.d/ipfboot but I would like to know before if there is another way to do it.
Thanks.

Re: ipf -D persistent

Fred K. Abell Jr._1 — Thu, 24 Jun 2010 17:59:49 GMT

Jose,
Maybe I'm not understanding what you want to do. Can you just not start it? Edit the /etc/rc.config.d/ipfconf file and make IPF_START=0 instead of =1.

Re: ipf -D persistent

Jose M. del Rio — Sat, 26 Jun 2010 06:00:22 GMT

The servers have two interfaces:
- lan900 to the corporate network
- lan901 tp the heartbeat network.
I want IPfilter to monitor lan900 but to exempt lan901.

Re: ipf -D persistent

Fred K. Abell Jr._1 — Mon, 28 Jun 2010 13:25:33 GMT

In your ipf.conf file, make the rules lan specific. For example:

block in quick on lan0 proto udp from any to any port = netbios_ns

This "block in" command for udp packets will only be applied to lan0. If all your rules are set to work on lan901, then lan900 will be ignored. If you had the following:

block in quick proto udp from any to any port = netbios_ns

then all lans would be filtered.

Fred

Fred

Re: ipf -D persistent

Jose M. del Rio — Mon, 28 Jun 2010 13:34:07 GMT

I know.
In fact, as a workaround, we are doing:
pass out quick on lan901
pass in quick on lan901
The matter is: this way, IPFilter does process all packets from lan901, although allowing them to pass.
However, my understanding is that "ipf -D lan901" does not process packets from lan901.