https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205323#M733041 Hi all, <BR /><BR />I just added some custom IPFilter rules to a bastilled server, of course I added them in /etc/opt/sec_mgmt/bastille/ipf.customrules.<BR /><BR />The I re-applied the bastille config with bastille -b and everything seems OK. <BR /><BR />I checked with ipfstat -io and the new rules where there, I also look into ipf.conf and it was OK too but after a reboot of the server when I do an ipfstat -io the new rules aren't there. <BR /><BR />Any ideas, am I doing something wrong?<BR /><BR />Thx and rgds, <BR />JMR Wed, 21 Oct 2009 13:16:05 GMT jreypo 2009-10-21T13:16:05Z https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205323#M733041 Hi all, <BR /><BR />I just added some custom IPFilter rules to a bastilled server, of course I added them in /etc/opt/sec_mgmt/bastille/ipf.customrules.<BR /><BR />The I re-applied the bastille config with bastille -b and everything seems OK. <BR /><BR />I checked with ipfstat -io and the new rules where there, I also look into ipf.conf and it was OK too but after a reboot of the server when I do an ipfstat -io the new rules aren't there. <BR /><BR />Any ideas, am I doing something wrong?<BR /><BR />Thx and rgds, <BR />JMR Wed, 21 Oct 2009 13:16:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205323#M733041 jreypo 2009-10-21T13:16:05Z https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205324#M733042 More info:<BR /><BR />If I perform:<BR /><BR />mad_svr01 # /sbin/init.d/ipfboot stop<BR />mad_svr01 # /sbin/init.d/ipfboot start<BR /><BR />The new rules are correctly loaded It seems that the problem is only after a reboot of the server.<BR /><BR />Rgrds, Wed, 21 Oct 2009 13:22:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205324#M733042 jreypo 2009-10-21T13:22:45Z https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205325#M733043 I <THINK> that the reason is the rules are not in the ipf.conf file. When the system is restarting, ipfilter looks at the ipf.conf file for rules, and the custom rules you added were only added to an up and running system, not to the start-up routine. There are better admins than I who could tell you with more confidence. <BR /><BR />If your additional rules work, then why not add them to your ipf.conf file. Not only will they be there at reboot, but if your system has lots of ip traffic, you can customize the rule order to make your ipfilter more efficient. For example, you might want to put your "block in quick ..." rules before your "pass out ..." rules so incoming packets can be dropped quicker, instead of progressing down the rule list eating up system resources.<BR /><BR />Fred</THINK> Thu, 22 Oct 2009 13:34:44 GMT https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205325#M733043 Fred K. Abell Jr._1 2009-10-22T13:34:44Z https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205326#M733044 Hi Fred. <BR /><BR />I agree with you about the ipf.conf, but Bastille manual specifically say to put the new custom rules in the /etc/opt/sec_mgmt/bastille/ipf.customrules file.<BR /><BR />Anyway I decided to revert the server to the so-called pre-bastille state and to setup its secuity manually, including IPFilter, password policies, etc.<BR /><BR />Thx for your answer.<BR /><BR />Rgrds,<BR />---<BR />JMR Thu, 22 Oct 2009 15:03:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/bastille-and-ipfilter-issues/m-p/5205326#M733044 jreypo 2009-10-22T15:03:33Z