HPE Community
Operating System - HP-UX
1753834 Members
7625 Online
108806 Solutions
New Discussion юеВ

ipfilter

 
Larry Basford
Regular Advisor

тАО04-29-2007 03:47 PM

тАО04-29-2007 03:47 PM

ipfilter

I want to allow only ports 21 22 23
ssh
ftp
telnet
To everyone and all prorts to 172.16.0-8



Am I missing something here.

pass out quick on lan0 proto tcp from 172.16.1.100/21 to any keep state
pass out quick on lan0 proto udp from 172.16.1.100/21 to any keep state
pass out quick on lan0 proto icmp from 172.16.1.100/21 to any keep state

pass in quick on lan0 proto tcp from any to 172.16.1.100/21 port = 23 flags S keep state keep frags
pass in quick on lan0 proto tcp from any to 172.16.1.100/21 port = 22 flags S keep state keep frags
pass in quick on lan0 proto tcp from any to 172.16.1.100/21 port = 21 flags S keep state keep frags
pass out quick on lan0 proto tcp/udp from 172.16.1.100/21 to any keep state
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any
pass in quick from 172.16.0.0/21 to any
pass out quick from any to 172.16.0.0/21
Desaster recovery? Right !
0 Kudos
Reply
4 REPLIES 4
Rasheed Tamton
Honored Contributor

тАО04-29-2007 06:01 PM

тАО04-29-2007 06:01 PM

Re: ipfilter


Try to get hold of Doc. UTRANKBRC00017096 from KnowledgeBase which explains ipfilter.

or IPFilter Config. Examples in this doc.
http://docs.hp.com/en/B9901-90021/B9901-90021.pdf

Also there are sample files in /opt/ipf/examples dir.

0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО04-29-2007 07:26 PM

тАО04-29-2007 07:26 PM

Re: ipfilter

Shalom,

How this peforms depends on local network configuration.

Are you using this HP-UX box as a router-firewall?

If so you may need a pass out command on each network. I'd need to see an ifconfig lan0 (or whatever lan we're dealing with here) and get some information on the overall environment to be able to understand and make recommendations.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Marco A.
Esteemed Contributor

тАО04-30-2007 12:46 AM

тАО04-30-2007 12:46 AM

Re: ipfilter

Hello,

#
# Allow outgoing connections: SSH, TELNET, FTP
#
pass in quick proto tcp from any to any port = 21 keep state
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 23 keep state

In case that you want to allow the external hosts to access your server as ftp, ssh or telnet, change the flag "in" to "out" .

And to add the rule only for your network 172.16.1.100/21, change the flag "any" to your net address.


Try to use also..

* from 172.16.1.1/21 to 172.16.8.254/21 * instead of 172.16.0-8 !



Hope this helps,

Rgds,
Just unplug and plug in again ....
0 Kudos
Reply
David Woodroffe
Frequent Advisor

тАО04-30-2007 02:01 PM

тАО04-30-2007 02:01 PM

Re: ipfilter

Ftp rules can be configured for a server and/or a client. In addition you have to decide if you are using active mode or passive mode as it affects the required rules. Also port 20 rules are required.

The HP IPFilter adminstrators guide has a very good example of all this (ftp) and how to setup the required rules. I found use of "log" in the rules very handy in sorting out problems.

I see you are using private address space but be carefull with the use of "any" in rules. Think about forwarding etc.

Why not use scp ot sftp since you have ssh?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.