10-21-2009 06:16 AM
bastille and IPFilter issues
Hi all,
I just added some custom IPFilter rules to a bastilled server, of course I added them in /etc/opt/sec_mgmt/bastille/ipf.customrules.
Then I re-applied the bastille config with bastille -b and everything seems OK.
I checked with ipfstat -io and the new rules were there. I also looked into ipf.conf and it was OK too, but after a reboot of the server, when I do an ipfstat -io, the new rules aren't there.
Any ideas, am I doing something wrong?
Thx and rgds,
JMR
10-21-2009 06:22 AM
Re: bastille and IPFilter issues
More info:
If I perform:
mad_svr01 # /sbin/init.d/ipfboot stop
mad_svr01 # /sbin/init.d/ipfboot start
The new rules are correctly loaded. It seems that the problem is only after a reboot of the server.
Rgrds,
10-22-2009 06:34 AM
Re: bastille and IPFilter issues
I think that the reason is the rules are not in the ipf.conf file. When the system is restarting, ipfilter looks at the ipf.conf file for rules, and the custom rules you added were only added to an up and running system, not to the start-up routine. There are better admins than I who could tell you with more confidence.
If your additional rules work, then why not add them to your ipf.conf file. Not only will they be there at reboot, but if your system has lots of ip traffic, you can customize the rule order to make your ipfilter more efficient. For example, you might want to put your "block in quick ..." rules before your "pass out ..." rules so incoming packets can be dropped quicker, instead of progressing down the rule list eating up system resources.
Fred
10-22-2009 08:03 AM
Re: bastille and IPFilter issues
Hi Fred.
I agree with you about the ipf.conf, but the Bastille manual specifically says to put the new custom rules in the /etc/opt/sec_mgmt/bastille/ipf.customrules file.
Anyway, I decided to revert the server to the so-called pre-bastille state and to set up its security manually, including IPFilter, password policies, etc.
Thx for your answer.
Rgrds,
---
JMR
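A check for the symptom discussed in this thread, as an added example that is not part of any post: it lists rules from a wanted-rules file that are missing from a saved `ipfstat -io` listing, so a ruleset that did not survive a reboot is caught. It assumes the rules are written in the same form `ipfstat -io` prints them; the function name and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: list rules present in a wanted-rules file but absent from
# a listing of loaded rules. Function name and sample data are constructed.
#
# On the host after a reboot (command and path as named in the thread):
#   ipfstat -io > loaded.txt
#   missing_rules /etc/opt/sec_mgmt/bastille/ipf.customrules loaded.txt

# missing_rules WANTED LOADED
# Prints each rule in WANTED that is not in LOADED (comments, blank lines
# and whitespace differences ignored). Returns 1 if any rule is missing.
missing_rules() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        { $1 = $1 }                         # collapse whitespace runs
        FILENAME == ARGV[1] { loaded[$0] = 1; next }
        !($0 in loaded) { print; missing++ }
        END { exit (missing > 0) }
    ' "$2" "$1"
}

# Demo on constructed data, not output captured from a real host.
demo() {
    d=${TMPDIR:-/tmp}/ipfcheck.$$
    (umask 077 && mkdir "$d") || return 2   # fails if the path already exists
    cat > "$d/wanted" <<'EOF'
# constructed stand-in for ipf.customrules
pass in quick  proto tcp from any to any port = 22 keep state
block in quick from 192.0.2.0/24 to any
EOF
    cat > "$d/loaded" <<'EOF'
pass in quick proto tcp from any to any port = 22 keep state
EOF
    missing_rules "$d/wanted" "$d/loaded"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "the rule(s) listed above are not in the loaded set"
```

Run from a late boot step or a scheduled job, a non-zero return is the signal that the filter came up without the custom rules.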