HP-UX IPFilter A.03.05.07 will soon be available at the software depot for download. It will also be available for September 2003 Application Release for HP-UX 11.0 and 11.11.
HP-UX IPFilter A.03.05.07 for HP-UX 11.11 contains new features and fixes listed
below:
New Features supported:
~~~~~~~~~~~~~~~~~~~~~~
1) Dynamic Connection Allocation (DCA) (previously known as "Anti-Spam Filter")
is a new feature in IPFilter that is designed to run on an intermediate system
that sits in front of a server (or set of servers). It allows limits to be
placed on incoming connections, thereby protecting the server from excessive traffic. An example is to protect MMPF mail servers from excessive SPAM.
Using DCA, administrators can set the number of concurrent connections that are allowed from:
* an IP address;
* each IP address in an IP subnet range;
* an IP subnet range where all the IP addresses in that subnet share the
cumulative limit;
* unknown IP addresses where each unknown IP address has its own connection
limit.
Connections that exceed the limiting value are dropped and if configured, a TCP
reset is sent.
A set of new commands collect statistics about the controlled connections, such
as source and destination IP address, the allocated number of connections, the
number of active connections, and the number of times the connections limit exceeded.
It also provides logging records by IP addresses or subnets, allowing the
administrator to fine tune the rules configured.
2) Full NAT support includes NAT related rules and rule configuration: map,
bimap, rdr, map-block, ipnat.
All perimeter firewall features are still not supported. The following listed
functionality are included with HP-UX IPFilter, but not supported:
* local and remote failover
* fastroute, ipscan: It provides some very basic content filtering capability
that is yet to completely supported in the public domain.
* ipsyncs, ipsyncm: They are the sync slave and the sync master daemons that
synchronize state/NAT state between two IPFilter hosts. This functionality is
incomplete and not supported fully in public domain.
* ipfs: ipfs is used in the context of state synchronization and cannot be
supported without ipsyncs and ipsyncm.
* ipsend, ipresend: They are testing utilities.
* application/FTP proxy/reverse proxy: It is an excluded perimeter firewall
feature. Current FTP proxy functionality is broken and incomplete.
Bug Fixes:
~~~~~~~~~~
* JAGae50391 - HA local failover DPF: Customer's system, using IPFilter
A.03.05.05 with MC/ServiceGuard configured for 3 pairs of primary/standby
interfaces, panicked when cmcld is switching lan i/f.
* JAGae62830 - syslog message "NOTICE: PFIL: cannot find interface
for q xxxxxxxxxxxxxxxx"
* JAGae75702: IPFilter: 'wait_for_lock panic' in pfilstrmodrput() due to low
memory
HP-UX IPFilter A.03.05.07 for HP-UX 11.0 contains the bug fixes mentioned above,
but does not include support for the new features described above (DCA & NAT).
This information is provided in advance in order for those who wish this improved capabililty in IPFilter, and need to schedule (e.g., change managment).
At the end of installation, it automatically reboots; as result, it replaces the previous version and works with the previous version with no problem. The previous version does not need to be uninstalled first.
Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
