HPE Community
Operating System - HP-UX
1754978 Members
3190 Online
108828 Solutions
New Discussion

ipfilter and ipftest problem

 
SOLVED
Go to solution
Andreas Tsamis
Advisor

‎02-08-2012 04:20 AM

‎02-08-2012 04:20 AM

ipfilter and ipftest problem

Hello,

I have a 11.31 HPUX installed on itanium. I'm setting up ipfilters and tried to test some rules

 

# IPFilter              A.11.31.17.05  HP IPFilter 3.5alpha5
  IPFilter.IPF-HP       A.11.31.17.05  HP IPFilter 3.5alpha5
  IPFilter.PFIL-HP      A.11.31.17.05  HP IPFilter PFIL Interface

 

I have a rule that allows udp's in out in a range of ports.

 

grep 192.168. /tmp/ipf_temp.conf

pass in quick proto udp from 192.168.1.0/24 to 192.168.1.0/24 port = 5300 keep state
pass out quick proto udp from  192.168.1.0/24 port = 5300 to 192.168.1.0/24 keep state
pass in quick proto udp from 192.168.1.0/24 to 192.168.1.0/24 port 137 >< 138 keep state
#pass in quick proto udp from 192.168.1.0/24 to 192.168.1.0/24 port = 138 keep state
pass out quick proto udp from  192.168.1.0/24 port 137 >< 138 to 192.168.1.0/24 keep state

 

ipftest shows this rule as blocked

 

ipftest -r /tmp/ipf_temp.conf
opening rule file "/tmp/ipf_temp.conf"
in udp 192.168.1.1,138 192.168.1.255,138
input: in udp 192.168.1.1,138 192.168.1.255,138
block ip 28(20) 17 192.168.1.1,138 > 192.168.1.255,138
--------------
in udp 192.168.1.1,138 192.168.1.25,137
input: in udp 192.168.1.1,138 192.168.1.25,137
block ip 28(20) 17 192.168.1.1,138 > 192.168.1.25,137

 

If i remove the >< and replace it by port = 137 or port = 138 it allows it to pass

 

Is there anything wrong with my test input or the ipf.conf rules

 

Thanks

Andreas

0 Kudos
Reply
4 REPLIES 4
Matti_Kurkela
Honored Contributor

‎02-09-2012 08:17 AM

‎02-09-2012 08:17 AM

Solution

Re: ipfilter and ipftest problem

pass in quick proto udp from 192.168.1.0/24 to 192.168.1.0/24 port 137 >< 138 keep state

 

This would allow the UDP traffic if the port number is greater than 137 but less than 138. Since the port numbers must be integers (i.e. port 137.5 cannot exist), there are no ports that could sastisfy this condition.

MK
Reply
Andreas Tsamis
Advisor

‎02-15-2012 01:01 AM

‎02-15-2012 01:01 AM

Re: ipfilter and ipftest problem

Thanks.

Logical :) i thought that the values 137 and 138 were included. So if i want to include the two values whats the syntax? Except the now obvious 136><139 ?

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎02-15-2012 12:02 PM

‎02-15-2012 12:02 PM

Re: ipfilter and ipftest problem

http://coombs.anu.edu.au/~avalon/examples.html#ports

 

There does not seem to be a way to specify a port range in inclusive fashion, so as far as I understand, 136><139 is the only way.

MK
0 Kudos
Reply
Andreas Tsamis
Advisor

‎02-20-2012 09:56 PM

‎02-20-2012 09:56 PM

Re: ipfilter and ipftest problem

Thanks for your help :)

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.