
Re: IPfilter error

 
SOLVED
cabloy
Advisor

IPfilter error

Hi,

I have an rx7640 server running HPUX version 11.31. I've already installed HP IPFilter 3.5alpha5. I want to allow access for some IPs while other IPs must be blocked, and I configured the following rules.

block in from any to any
pass in from 127.0.0.1/32 to 127.0.0.1/32
pass in from 10.123.161.48/32 to any
block out from any to any
pass out from any to 127.0.0.1/32
pass out from any to 10.123.161.48/32

But the problem is that within 3 minutes after enabling the rule, the server was not accessible.
We tried to ping the server and the output was request timeout. All we can do to access the server is use the console. We then stop the module and remove the rule.

Please help us on what to do. Do we have any setting or kernel parameters to configure?

thanks.

Johnson Punniyalingam
Honored Contributor
Solution

Re: IPfilter error

Hi,

Check the thread below:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1408066

Also, you could consider using /var/adm/inetd.sec.

Rgds,

Problems are common to all, but attitude makes the difference
cabloy
Advisor

Re: IPfilter error

Thanks Johnson, but our problem was in the IPFILTER rule. After enabling the rule, no one can access the server except the IP that we define in /etc/rc.config.d/ipfconf. But after 3 minutes we're not able to access the server. It blocks all connections, including the IP that we define in ipfconf. The only way to access the server is through the console.

For your reference, below are the settings of /etc/rc.config.d/ipfconf:

# cat /etc/rc.config.d/ipfconf
#
# Directory where IP Filter configuration files are kept
#
IPF_CONFDIR=/etc/opt/ipf
#
# Packet filtering configuration file for IPv4
#
IPF_CONF=${IPF_CONFDIR}/ipf.conf
#
# Packet filtering configuration file for IPv6
#
IPF6_CONF=${IPF_CONFDIR}/ipf6.conf
#
# Network address translation configuration file
#
IPNAT_CONF=${IPF_CONFDIR}/ipnat.conf
#
# Load the ipfilter module ?
# 1 = Start, 0 = Do not start
#
IPF_START=1
#
# Set DCA mode ?
# 1 = Set DCA mode, 0 = Do not set DCA mode
#
DCA_START=0
#
# Start ipmon ?
# 1 = Start, 0 = Do not start
#
IPMON_START=1
#
# Options to start ipmon with
#
IPMON_FLAGS=-sD
Johnson Punniyalingam
Honored Contributor

Re: IPfilter error

>>pass in from 10.123.161.48/32 to any <<

Can you please check the above line which you posted?

I am not sure if the rules will follow backwards:

pass in from 10.123.161.32/48 to any


Looks to me like maybe it's incorrect; well, you give it a try.. :)



Problems are common to all, but attitude makes the difference
cabloy
Advisor

Re: IPfilter error

Sir, 10.123.161.48 is my IP address.
Horia Chirculescu
Honored Contributor

Re: IPfilter error

Hello,

> Sir, 10.123.161.48 is my IP address.

block in from any to any
pass in from 127.0.0.1/32 to 127.0.0.1/32
pass in from 10.123.161.48/32 to any
block out from any to any
pass out from any to 127.0.0.1/32
pass out from any to 10.123.161.48/32

So you are denying traffic from other servers except from your local server. This would definitely lead to:

> server was not accessible
> We try to ping the server and the output is request timeout. What we do just to access the server is using console.

You would have a real problem if you didn't have physical access to the console.

Horia.
Best regards from Romania,
Horia.
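
The point made in the reply above, traced against the posted ruleset. This is an added example, not part of any post in the thread: a small Python evaluator for the `block|pass in|out [quick] from ... to ...` subset of IPFilter syntax, using IPFilter's rule that the last matching rule wins unless a rule is marked `quick`. The server address 10.123.161.10 and the hosts .99 and .5 are constructed sample values.

```python
import ipaddress
# The ruleset exactly as posted in the thread.
RULES = """\
block in from any to any
pass in from 127.0.0.1/32 to 127.0.0.1/32
pass in from 10.123.161.48/32 to any
block out from any to any
pass out from any to 127.0.0.1/32
pass out from any to 10.123.161.48/32
"""

def net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def parse(text):
    """Parse only the '<action> <in|out> [quick] from <src> to <dst>' subset."""
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if tok and tok[0] in ("block", "pass"):
            src, dst = tok[tok.index("from") + 1], tok[tok.index("to") + 1]
            rules.append((tok[0], tok[1], "quick" in tok, net(src), net(dst)))
    return rules

def decide(rules, direction, src, dst, default="pass"):
    """IPFilter semantics: the last matching rule wins unless a rule is 'quick'."""
    verdict = default  # assumption: verdict when nothing matches (unused by this ruleset)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rdir, quick, rsrc, rdst in rules:
        if rdir == direction and s in rsrc and d in rdst:
            verdict = action
            if quick:
                break
    return verdict

SERVER = "10.123.161.10"  # constructed address for the filtered server
PACKETS = [  # constructed sample traffic: (direction, source, destination)
    ("in", "10.123.161.48", SERVER),   # the one permitted peer
    ("out", SERVER, "10.123.161.48"),  # replies to that peer
    ("in", "10.123.161.99", SERVER),   # any other client
    ("out", SERVER, "10.123.161.5"),   # server talking to any other host
]

def report(rules_text=RULES):
    rules = parse(rules_text)
    return [(pkt, decide(rules, *pkt)) for pkt in PACKETS]

if __name__ == "__main__":
    for pkt, verdict in report():
        print(f"{verdict:5} {pkt[0]:3} {pkt[1]} -> {pkt[2]}")
```

Only traffic to and from 10.123.161.48 (and loopback) passes; every other host is blocked in both directions, including connections the server itself initiates.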
cabloy
Advisor

Re: IPfilter error

Hi Horia

Yes, we're trying to block some IPs while others are allowed to access the server using IPFilter.

Just for the sake of testing, I defined 1 IP, which is 10.123.161.48. When I apply the rule, it runs smoothly; no one can access the server except for 10.123.161.48.

But after 3 minutes, all connections were blocked; no one can access the server.

My questions are:
Are my rules correct? Do I need to configure any settings or kernel parameters?

Please help.

cabloy
Advisor

Re: IPfilter error

Hi to all,

Any ideas on the case? Please help us.

thanks.