Monday, August 06, 2007

Firewalling HP-UX with IP Filter (ipf)

Configuring IP Filter on an HP-UX 11i installation

Check if IP Filter is installed:

# swlist | grep IPF
B9901AA A.03.05.12 HP IPFilter 3.5alpha5

The IP Filter configuration is stored in:

/etc/opt/ipf/ipf.conf

IP Filter starts on boot by default and processes the rules file /etc/opt/ipf/ipf.conf.

Verify that IP Filter is running:

# ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.03.05.12) (400)
Kernel: HP IP Filter: v3.5alpha5 (A.03.05.12)
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1

To (re)load IPFilter:

# /sbin/init.d/ipfboot start

To check statistics:

# ipfstat

To test a set of ipf rules without putting them in place, you can use the ipftest(1) tool.

The default log file for ipmon is /var/adm/syslog/syslog.log.

Here is a commented example rule set:

/etc/opt/ipf/ipf.conf:

# IPFilter configuration file

# block incoming packets with ip options set
block in log quick all with ipopts

# These rules will allow connections initiated from
# this host along with the return connection
pass out quick proto icmp all keep state
pass out quick proto tcp all keep state
pass out quick proto udp all keep state

####################################################
# End allow outgoing rules #
####################################################
# These rules deliberately do not log netbios udp or portmapper
# packets because these protocols tend to be very noisy on networks
block in quick proto udp from any to any port = netbios_ns
block in quick proto udp from any to any port = netbios_dgm
block in quick proto udp from any to any port = portmap

#####################################################################
# The following rules explicitly allow certain types of connections#
#####################################################################

# Allow SecureShell incoming connections on alternate port
pass in quick proto tcp from any to any port = 9451 flags S keep state keep frags

# Allow Oracle incoming connections:

# Oracle iSQL*Plus
pass in quick proto tcp from any to any port = 5560 keep state

# Oracle Enterprise Manager (em)
pass in quick proto tcp from any to any port = 1158 keep state

# Oracle database
pass in quick proto tcp from any to any port = 1521 keep state

# Oracle agent
pass in quick proto tcp from any to any port = 1830 keep state

##################################################################
# Oracle 9i Installation
##################################################################

#Oracle http
pass in quick proto tcp from any to any port = 7777 keep state

#Oracle https
pass in quick proto tcp from any to any port = 7778 keep state
pass in quick proto tcp from any to any port = 4443 keep state

pass in quick proto tcp from any to any port = 3566 keep state

##################################################################
#Block any incoming connections which were not explicitly allowed#
##################################################################

block in log all

Remember, if you're doing this remotely via ssh, make sure you have iLO access in case you mess up and block ssh by mistake.
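The rule set above relies on two things that are easy to get wrong: the `quick` keyword (first match wins; without it ipf keeps going and the last match wins) and the final `block in log all` that turns ipf's built-in "pass all" default (visible in the `ipf -V` output) into default-deny. The following is an added example, not code from the original post or from HP's IP Filter: a small Python parser for the subset of ipf.conf syntax used here, and an evaluator that walks the rules the way ipf does, so you can reason about a packet's fate before loading the file (ipftest(1) does this properly on the box itself). The rule text, the packets and the `netbios_ns`/`netbios_dgm`/`portmap` port numbers are constructed or assumed /etc/services values; `keep state` is not simulated, so only the first packet of a connection is meaningful here.

```python
"""Added example (not from the original post or HP's IP Filter): a parser for
the subset of ipf.conf syntax the post's rule set uses, plus an evaluator that
walks the rules the way ipf does: top to bottom, a matching rule marked
`quick` decides the packet at once, otherwise the LAST matching rule wins.
State tracking (`keep state`) is not simulated: only the first packet of a
connection is evaluated against the rules here."""
import re

# Constructed sample: a condensed copy of the post's /etc/opt/ipf/ipf.conf.
RULES_TEXT = """
block in log quick all with ipopts
pass out quick proto icmp all keep state
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
block in quick proto udp from any to any port = netbios_ns
block in quick proto udp from any to any port = netbios_dgm
block in quick proto udp from any to any port = portmap
pass in quick proto tcp from any to any port = 9451 flags S keep state keep frags
pass in quick proto tcp from any to any port = 1521 keep state
block in log all
"""

# Assumed /etc/services lookups for the names used above (IANA assignments).
SERVICES = {"netbios_ns": 137, "netbios_dgm": 138, "portmap": 111}

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+proto\s+(?P<proto>\w+))?"
    r"(?:\s+all|\s+from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(?P<port>\w+))?)"
    r"(?P<rest>.*)$")


def parse_rules(text):
    """Turn ipf.conf lines into rule dicts; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        port = m.group("port")
        rules.append({
            "text": line, "action": m.group("action"), "dir": m.group("dir"),
            "log": bool(m.group("log")), "quick": bool(m.group("quick")),
            "proto": m.group("proto"),
            "port": None if port is None else SERVICES.get(port) or int(port),
            "syn_only": "flags S" in m.group("rest"),   # new connections only
            "ipopts": "with ipopts" in m.group("rest"),
        })
    return rules


def matches(rule, pkt):
    """Does one rule apply to a packet dict (dir, proto, dport, flags, ipopts)?"""
    return (rule["dir"] == pkt["dir"]
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["port"] is None or rule["port"] == pkt.get("dport"))
            and (not rule["syn_only"] or pkt.get("flags") == {"S"})
            and (not rule["ipopts"] or pkt.get("ipopts", False)))


def evaluate(rules, pkt):
    """Return (verdict, logged, rule text). No match at all falls back to
    ipf's built-in default, which `ipf -V` on the post's box reports as
    'pass all'."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break                  # quick: stop at the first match
    if winner is None:
        return ("pass", False, None)
    return (winner["action"], winner["log"], winner["text"])


def default_is_deny(rules):
    """True when the last inbound rule is a catch-all block, so no inbound
    packet can fall through to the 'pass all' built-in default."""
    inbound = [r for r in rules if r["dir"] == "in"]
    return bool(inbound) and inbound[-1]["action"] == "block" and all(
        inbound[-1][k] in (None, False) for k in ("proto", "port", "ipopts"))


def run_samples(rules=None):
    """Evaluate a few constructed packets; returns {name: (verdict, logged)}."""
    rules = rules or parse_rules(RULES_TEXT)
    packets = {
        "ssh_syn":      {"dir": "in", "proto": "tcp", "dport": 9451, "flags": {"S"}},
        # same port but not a SYN: without a state entry it hits the final block
        "ssh_ack_only": {"dir": "in", "proto": "tcp", "dport": 9451, "flags": {"A"}},
        "ssh_ipopts":   {"dir": "in", "proto": "tcp", "dport": 9451, "flags": {"S"},
                         "ipopts": True},   # first rule wins over the later pass
        "netbios_ns":   {"dir": "in", "proto": "udp", "dport": 137},
        "default_ssh":  {"dir": "in", "proto": "tcp", "dport": 22, "flags": {"S"}},
        "outbound_web": {"dir": "out", "proto": "tcp", "dport": 80, "flags": {"S"}},
    }
    return {name: evaluate(rules, pkt)[:2] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (verdict, logged) in run_samples().items():
        print(f"{name:13s} {verdict:5s} {'log' if logged else ''}")
```

Running it shows the SYN to the alternate ssh port passing, the same port with IP options set being blocked and logged by the first rule regardless of the later pass, netbios traffic being dropped silently, and a SYN to port 22 landing on the final logged block. `default_is_deny` is the check worth running on any edited file before `ipfboot start`: if you ever remove or reorder that last rule, unmatched inbound traffic is passed, not dropped.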

You can also use Bastille (download from hp.com) to generate a ruleset.

Read the HP-UX IPFilter Administrator's Guide for more details.
