Ignite-UX Administration Guide for HP-UX 11i (B3921-90079, October 2013)

pass in log quick proto tcp/udp from any to any port = 2121
pass in log quick proto tcp/udp from any to any port 49152 >< 65535
pass in log quick proto tcp from any to any port = 20
pass in log quick proto tcp from any to any port = 21
pass in log quick proto tcp from any to any port = 22
pass in log quick proto tcp from any to any port = 514
pass in log quick proto icmp from any to any icmp-type 8 keep state
pass in log quick proto tcp from any port = 514 to any keep state
c. In the IPFilter Module of Bastille, change the following line to Yes if it is not already.
Should Bastille setup basic firewall rules with these properties?
d. Run Bastille.
# bastille -b -f your_configuration_file
6. If a Bastille baseline had been created for the system, update that baseline.
# bastille_drift --save_baseline baseline
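A check for the ipf.customrules edit in step 5b, added here as an example and not part of the guide or of Bastille: it confirms that the udp outgoing rule carries keep frags and that every Ignite-UX rule listed above is present, run here against a constructed sample file. It compares whitespace-normalised rule text only and is not an IPFilter parser.

```python
"""Verify a Bastille ipf.customrules file carries the Ignite-UX rules.

Added example, not part of the Ignite-UX guide or of Bastille. It only
normalises whitespace and compares rule text; it is not an IPFilter parser.
"""
import re

# Rules the guide adds after the "End allow outgoing rules" section.
REQUIRED_INBOUND = [
    "pass in log quick proto tcp/udp from any to any port = 2121",
    "pass in log quick proto tcp/udp from any to any port 49152 >< 65535",
    "pass in log quick proto tcp from any to any port = 20",
    "pass in log quick proto tcp from any to any port = 21",
    "pass in log quick proto tcp from any to any port = 22",
    "pass in log quick proto tcp from any to any port = 514",
    "pass in log quick proto icmp from any to any icmp-type 8 keep state",
    "pass in log quick proto tcp from any port = 514 to any keep state",
]
UDP_OUT_OLD = "pass out quick proto udp all keep state"
UDP_OUT_NEW = "pass out quick proto udp all keep state keep frags"


def normalise(line):
    """Drop a trailing # comment and collapse whitespace for comparison."""
    line = line.split("#", 1)[0]
    return re.sub(r"\s+", " ", line).strip()


def check_customrules(text):
    """Return the problems found; an empty list means the file is ready."""
    rules = {normalise(l) for l in text.splitlines()}
    rules.discard("")
    problems = []
    if UDP_OUT_NEW not in rules:
        if UDP_OUT_OLD in rules:
            problems.append("udp outgoing rule lacks 'keep frags'")
        else:
            problems.append("udp outgoing rule not found")
    for rule in REQUIRED_INBOUND:
        if rule not in rules:
            problems.append("missing: " + rule)
    return problems


# Constructed sample: udp rule still unmodified, two inbound rules absent.
SAMPLE = """\
# Begin allow outgoing rules (constructed)
pass out quick proto tcp all keep state
pass out   quick proto udp all keep state
# End allow outgoing rules
pass in log quick proto tcp/udp from any to any port = 2121
pass in log quick proto tcp/udp from any to any port 49152 >< 65535
pass in log quick proto tcp from any to any port = 20
pass in log quick proto tcp from any to any port = 21
pass in log quick proto tcp from any to any port = 514
pass in log quick proto icmp from any to any icmp-type 8 keep state
"""

if __name__ == "__main__":
    for problem in check_customrules(SAMPLE):
        print(problem)
```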
Enabling Ignite-UX Client Requirements
To make sure Ignite-UX requirements are enabled on the client, you must first discover your current
lockdown state and then modify that state, if necessary, to allow the NFS daemon and rtools
services to run. You must also allow access to certain ports used by an Ignite-UX client.
1. Discover your current lockdown state.
If you are using Bastille 3.0 or later, create a configuration report. The report will be
created in /var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config.
# bastille --assessnobrowser
If you are using a version of Bastille earlier than 3.0, get the latest configuration file used
by Bastille.
# bastille -l
NOTE: If you get the message
NOTE: The system is in its pre-bastilled state.
there is no need to proceed with this configuration, as the daemons, services, and ports required
by Ignite-UX are not locked down in the pre-bastilled state.
2. Copy the last configuration file used or the assessment report to a place of your choice.
3. Bring up the latest configuration in the Bastille GUI.
# bastille --os [HP-UX11.00 | HP-UX11.11 | HPUX11.23 | HPUX11.31] -f filename
4. Make sure the settings in your configuration file for the NFS daemon and rtools service are
set to No. Note that if you have to change a setting from Yes to No, you will likely be required
to enable that daemon or service on your system in order to use it. After you have made
changes, save the configuration file to a place of your choice.
Would you like to deactivate the NFS client daemons?
Should Bastille ensure that the login, shell, and exec services do not run on this system?
5. To update your firewall or have Bastille create a new one:
a. Backup your /etc/opt/ipf/ipf.conf file to a place of your choice.
b. Update the port information for the Bastille-enabled HP-UX IPFilter firewall by editing the
file /etc/opt/sec_mgmt/bastille/ipf.customrules and making the following
changes:
Add the words keep frags to the end of the udp outgoing rule line so it looks like
pass out quick proto udp all keep state keep frags
Add the following lines after the End allow outgoing rules section.
Modifying a Bastille-Hardened System to Operate with Ignite-UX 91