HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

Variable Name: ipf_for_ipsec.
Valid Input: yes or no.
Default: no.
6.1.7.2 Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the
/etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds IPFilter
rules to the /etc/opt/ipf/ipf6.conf file.
SRP adds the following IPFilter rules for the compartment, where cmpt_address is the compartment
IP address:
Rules that allow all TCP, UDP, and ICMP outbound packets from the compartment address.
These rules specify the keep state keywords to allow inbound replies for these packets:
    pass out quick proto tcp from cmpt_address to any keep state
    pass out quick proto udp from cmpt_address to any keep state
    pass out quick proto icmp from cmpt_address to any keep state
If the compartment address is an IPv6 address, the last rule is:
    pass out quick proto icmpv6 from cmpt_address to any keep state
A rule that allows inbound ICMP packets from any address to the compartment IP address:
    pass in quick proto icmp from any to cmpt_address
If the compartment address is an IPv6 address, the rule is:
    pass in quick proto icmpv6 from any to cmpt_address
A rule that blocks all inbound packets to the compartment IP address:
    block in quick from any to cmpt_address
Rule Order and Selection
By default, IPFilter selects a rule for a packet by reading the rules in a configuration file from top to
bottom and applying the last rule that matches the packet. The quick keyword changes this behavior:
IPFilter applies a quick rule immediately when the packet matches it, without evaluating the
remaining rules for that packet. When the quick keyword is used, rules are therefore generally
ordered from most specific to least specific.
SRP specifies the quick keyword in the IPFilter rules it configures. SRP inserts these rules at the top of
the IPFilter configuration file in the order shown.
6.1.7.3 IPFilter Rules for IPSec
If you specify that you want to add IPFilter rules for IPsec, SRP also adds IPFilter rules that allow IPsec
Encapsulating Security Payload (ESP; protocol 50) and Authentication Header (AH; protocol 51)
packets and IPsec control packets (Internet Key Exchange, or IKE; UDP port 500) to pass. These rules
are inserted above the more general IPFilter rules for the compartment. For more information, see
Using IPSec with IPFilter.
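The compartment rule set and the quick/last-match selection behavior described in 6.1.7.2, together with the IPsec rules of 6.1.7.3, as an added example that is not part of the guide or of the SRP product: a Python model that builds the rules for a compartment address (choosing ipf.conf or ipf6.conf and icmp or icmpv6, and placing the IPsec rules above the general rules when ipf_for_ipsec is set) and evaluates sample packets against them, so that the effect of the quick keyword and of rule order can be checked. The ESP, AH, and IKE rule text is an assumption, because the guide states only what those rules allow.

```python
import ipaddress

# Constructed model of the rules SRP adds for one compartment address. The five
# general rules are the guide's; the ESP/AH/IKE rule text is an assumption.
def srp_rules(cmpt_address, ipf_for_ipsec=False):
    """Return (IPFilter config file, ordered rules) for cmpt_address."""
    v6 = ipaddress.ip_address(cmpt_address).version == 6
    conf = "/etc/opt/ipf/ipf6.conf" if v6 else "/etc/opt/ipf/ipf.conf"
    icmp = "icmpv6" if v6 else "icmp"
    rules = []
    if ipf_for_ipsec:
        # Assumed wording: the guide says only that ESP (50), AH (51) and IKE
        # (UDP 500) are allowed, inserted above the general compartment rules.
        rules += [f"pass in quick proto esp from any to {cmpt_address}",
                  f"pass in quick proto ah from any to {cmpt_address}",
                  f"pass in quick proto udp from any to {cmpt_address} port = 500"]
    rules += [f"pass out quick proto tcp from {cmpt_address} to any keep state",
              f"pass out quick proto udp from {cmpt_address} to any keep state",
              f"pass out quick proto {icmp} from {cmpt_address} to any keep state",
              f"pass in quick proto {icmp} from any to {cmpt_address}",
              f"block in quick from any to {cmpt_address}"]
    return conf, rules

def _matches(rule, pkt):
    """Match one rule against a packet dict with dir, proto, src, dst (, dport)."""
    w = rule.split()
    if w[1] != pkt["dir"]:
        return False
    if "proto" in w and w[w.index("proto") + 1] != pkt["proto"]:
        return False
    src, dst = w[w.index("from") + 1], w[w.index("to") + 1]
    if src != "any" and src != pkt["src"]:
        return False
    if dst != "any" and dst != pkt["dst"]:
        return False
    if "port" in w and int(w[w.index("port") + 2]) != pkt.get("dport"):
        return False
    return True

def select_rule(rules, pkt):
    """Selection as the guide describes it: last match wins, unless a matching
    rule says quick, which applies at once. Returns (verdict, rule) or None."""
    chosen = None
    for r in rules:
        if _matches(r, pkt):
            chosen = r
            if " quick " in r:
                break
    return (chosen.split()[0], chosen) if chosen else None
```

Stripping the quick keyword from the same rules shows why SRP relies on it: without quick, the trailing block rule would be the last match for inbound ICMP and would override the pass rule above it.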