HP-UX IPFilter A.03.05.13 Release Notes
HP-UX 11i v3
January 2007
Documentation Web Site: http://www.docs.hp.com
Manufacturing Part Number: 5991-7706 E0107
United States
© Copyright 2001-2007 Hewlett-Packard Development Company, L.P.
Legal Notices

The information contained herein is subject to change without notice.

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

U.S. Government License

Confidential computer software.
Announcement

HP-UX IPFilter, product number B9901AA, version A.03.05.13, is a TCP/IP packet filter suitable for use as a system firewall to protect application servers. The firewall functions as a security defense by cutting down the number of exposure points on a machine. Although HP-UX IPFilter is a superset of the functionality in the IPFilter 3.
What’s in This Version

What’s New In This Version

HP-UX IPFilter version A.03.05.13 contains the following enhancements:
• Support of HP-UX IPFilter on X.
— IP protocol (IP/TCP/UDP)
— IP fragments
— IP options
— IP security classes
— TCP ports and port ranges
— UDP ports and port ranges
— ICMP message type and code
— Combination of TCP flags
— Interface
• Allows control of incoming TCP connections through Dynamic Connection Allocation (DCA)
• Supports NAT, which lets an intermediate HP-UX system act as a translator of IP addresses and network ports
• Sends back ICMP error/TCP reset for blocked packets
•
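An ipf.conf rule set that exercises the filter criteria listed above (interface, protocol, ports and port ranges, ICMP type, TCP flags, and the ICMP error/TCP reset returned for blocked packets). This is an added example, not text or code from the HP release notes; the interface name lan0, the server address 192.0.2.10, the UDP application port range and the /etc/opt/ipf/ipf.conf path are assumptions.

```shell
#!/bin/sh
# Added example; not from the HP-UX IPFilter release notes. Assumed values:
# lan0 is the outside interface, 192.0.2.10 the application server to protect.

# Emit an ipf.conf rule set. Every "keep state" rule creates entries in the
# state table, whose size is bounded by the fr_statemax kernel tunable.
ipf_rules() {
  ext_if=$1
  srv=$2
  cat <<EOF
# Default deny in both directions on the outside interface; log what is dropped
block in log on $ext_if all
block out log on $ext_if all
# Let the server open its own connections, tracking state for the replies
pass out quick on $ext_if proto tcp/udp from $srv to any keep state
pass out quick on $ext_if proto icmp from $srv to any keep state
# SSH: only a bare SYN (no ACK) may create a new state-table entry
pass in quick on $ext_if proto tcp from any to $srv port = 22 flags S keep state
# Assumed application range: UDP ports strictly between 4999 and 5011
pass in quick on $ext_if proto udp from any to $srv port 4999 >< 5011 keep state
# Answer echo requests only; every other ICMP type falls through to the block
pass in quick on $ext_if proto icmp from any to $srv icmp-type echo keep state
# Blocked ident probes get a TCP reset; other blocked UDP gets port-unreachable
block return-rst in quick on $ext_if proto tcp from any to $srv port = 113
block return-icmp(port-unr) in quick on $ext_if proto udp from any to $srv
EOF
}

# Count the rules with a given action (pass or block), ignoring comment lines.
count_rules() {
  grep -v '^#' | grep -c "^$1 "
}

# On the HP-UX host the rule set would be written out and loaded with
#   ipf_rules lan0 192.0.2.10 > /etc/opt/ipf/ipf.conf   (path assumed)
#   ipf -Fa -f /etc/opt/ipf/ipf.conf
# Here the generated rules are only printed for review.
ipf_rules lan0 192.0.2.10
```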
Known Problems and Workarounds

• The startup script for HP-UX IPFilter automatically disables the ip_forward_directed_broadcasts parameter. This keeps the system from being subjected to broadcast-storm attacks that can bring down a network.
Unsupported Features

The following utilities and commands are part of the open source IPFilter product. They are included with HP-UX IPFilter, but are not supported by HP.
Supported and Unsupported Interfaces

The following table lists the interfaces supported for each version of HP-UX IPFilter.

CAUTION: For all versions of HP-UX IPFilter, the unsupported interfaces do not interact with IPFilter. IPFilter does not block or protect the system from traffic on unsupported interfaces.

NOTE: HP-UX IPFilter A.03.05.13 does not support IPv6. HP-UX IPFilter is not tested with any third party products.
Table 1-1 HP-UX IPFilter Supported Interfaces (Continued)

HP-UX IPFilter Version: A.03.05.14, A.03.05.12, A.03.05.11.01, A.03.05.10, A.03.05.10.02, A.03.05.06.

Supported Interfaces:
• Ethernet (10Base-T)
• Fast Ethernet (100Base-T)
• Gigabit Ethernet (1000Base-T)
• APA
• VLAN
The following interfaces are unsupported (not protected by HP-UX IPFilter) in all HP-UX IPFilter releases:
• ATM
• Hyperfabric
• Frame Relay
• PPP

NOTE: HP-UX IPFilter only provides filtering for IP-based stacks.
Compatibility Information and Installation Requirements

Software Requirements

The system must have the standard HP-UX 11i v3 core products installed. For HP-UX 11i v3, no patches are required.
Enhancements

X.25 Support

HP-UX IPFilter now supports filtering X.25 links when an IP stack is running on them.

Enable and Disable HP-UX IPFilter Without Rebooting

On HP-UX 11i v3, HP-UX IPFilter can be enabled or disabled using the /opt/ipf/bin/ipfilter command. The command does not require a system reboot.
Kernel Tunables

The ndd command and its variables are no longer supported. HP-UX IPFilter now uses the kctune command to query and configure kernel tunables. The available kernel tunables are:

Name of Tunable     Description
fr_tcpidletimeout   The timeout period of states kept on TCP connections that are idle.
fr_statemax         Restricts the number of state entries that can be created.
ipl_buffer_sz       Used to modify the size of the IPFilter logging buffer for /dev/ipl.
Fixes in This Version

The following problems have been fixed in HP-UX IPFilter version A.03.05.13 for HP-UX 11i v3.
• JAGaf92106 (8606432667)—The way to increment pkts & bytes is illegal.
• JAGaf15610 (8606354854)—Cannot delete “head keyword rule” by ipf -r -f command.
• JAGaf92103 (8606432664)—When skip rule is set, the packet is blocked unspecified.
• JAGag25611 (8606470526)—TCP packet dropped when IPFilter rules are in use.
List of Documents Available with Product

The following list contains documentation related to the HP-UX IPFilter product.
• HP-UX IPFilter A.03.05.13 Administrator’s Guide (5991-7705)
• HP-UX IPFilter A.03.05.13 Release Notes (5991-7706)

HP-UX IPFilter documentation is available from the following sources:
• The HP Technical Documentation Web Site at http://docs.hp.com/en/internet.