HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

Fabric OS 6.1.1 administrator guide 127
For every IP Filter policy, the following two rules are always assumed to be appended implicitly to the end
of the policy. This is to ensure TCP and UDP traffics to dynamic port ranges is allowed, that way
management IP traffic initiated from a switch, such as syslog, radius and ftp, is not affected.
A switch with Fabric OS 5.3.0 or later will have a default IP Filter policy for IPv4 and IPv6. The default IP
Filter policy cannot be deleted or changed. When an alternative IP Filter policy is activated, the default IP
Filter policy becomes deactivated. Table 32 lists the rules of the default IP Filter policy.
IP Filter policy enforcement
An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4
management traffic will pass through the active IPv4 filter policy, and IPv6 management traffic will pass
through the active IPv6 filter policy. The IP Filter policy applies to the incoming (ingress) management traffic
only. When a packet arrives, it is compared against each rule, starting from the first rule. If a match is
found for the source address, destination port, and protocol, the corresponding action for this rule is taken,
and the subsequent rules in this policy will be ignored. If there is no match, it is compared to the next rule
in the policy. This process continues until the incoming packet is compared to all rules in the active policy.
If none of the rules in the policy matches the incoming packet, the two implicit rules will be matched to the
incoming packet. If the rules still do not match the packet, the default action, which is to deny, will be
taken.
When the IPv4 or IPv6 address for the management interface of a switch is changed through the
ipAddrSet command or manageability tools, the active IP Filter policies will automatically become
enforced on the management IP interface with the changed IP address.
NOTE: If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the
NAT server configuration, the source address in an IP Filter rule may have to be the NAT server address.
Table 31 Implicit IP Filter rules
Source address Destination port Protocol Action
Any 1024-65535 TCP Permit
Any 1024-65535 UDP Permit
Table 32 Default IP policy rules
Rule number Source address Destination
port
Protocol Action
1Any22TCPPermit
2Any23TCPPermit
3Any897TCPPermit
4 Any 898 TCP Permit
5 A n y 111 T C P P e r m i t
6Any80TCPPermit
7Any443TCPPermit
9Any161UDPPermit
1 0 A n y 111 U D P P e r m i t
11 A n y 12 3 U D P P e r m i t
12 A ny 6 0 0 -1023 U D P Pe r mi t