Administrator's Guide

communications, the subject and target compartments should be of the processes that
are communicating and not that of the interface being used for communication. Each
rule is specified by protocol (TCP, UDP, or any raw protocol number) and the target
compartment, and can optionally filter based on local or peer port numbers (TCP and
UDP only). If an explicit rule does not match a communication attempt, the default is to
deny communication.
If the HP-UX ContainmentPlus product is installed on the system, the default rule for access
between two processes through loopback communications (excluding those through
loopback interfaces) is also configurable through the cmpt_allow_local tunable. See
ifconfig(1M) for more information about loopback interfaces.
See cmpt_allow_local(5) for more information once the HP-UX ContainmentPlus
product is installed.
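As an added example (not code from the guide or from HP-UX itself), the rule structure described above, a protocol, a target compartment, optional local and peer port filters for TCP and UDP, and deny when no rule matches, can be checked with a small parser for the network-rule syntax and a function that applies a rule list to a communication attempt. It assumes that rules are tested in order and the first match decides, which the guide does not state; the compartment names and ports used in the test are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rule grammar from the guide: (grant|deny|grant-local|deny-local) (server|client|bidir)
#   (tcp|udp|raw [protonum]) [port port_num] [peer [port port_num]] compartment_name
RULE_RE = re.compile(
    r"^(grant|deny|grant-local|deny-local)\s+(server|client|bidir)\s+"
    r"(tcp|udp|raw(?:\s+\d+)?)(?:\s+port\s+(\d+))?"
    r"(?:\s+peer(?:\s+port\s+(\d+))?)?\s+(\S+)$")

@dataclass
class NetRule:
    access: str                # grant, deny, grant-local or deny-local
    direction: str             # server, client or bidir
    proto: str                 # tcp, udp or raw
    protonum: Optional[int]    # raw protocol number, when given
    port: Optional[int]        # local port filter (tcp/udp only)
    peer_port: Optional[int]   # peer port filter (tcp/udp only)
    compartment: str           # target compartment named by the rule

def parse_rule(line: str) -> NetRule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed network rule: {line!r}")
    access, direction, proto, port, peer_port, comp = m.groups()
    protonum = None
    if proto.startswith("raw"):
        fields = proto.split()
        protonum = int(fields[1]) if len(fields) == 2 else None
        proto = "raw"
        if port or peer_port:  # the guide: port filters are TCP and UDP only
            raise ValueError("port filters are valid only for tcp and udp")
    return NetRule(access, direction, proto, protonum, int(port) if port else None,
                   int(peer_port) if peer_port else None, comp)

def check_access(rules, proto, inbound, compartment, port=0, peer_port=0,
                 protonum=None):
    """True if the attempt is granted. Assumption (the guide does not say): rules
    are tested in order and the first match decides. No match -> deny (the default)."""
    for r in rules:
        if (r.compartment != compartment or r.proto != proto
                or (r.direction == "server" and not inbound)
                or (r.direction == "client" and inbound)
                or (r.protonum is not None and r.protonum != protonum)
                or (r.port is not None and r.port != port)
                or (r.peer_port is not None and r.peer_port != peer_port)):
            continue  # this rule does not describe the attempt
        return r.access.startswith("grant")
    return False
```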
The syntax for a network rule is as follows:
(grant|deny) (server|client|bidir) (tcp|udp|raw [protonum])
[port port_num] [peer [port port_num]] compartment_name
If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the
system, the network rules using the following formats are also supported:
(grant-local|deny-local) (server|client|bidir) (tcp|udp|raw [protonum])
[port port_num] [peer [port port_num]] compartment_name
where:

Access     Grants or denies the compartment access to the network traffic in the
           specified compartment. The options are:

           grant: Allows access to the network (both access between a process and
           a network interface, as well as between two processes using loopback
           communications) described by this rule.

           deny: Denies access to the network (both access between a process and a
           network interface, as well as between two processes using loopback
           communications) described by this rule.

           grant-local: Allows access described by this rule between two processes
           using loopback communications. The grant-local keyword is valid only if
           the HP-UX ContainmentPlus product is installed on the system.

           deny-local: Denies access described by this rule between two processes
           using loopback communications. The deny-local keyword is valid only if
           the HP-UX ContainmentPlus product is installed on the system.

Direction  Specifies which direction the rule applies to. The options are:

           server: This rule applies to inbound requests only. For TCP, only
           incoming connections are controlled by this