HP-UX 11i Version 3 Release Notes: HP 9000 and HP Integrity Servers > Chapter 8 Security

HP-UX IPFilter


The security product, HP-UX IPFilter version A.03.05.13, provides system firewall capabilities by filtering IP packets to control traffic in and out of a system.

Summary of Change

What’s New for Customers Migrating from HP-UX 11i v1 September 2005?

HP-UX IPFilter version A.03.05.13 is functionally equivalent to HP-UX IPFilter version A.03.05.12 for HP-UX 11i v1 and HP-UX 11i v2, except for the changes mentioned in the following sections.

HP-UX IPFilter version A.03.05.13 contains defect fixes and minor enhancements. It also includes the following new features and major enhancements:

  • Filtering on X.25 interfaces

  • Filtering on 10GigE interfaces

  • IPFilter is not plumbed into the networking stack by default

  • No reboot required to enable IPFilter

For more information on defect fixes, see the HP-UX IPFilter A.03.05.13 Release Notes, available at http://docs.hp.com/en/internet.html#HP-UX%20IPFilter.

  • HP-UX IPFilter is not Plumbed into the Networking Stack by Default

    By default, HP-UX IPFilter is installed but not configured: it is not plumbed into the networking stack. The user must enable HP-UX IPFilter, after which the relevant module is plumbed into the networking stack. For more details, see the HP-UX IPFilter A.03.05.13 Administrator’s Guide, available at http://docs.hp.com/en/internet.html#HP-UX%20IPFilter.

  • No Reboot Required to Enable HP-UX IPFilter

    Once installed, the default state of HP-UX IPFilter is disabled. No reboot is required to enable HP-UX IPFilter. However, enabling IPFilter will involve a short network outage. For more information, see the HP-UX IPFilter A.03.05.13 Administrator’s Guide.

What’s New for Customers Migrating from HP-UX 11i v2 June 2006?

HP-UX IPFilter version A.03.05.13 is functionally equivalent to HP-UX IPFilter version A.03.05.12 for HP-UX 11i v1 and HP-UX 11i v2, except for the changes mentioned previously. See “What’s New for Customers Migrating from HP-UX 11i v1 September 2005?”

Impact

HP-UX IPFilter is not enabled by default and, therefore, is not providing filtering security. However, if Bastille/ITS is used, with the Sec20MngDMZ or Sec30DMZ install time security levels, then HP-UX IPFilter will be automatically enabled.

Enabling HP-UX IPFilter does not require a reboot but does involve a brief network outage. HP Serviceguard customers, or anyone running timing-sensitive applications, should schedule an appropriate time to enable HP-UX IPFilter.

For more information on enabling HP-UX IPFilter, see the HP-UX IPFilter version A.03.05.13 Administrator's Guide, available at http://docs.hp.com/en/internet.html#HP-UX%20IPFilter.

Compatibility

There are no known compatibility issues.

Performance

There are no known performance issues.

Documentation

For further information, see the following manpages:

  • ipf(4): packet filtering kernel interface

  • ipf(5): IP packet filter rule syntax

  • ipf(8): alters packet filtering kernel’s internal lists

  • ipl(4): data structure for IP packet log device

  • ipmon(8): monitors /dev/ipl for logged packets

  • ipfstat(8): reports on packet filter statistics and filter list

  • ipftest(1): test packet filter rules with arbitrary input

In addition, see the following documents, available at http://docs.hp.com/en/internet.html#HP-UX%20IPFilter:

  • HP-UX IPFilter version A.03.05.13 Administrator’s Guide

  • HP-UX IPFilter A.03.05.13 Release Notes

Obsolescence

Tunable parameters ipl_buffer_sz, ipl_suppress, and ipl_logall are now tuned using the kctune command and not ndd. The ndd variable, cur_iplbuf_sz, was used to check the size of the log buffer and buffer space currently used. This variable is no longer available. These values can now be obtained using ipfstat -B. See the IPFilter Administrator's Guide for more details.

© 2006-2007 Hewlett-Packard Development Company, L.P.