HP-UX IPFilter

Overview

HP-UX IPFilter (B9901AA) is a stateful system firewall that filters IP packets to control packet flow in or out of a system. The firewall functions as a security defense by reducing exposure points on a system.

HP-UX IPFilter is based on IPFilter v3.5 Alpha 5 from the open source community. HP-UX IPFilter consists of kernel components and user-space utilities. HP-UX IPFilter kernel components are installed as Dynamically Loadable Kernel Modules (DLKMs) by default. HP-UX IPFilter V18.21 also supports various features in open source IPFilter 4.1.24.

Key Benefits

HP-UX IPFilter:

  • Protects an individual host on an intranet against internal attacks
  • Protects an individual host on an intranet against external attacks that have breached perimeter defenses
  • Provides an alternative to the restricted configuration of Internet Services
  • Protects a bastion host on the perimeter of a protected network or in a Demilitarized Zone (DMZ)

Major Features

You can use HP-UX IPFilter to:

  • Explicitly permit or deny a packet from passing through a system based on the following characteristics:
    • IP address or a range of IP addresses
    • IP protocol (ICMP/ICMPv6/TCP/UDP)
    • IP fragments
    • IP options
    • IP security classes
    • TCP port number or port range
    • UDP port number or port range
    • ICMP and ICMPv6 message type and code
    • TCP flags
    • Network interface card
  • Control the flow rate of incoming TCP connections through Dynamic Connection Allocation (DCA; see below).
  • Use Network Address Translation (NAT), which enables an intermediate HP-UX system to map or translate IP addresses and TCP or UDP ports.
  • Generate and transmit the appropriate ICMP error message or TCP RESET packet for blocked UDP or TCP packets.
  • Keep state information for TCP connections. This enables you to select all packets in a TCP connection according to characteristics of the initial connection packet and apply the same rule to all packets in the connection. IPFilter also keeps state information for UDP and ICMP exchanges.
  • Keep fragment state information for IP packets. This enables you to apply the same rule to all fragments.
  • Drop all fragmented traffic if specified by rule.
  • Log events and packet data as appropriate.
  • Support IPv6.
  • Support IPv4 address pools.

Dynamic Connection Allocation (DCA)

The HP-UX implementation of IPFilter provides the Dynamic Connection Allocation (DCA) feature. DCA protects against and mitigates DoS attacks in which an attacker floods a system with TCP connection requests. You can use DCA to limit the number of inbound connections based on source IP address, IP subnet, IP address range, or a wildcard IP address. Connections are allocated by configuring DCA rules, each of which specifies a limit on the number of concurrent inbound TCP connections permitted from a given source. For details on DCA rules and commands, see the HP-UX IPFilter V18.0 Administrator Guide for 11i v3.

What's New

HP-UX IPFilter V18.21 provides defect fixes and performance enhancements for 11i v3. For details, see the release notes.

Support for LARGE NAT feature in IPFilter

  1. Enabling LARGE NAT allows fine tuning of the IPFilter NAT hash table sizes. Tuning the hash table sizes may reduce the number of hash collisions, which results in faster searches in the hash tables.
  2. Fine-grained locking (compared with the previous release) is incorporated during NAT operation.
  3. A performance increase can be seen as a result of (1) and (2) under suitable conditions.

This release also includes the following features for 11i v3, originally released in version 17 and version 18:

  • Rate-based filtering
  • Address pooling
  • State aging
  • Rule tags
  • Sticky NAT sessions
  • Health connection check with l4check
  • IPFilter log event analysis

HP-UX IPFilter version 17.05 for HP-UX 11i v2 contains only bug fixes. For details, see the release notes.

Additional Documentation

For online access to product documentation, see the following documents:

Always refer to the release notes for the latest product information.

Additional product information
Product #: B9901AA
Version: 18.21
Software specification: HP-UX IPFilter A.11.31.18.21 for HP-UX 11i v3 (IPFilter_A.11.31.18.21_HP-UX_B.11.31_IA_PA.depot)
HP-UX IPFilter A.11.31.18.10 for HP-UX 11i v3 (IPFilter_A.11.31.18.10_HP-UX_B.11.31_IA_PA.depot)
HP-UX IPFilter A.11.31.18.0 for HP-UX 11i v3 (IPFilter_A.11.31.18.00_HP-UX_B.11.31_IA_PA.depot)
HP-UX IPFilter A.11.31.17.05 for HP-UX 11i v3 (IPFilter_A.11.31.17.05_HP-UX_B.11.31_IA_PA.depot)
HP-UX IPFilter A.11.23.17.05 for HP-UX 11i v2 (B9901AA_A.11.23.17.05_HP-UX_B.11.23_IA_PA.depot)
HP-UX IPFilter A.11.11.15.01 for HP-UX 11i v1 (B9901AA_A.11.11.15.01_HP-UX_B.11.11_32_64.depot)