A Brief Guide to Configuring the HP-UX Host Firewall (IPF)
Customers often ask for HP-UX systems to be hardened, and ipfilter is a good choice for that. IPFilter is already installed on practically every HP-UX system but is disabled by default. Below is a short introduction to its basic use.

1. Check whether the software is installed (it is installed by default).

    # swlist | grep -i ipf
    IPFilter A.11.31.16 HP IPFilter 3.5alpha5

2. Check the IPF status and how to enable and disable it. It is disabled by default.

    # ipf -V
    ipf: IPFilter is currently disabled

    # ipfilter -e        # enable ipf; note that enabling it interrupts the network for about 2 seconds before it recovers
    Set 0 now inactive
    Set 0 now inactive
    0 entries flushed from NAT table
    0 entries flushed from NAT list
    IPFilter Enabled

    # ipf -V             # now enabled
    ipf: HP IP Filter: v3.5alpha5 (A.11.31.16) (376)
    Kernel: HP IP Filter: v3.5alpha5 (A.11.31.16)
    Running: yes
    Log Flags: 0 = none set
    Default: pass all, Logging: available
    Active list: 1

    # kcmodule -v -q pfil    # check whether the module is loaded
    Module              pfil (0.1)
    Description         pfil : streams module for IPFilter
    Timestamp           Tue Dec 2 13:23:01 2008 [4934C635]
    State               loaded (via autoload)
    State at Next Boot  auto (as requested)
    Capable             auto static loaded unused
    Depends On          interface HPUX_11_31_PERF:1.0

    # kcmodule -v -q ipf
    Module              ipf (0.1)
    Description         ipf : wsio pseudo driver for IPFilter
    Timestamp           Tue Dec 2 13:23:20 2008 [4934C648]
    State               loaded (as requested)
    State at Next Boot  loaded (as requested)
    Capable             auto static loaded unused
    Depends On          module pfil:0.1.0 interface HPUX_11_31_PERF:1.0

    # ipfilter -d        # disable IPF; this likewise causes a brief network interruption
    IPFilter Disabled

3. Write the firewall rule file /etc/opt/ipf/ipf.conf. Assume the host has a single IP address, 192.168.0.6.

    block in from any to 192.168.0.6/32 port = 22    # block ssh logins to this host
    block in from any to 192.168.0.6/32 port = 23    # block telnet logins to this host
    pass in from 192.168.0.5/32 to any               # allow 192.168.0.5 to reach every service on this host
    ......

Rules can be written flexibly according to requirements. The evaluation order is top to bottom: when a packet matches both the first rule and the last rule, by default the last matching rule wins. If the quick keyword is added, as in "block in quick ...", then as soon as a packet matches any such rule that rule is applied immediately and no further rules are evaluated.

4. Load the rules into memory, make them effective, and confirm.

    # ipf -Fa                        # flush the active rules; the configuration file is not deleted
    # ipf -f /etc/opt/ipf/ipf.conf   # load the rule file so it takes effect
    # ipfstat -io
    empty list for ipfilter(out)
    block in from any to 192.168.0.6/32 port = 22
    block in from any to 192.168.0.6/32 port = 23
    pass in from 192.168.0.5/32 to any

5. Check whether any packets have been blocked.

    # ipfstat
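The last-match-wins rule described in step 3 is what makes the trusted host 192.168.0.5 reach ssh despite the preceding block rule, and adding quick to the block rules reverses that outcome. The following Python simulation of that evaluation order over the page's three rules is an added example, not IPF's code or the original post's; it handles only the small rule syntax shown above.

```python
import ipaddress

# Constructed copy of the three rules from the page's /etc/opt/ipf/ipf.conf
# (192.168.0.6 is the host's only address, 192.168.0.5 the trusted client).
RULES = """
block in from any to 192.168.0.6/32 port = 22   # block ssh
block in from any to 192.168.0.6/32 port = 23   # block telnet
pass in from 192.168.0.5/32 to any              # trusted host reaches everything
"""

def parse_rules(text):
    """Parse the subset used on the page: <action> in [quick] from <src> to <dst> [port = N]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        action = tok[0]                          # "block" or "pass"
        quick = "quick" in tok
        src = tok[tok.index("from") + 1]
        dst = tok[tok.index("to") + 1]
        port = int(tok[tok.index("=") + 1]) if "port" in tok else None
        rules.append((action, quick, src, dst, port))
    return rules

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, src, dst, dport, default="pass"):
    """Verdict for one inbound packet, using the order the page describes:
    scan top to bottom, the LAST matching rule decides, unless a matching rule
    carries 'quick', which stops evaluation there. No match: the default policy
    ('pass all' in the ipf -V output above) applies."""
    verdict = default
    for action, quick, rsrc, rdst, rport in rules:
        if addr_matches(rsrc, src) and addr_matches(rdst, dst) and (rport is None or rport == dport):
            verdict = action
            if quick:
                break
    return verdict

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print(evaluate(rules, "192.168.0.9", "192.168.0.6", 22))   # block: only rule 1 matches
    print(evaluate(rules, "192.168.0.5", "192.168.0.6", 22))   # pass: later pass rule wins
    quick_rules = parse_rules(RULES.replace("block in", "block in quick"))
    print(evaluate(quick_rules, "192.168.0.5", "192.168.0.6", 22))   # block: quick stops at rule 1
```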