configured. HP-UX Bastille cannot detect whether the rule-set is appropriate for your needs. HP-UX Bastille can create a very basic firewall configuration.

WARNING! Firewalls are designed to keep people out of your machine. Therefore, the features in this section have the ability to keep you out too.

Blocked communication can include traffic from management applications like Serviceguard, System Insight Manager, OpenView, System Management Homepage, and others. To use communication from any application that is not explicitly allowed in one of the follow-up questions, please see that application's Firewall- or Bastille-interaction documentation for which ports to accept with the ipf.customrules file described below. The HP-UX Networking Ports Reference Guide is also helpful. The most problematic communications are externally-initiated, UDP, or RPC-based. Be careful when answering these questions. Verify that you can still log in to your machine remotely (and have physical access just in case) before logging out.

WARNING! IPFilter is only able to block traffic which is processed by the kernel. Network cards exist which take the processing of this traffic out of the kernel for performance reasons. This is referred to as TOE or TCP offload engine. If you are using such a card (can be used for iSCSI and 10Gb Ethernet), configuring an IPFilter-based firewall will have no effect for traffic processed by that card. Also, local traffic is not processed.

WARNING! This overwrites any existing firewall rules. If you already have sufficiently secure firewall rules in place, then say no to this question.

Answering yes to this question creates and applies firewall rules that:

Block incoming traffic with IP options set. These options are used frequently by attackers and infrequently for any other purpose.

Apply a custom rule-set from /etc/opt/sec_mgmt/bastille/ipf.customrules. This file as delivered with HP-UX Bastille allows all outgoing connections and keeps track of them so that traffic which corresponds to those connections is allowed back in. This custom rule-set also contains rules to not log netbios nameserver, netbios datagram, and RPC portmap network traffic, all of which can fill up your logs rather quickly on a large network.

This basic configuration allows most local applications to operate properly without allowing attackers in through ports you don't use. You can add custom rules which better fit the specific needs of your environment. If you modify the custom file, rerun the HP-UX Bastille back-end (bastille -b) to apply the new rule-set.
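The following is an added, constructed IPFilter rule-set that illustrates the shape of rules the section describes (drop packets carrying IP options, allow and track outgoing connections, and silence the log for netbios and portmap noise). It is not the ipf.customrules file shipped with HP-UX Bastille; the port numbers and ordering are assumptions for illustration, and the rule-set is deliberately restrictive, so adapt it to your own management traffic before use.

```ipfilter
# Constructed example of an IPFilter rule-set in the spirit of the
# Bastille-generated configuration. NOT the file delivered with HP-UX Bastille.

# 1. Drop (and log) any inbound packet that carries IP options.
block in log quick all with ipopts

# 2. Allow all outgoing connections and remember them, so that the
#    replies for those connections are allowed back in ("keep state").
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state

# 3. Silently drop chatty broadcast/lookup traffic so it does not fill the
#    log: netbios-ns (137/udp), netbios-dgm (138/udp), RPC portmap (111).
block in quick proto udp from any to any port = 137
block in quick proto udp from any to any port = 138
block in quick proto udp from any to any port = 111
block in quick proto tcp from any to any port = 111

# 4. Everything else that was not started from this host is blocked and
#    logged. Add "pass in quick" rules above this line for any service you
#    need to accept (for example, the ports your management tools use).
block in log all
```

After editing a file like this, check the active rule-set rather than trusting the file: `ipfstat -io` prints the inbound and outbound rules currently loaded in the kernel, and `ipf -n -f <file>` parses a rule file without changing the running configuration, which catches syntax errors before you rerun the back-end with `bastille -b`. Make sure a rule in group 4 still admits the session you are administering from (for example, your remote login port) before you disconnect.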

IMPORTANT: Changing this file has the ability to either increase or decrease the security of your system. After applying this custom configuration, be sure to verify the active rule-set and the ipf.conf file to make sure the result is what you intended.

WARNING! If IPFilter is not enabled on your system, HP-UX Bastille enables it. This can bring down the network stack for about 10-15 seconds. All connections should be restored at that point, but all connections will suspend and some may be lost (including HP-UX Bastille's UI).

If your HP-UX Bastille connection is lost, check the results by running bastille -l to see if HP-UX Bastille correctly applied your configuration, or check the action log for more detail. You can also save the HP-UX Bastille configuration file and run bastille -b on a console to see HP-UX Bastille's full output in real time.
