HP UX Bastille User Manual page 49

Version b.3.3

configured. HP-UX Bastille cannot detect whether the rule-set is appropriate
for your needs. HP-UX Bastille can create a very basic firewall configuration.
WARNING!
Firewalls are designed to keep people out of your machine.
Therefore, the features in this section have the ability to keep you out too.
Blocked communication can include traffic from management applications
like Serviceguard, System Insight Manager, OpenView, System Management
Homepage, and others. To allow traffic for any application that is not
explicitly permitted by one of the follow-up questions, consult that
application's firewall or Bastille interaction documentation for the ports to
accept, and add them to the ipf.customrules file described below. The HP-UX
Networking Ports Reference Guide is also helpful. The most problematic
communications are externally-initiated, UDP, or RPC-based: externally-initiated
connections have no outbound state for a stateful rule to match, and UDP and RPC
services often use dynamically assigned ports. Be careful when answering these
questions. Verify that you can still log in to your machine remotely (and have
physical access just in case) before logging out.
WARNING!
IPFilter is only able to block traffic which is processed by the kernel.
Network cards exist which take the processing of this traffic out of the kernel
for performance reasons. This is referred to as TOE, or TCP offload engine. If
you are using such a card (they are used for iSCSI and 10Gb Ethernet),
configuring an IPFilter-based firewall will have no effect on traffic processed
by that card. Traffic that stays local to the host is also not filtered.
WARNING!
This overwrites any existing firewall rules. If you already have
sufficiently secure firewall rules in place, then say no to this question.
Answering yes to this question creates and applies firewall rules that:
- Block incoming traffic with IP options set. These options are used
  frequently by attackers and infrequently for any legitimate purpose.
- Apply the custom rule-set from /etc/opt/sec_mgmt/bastille/ipf.customrules.
  As delivered with HP-UX Bastille, this file allows all outgoing connections
  and keeps state on them, so that return traffic belonging to those
  connections is allowed back in. It also contains rules that stop NetBIOS
  name service, NetBIOS datagram service, and RPC portmap traffic from being
  logged, since all of these can fill up your logs rather quickly on a large
  network.
This basic configuration allows most local applications to operate properly
without allowing attackers in through ports you don't use. You can add custom
rules which better fit the specific needs of your environment. If you modify
the custom file, rerun the HP-UX Bastille back-end (bastille -b) to apply
the new rule-set.
IMPORTANT:
Changing this file has the ability to either increase or decrease
the security of your system. After applying this custom configuration, be sure
to verify the active rule-set and the ipf.conf file to make sure the result is
what you intended.
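The verification step above is easy to skip when the rule file is long. The following portable sh script is an added example, not part of the HP-UX Bastille manual or of Bastille's own code: it audits a rule file in ipf.conf syntax (the same text ipfstat -io prints for the active set) for the properties this section describes, and it flags the lockout case from the first warning. It assumes that the NetBIOS and portmap rules are silent "block in quick" rules placed ahead of a logged catch-all, and that remote administration arrives on TCP port 22 (ADMIN_PORT); both sample rule sets are constructed for the example and are not the file Bastille ships.

```shell
#!/bin/sh
# Added example, not part of HP-UX Bastille: audit an IPFilter rule file for the
# properties the Bastille basic firewall should have. Input is ipf.conf syntax
# (the same text ipfstat -io prints for the active set). Assumptions: the
# noisy NetBIOS/portmap rules are silent 'block in quick' rules placed before a
# logged catch-all, and remote administration arrives on TCP port ADMIN_PORT.

ADMIN_PORT=${ADMIN_PORT:-22}   # assumption: adjust to your login port

# check_ruleset FILE -> exit status 0 when all properties hold, 1 otherwise.
# Prints one line per finding.
check_ruleset() {
    rules=$1
    rc=0
    # ipf ignores comments and blank lines, so drop them before matching.
    body=$(grep -v '^[[:space:]]*#' "$rules" | grep -v '^[[:space:]]*$' || true)

    # 1. Inbound packets carrying IP options must be blocked.
    if ! printf '%s\n' "$body" | grep -q '^block in .*with ipopts'; then
        echo "MISSING: 'block in ... with ipopts' rule"; rc=1
    fi

    # 2. Outbound traffic must be stateful for tcp, udp and icmp, so that
    #    replies are admitted without a 'pass in' rule per service.
    for proto in tcp udp icmp; do
        if ! printf '%s\n' "$body" | grep -q "^pass out .*proto $proto .*keep state"; then
            echo "MISSING: 'pass out ... proto $proto ... keep state' rule"; rc=1
        fi
    done

    # 3. NetBIOS name (137), NetBIOS datagram (138) and portmap (111) traffic
    #    must be blocked by rules that do not carry the 'log' keyword.
    for port in 137 138 111; do
        hits=$(printf '%s\n' "$body" | grep "^block in .*port = $port" || true)
        if [ -z "$hits" ]; then
            echo "MISSING: block rule for port $port"; rc=1
        elif printf '%s\n' "$hits" | grep -q ' log '; then
            echo "NOISY: block rule for port $port logs; remove 'log' to keep it silent"; rc=1
        fi
    done

    # 4. Without a 'pass in' rule for the administrative port, applying this
    #    set locks out remote logins (the first WARNING on this page).
    if ! printf '%s\n' "$body" | grep -q "^pass in .*proto tcp .*port = $ADMIN_PORT"; then
        echo "LOCKOUT RISK: no 'pass in' rule for tcp port $ADMIN_PORT"; rc=1
    fi

    # 5. A final logged catch-all must exist, or unlisted inbound traffic passes.
    if ! printf '%s\n' "$body" | grep -q '^block in log all'; then
        echo "MISSING: final 'block in log all' rule"; rc=1
    fi
    return $rc
}

# Constructed sample rule sets (not the file Bastille ships).
write_good_ruleset() {
    cat > "$1" <<'EOF'
# constructed sample: the shape this page describes
block in log quick all with ipopts
pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
block in quick proto udp from any to any port = 137
block in quick proto udp from any to any port = 138
block in quick proto tcp from any to any port = 111
block in quick proto udp from any to any port = 111
pass in quick proto tcp from any to any port = 22 flags S keep state
block in log all
EOF
}

write_bad_ruleset() {
    cat > "$1" <<'EOF'
# constructed sample: no ipopts rule, port 137 block logs, no admin pass-in
pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
block in log quick proto udp from any to any port = 137
block in quick proto udp from any to any port = 138
block in quick proto tcp from any to any port = 111
block in quick proto udp from any to any port = 111
block in log all
EOF
}

# Demonstration on the two samples. On a real host, point it at the generated
# /etc/opt/ipf/ipf.conf or at a file saved from 'ipfstat -io'.
tmp=${TMPDIR:-/tmp}
write_good_ruleset "$tmp/ipf_good.$$"; write_bad_ruleset "$tmp/ipf_bad.$$"
echo "good sample:"; check_ruleset "$tmp/ipf_good.$$" && echo "  all checks passed"
echo "bad sample:";  check_ruleset "$tmp/ipf_bad.$$"  || echo "  findings above"
rm -f "$tmp/ipf_good.$$" "$tmp/ipf_bad.$$"
```

Run it against the generated ipf.conf or the active set rather than against ipf.customrules alone: the IP-options block is added by Bastille outside the custom file, so the custom file by itself will be reported as missing that rule.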
WARNING!
If IPFilter is not enabled on your system, HP-UX Bastille enables it. This
can bring down the network stack for about 10-15 seconds. Connections should be
restored after that, but all connections will be suspended in the meantime and
some may be lost (including HP-UX Bastille's UI).
If your HP-UX Bastille connection is lost, check the results by running
bastille -l to see whether HP-UX Bastille correctly applied your configuration,
or read the action log for more detail. You can also save the HP-UX Bastille
configuration file and run bastille -b on a console to watch HP-UX Bastille's
full output in real time.