UNIX System Administration Handbook - Evi Nemeth [193]
DHCP can also be configured with SAM. Compatibility issues may arise when HP-UX clients are mixed with non-HP-UX servers, or vice versa.
Dynamic reconfiguration and tuning for HP-UX
As in Solaris, you can use the ndd command to tune many different networking parameters (over 100 at last count). When used interactively, ndd tunes values on the fly. To change values permanently, enter them in the file /etc/rc.config.d/nddconf, which is read at boot time.
ndd’s -h (help) option is quite useful. With no arguments, it lists all the parameters you can tune. If you also specify a variable name, ndd -h describes what the variable does and shows its minimum, maximum, and default values. For example:
% ndd -h | grep source
ip_forward_src_routed - Controls forwarding of source routed packets
% ndd -h ip_forward_src_routed
ip_forward_src_routed:
Set to 1 to forward source-routed packets; set to 0 to
disable forwarding. If disabled, an ICMP Destination
Unreachable message is sent to the sender of source-
routed packets needing to be forwarded. [0,1] Default: 1
ndd’s output shows that this version of HP-UX (11.00) forwards source-routed packets by default. (Let’s hope that if a default such as this one is ever changed, the documentation in the ndd help database is updated to match.) To view and change the value of the ip_forward_src_routed variable, use ndd’s -get and -set options.
% ndd -get /dev/ip ip_forward_src_routed
1
% sudo ndd -set /dev/ip ip_forward_src_routed 0
% ndd -get /dev/ip ip_forward_src_routed
0
To turn off source routing permanently, you could add the following lines to the nddconf file:
# turn off forwarding source routed packets
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_forward_src_routed
NDD_VALUE[0]=0
For the next variable that you wanted to change, you would add another copy of the same three lines with appropriate values and with subscript 1 instead of 0. Unfortunately, only 10 parameters can be set through nddconf.
Security, firewalls, filtering, and NAT for HP-UX
Table 13.19 shows HP-UX’s default behavior with regard to various touchy network issues. For a brief description of the implications of these behaviors, see page 295. You can modify most of them with ndd.
Table 13.19 Security-related network behaviors in HP-UX
a. On with >1 network interface, off otherwise.
HP-UX does not include any firewalling or IP filtering software, except for network connections established with PPP. See the next section for specifics. NAT is not supported either. Darren Reed is porting his free IPFilter package to HP-UX; it should be ready by the end of 2000.
HP-UX’s version of inetd has built-in TCP wrapper functionality that you configure in the file /var/adm/inetd.sec. See page 666 for details.
We recommend that you use a dedicated piece of hardware such as a Cisco PIX box as your packet filtering firewall; UNIX hosts are too insecure to be used in this role. If you wonder in exactly what ways HP has shipped you an insecure system, check
http://people.hp.se/stevesk/bastion11.html
to see all the steps necessary to turn an HP-UX 11.00 host into a bastion host on an unprotected network. This document is an excellent description of all the creature comforts in HP-UX that must be turned off if the machine is to be secure on the open Internet. We wish we knew of a web site like this for our other example vendors.
PPP configuration for HP-UX
HP ships Morning Star’s PPP software, which makes use of tun, the HP-UX IP tunnel driver. HP-UX’s PPP configuration is very similar to that of Solaris. Both systems use HoneyDanBer UUCP configuration as a model, with Sun just jamming it in and HP moving the files and describing them appropriately in their man pages.
Table 13.20 shows the HP-UX files. See the section on