HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3
Table Of Contents
- HP-UX IPFilter Version A.03.05.13 Administrator's Guide
- Legal Notices
- Table of Contents
- Preface: About This Document
- 1 Installing and Configuring HP-UX IPFilter
- Overview of HP-UX IPFilter Installation
- Step 1: Checking HP-UX IPFilter Installation Prerequisites
- Step 2: Loading HP-UX IPFilter Software
- Step 3: Determining the Rules for IPFilter
- Step 4: Adding Rules to the Rules Files
- Step 5: Loading IPFilter and NAT Rules
- Step 6: Verifying the Installation and Configuration
- Kernel Tunable Parameters
- Supported and Unsupported Interfaces
- Troubleshooting HP-UX IPFilter
- 2 HP-UX IPFilter on HP-UX 11i Version 3
- 3 Rules and Keywords
- IPFilter Configuration Files
- Basic Rules Processing
- IPFilter Keywords
- pass and block: Controlling IP Traffic
- in and out: Bidirectional Filtering
- quick: Optimizing IPFilter Rules Processing
- on: Filtering by Network Interfaces
- from and to: Filtering by IP Addresses and Subnets
- log: Tracking Packets on a System
- proto: Controlling Specific Protocols
- opt and ipopts: Filtering on IP Options
- icmp-type: Filtering ICMP Traffic by Type
- port: Filtering on TCP and UDP Ports
- keep state: Protecting TCP, UDP, and ICMP Sessions
- flags: Tight Filtering Based on TCP Header Flags
- keep frags: Letting Fragmented Packets Pass
- with frags: Dropping Fragmented Packets
- with short: Dropping Short Fragments
- return-rst: Responding to Blocked TCP Packets
- return-icmp: Responding to Blocked ICMP Packets
- dup-to: Drop-Safe Logging
- NAT Keywords
- 4 Dynamic Connection Allocation
- 5 Firewall Building Concepts
- Blocking Services by Port Number
- Using Keep State
- Using Keep State with UDP
- Using Keep State with ICMP
- Logging Techniques
- Improving Performance with Rule Groups
- Localhost Filtering
- Using the to
- Creating a Complete Filter by Interface
- Combining IP Address and Network Interface Filtering
- Using Bidirectional Filtering Capabilities
- Using port and proto to Create a Secure Filter
- 6 HP-UX IPFilter Utilities
- 7 HP-UX IPFilter and FTP
- 8 HP-UX IPFilter and RPC
- 9 HP-UX IPFilter and IPSec
- 10 HP-UX IPFilter and Serviceguard
- A HP-UX IPFilter Configuration Examples
- B HP-UX IPFilter Static Linking
- C Performance Guidelines
- Index

Chapter 5: Firewall Building Concepts
Using Keep State with ICMP
The majority of ICMP messages are status messages generated by a failure in UDP or TCP. For any ICMP error status message that matches an active state table entry that might have generated that message, IPFilter passes the ICMP packet. For example:

    pass out on lan0 proto udp from any to any port 33434><33690 keep state

Even though an error status message (such as icmp-type 3 code 3 port unreachable or icmp-type 11 time exceeded) for the UDP session is an ICMP packet, the keep state rule passes the error message.
The two types of ICMP messages are requests and replies. You can configure a rule to pass outbound echo requests such as ping. IPFilter then passes in the icmp-type 0 (echo reply) packet that returns. For example:

    pass out on lan0 proto icmp from any to any icmp-type 8 keep state

This state entry uses the default timeout for an incomplete (0/0) state, which is 60 seconds.
NOTE: If you configure rules to keep state on any outbound ICMP messages that might receive a reply ICMP message, you must use both the proto icmp and the keep state keywords.
To provide protection against a third party sneaking ICMP messages through your firewall when an active connection is known to be in your state table, the incoming ICMP packet is checked not only for matching source and destination addresses (and ports, when applicable) but also against a small part of the payload of the packet that the ICMP message claims to have been generated by.
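The payload comparison described above, as an added Python example that is not part of the HP-UX guide or of IPFilter's own code: it parses the IP and transport headers that an ICMP error message quotes and accepts the error only if that quoted datagram matches an active state entry. The state table contents, addresses and the packet builder are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed state table for the example: one entry of the kind that
# "pass out on lan0 proto udp ... keep state" would record for an outbound
# UDP traceroute probe, as (proto, src, sport, dst, dport).
STATE_TABLE = {
    ("udp", "10.0.0.5", 40000, "203.0.113.9", 33435),
}

def parse_icmp_error(packet: bytes):
    """Return (proto, src, sport, dst, dport) of the datagram quoted in an
    ICMPv4 error (type 3 or 11), or None if it is not a well-formed error."""
    if len(packet) < 8:
        return None
    if packet[0] not in (3, 11):          # destination unreachable / time exceeded
        return None
    inner = packet[8:]                    # quoted IP header + start of its payload
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:  # RFC 792: header plus 8 payload bytes
        return None
    proto = inner[9]
    if proto not in (6, 17):              # only TCP and UDP carry ports to match
        return None
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return ("udp" if proto == 17 else "tcp", src, sport, dst, dport)

def icmp_error_matches_state(packet: bytes, state=STATE_TABLE) -> bool:
    """Pass the ICMP error only if the quoted datagram is one this host sent
    and still holds in the state table; anything else is unsolicited."""
    quoted = parse_icmp_error(packet)
    return quoted is not None and quoted in state

def build_icmp_error(icmp_type, code, src, sport, dst, dport, proto=17):
    """Construct a test ICMP error quoting an IPv4 + UDP/TCP header (checksums zeroed)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    inner_l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0) + inner_ip + inner_l4
```

An ICMP error whose quoted port, address or protocol differs from the recorded session, or that is truncated before the 8 quoted payload bytes, is rejected even when its outer addresses look right.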