HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

3.5.1 Option order
If you specify protocol options, you must insert them after the ip_selector:
block|pass in|out [processing_options] [proto protocol] ip_selector [protocol_options]
The ip_selector is the from...to IP address and port number specification or the keyword
all, as defined in Section 3.2 (page 16).
If you specify more than one protocol option, you must specify them in the order listed below:
1. flags
2. with opt and with ipopt
3. with frag and with short
4. icmp-type and code
5. keep state
6. keep frags
In the following example, the user specifies the flags option and the keep state option, and specifies
them in that order:
pass in quick proto tcp from any to 10.1.1.1 flags S keep state
3.5.2 Specifying TCP header flags: flags
Use the flags option to filter traffic by flags (control bits) in the TCP header. To specify the flags
option, you must also specify proto tcp. The syntax for the flags option is as follows:
flags flags[/flags_checked]
where flags are the TCP flags that must be set to match the filter and flags_checked are the
TCP flags checked. The values for flags and flags_checked are sequences of characters,
where each character is the initial character of a TCP flag name:
A (ACK - Acknowledgement)
F (FIN - No more data)
P (PUSH - Push function)
R (RST - Reset the connection)
S (SYN - Synchronize sequence numbers)
U (URG - Urgent)
See RFC 793, Transmission Control Protocol Specification for descriptions of TCP flags.
Flags specified in the flags_checked sequence but not in the flags sequence must be clear
to match the filter. For example, the specification
flags S/SA
matches packets with the SYN flag set and the ACK flag cleared, but does not match packets with
both the SYN flag and the ACK flag set.
If you omit /flags_checked, IPFilter checks all the TCP flags in the packet, so specifying flags
S is equivalent to specifying flags S/AFPRSU, and matches TCP packets that have the SYN flag
set and no other flags set.
To accommodate applications or user protocols that also set the URG or PSH flags when initiating
TCP connections, you can specify flags S/SAFR. Because URG and PSH are not in the flags_checked
sequence, this allows SYN, SYN URG, or SYN PSH packets, but it does not allow SYN ACK, SYN FIN, or
SYN RST packets. Note that flags S/SA leaves FIN, PSH, RST, and URG unchecked, so it also matches
SYN FIN packets. The narrowest specification, flags S (equivalent to flags S/AFPRSU), is the most
secure, and you should use it unless an application actually requires flags S/SAFR or flags S/SA.
The flags keyword is typically used with the keep state feature, as described in Section 3.5.6.2
(page 24).
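The following Python model, added here as an example and not taken from the HP-UX IPFilter guide or the IPFilter source, implements the flags/flags_checked matching rule described above and applies it to the rule lines from Section 3.5.1 (which place flags before keep state, as the option order requires). It evaluates the three specifications discussed, flags S, flags S/SA, and flags S/SAFR, against a constructed set of packets, including a SYN FIN packet, to show which SYN variants each one admits. The bit values for the flags follow the TCP header layout in RFC 793; the rule strings, packet set, and function names are this example's own.

```python
"""Model of IPFilter's TCP `flags set[/checked]` option.

Added example: not from the HP-UX IPFilter guide or the IPFilter source.
It reproduces the documented semantics: a packet matches when every flag
in `set` is on and every flag in `checked` but not in `set` is off; an
omitted `/checked` part means all six flags are checked.
"""
import re

# One bit per TCP control flag, keyed by the single-letter names the
# flags option uses.  Bit values follow the RFC 793 header layout.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "AFPRSU"


def flags_to_mask(letters):
    """Convert a letter sequence such as 'SA' into a bitmask."""
    mask = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        mask |= FLAG_BITS[ch]
    return mask


def parse_flags_option(spec):
    """Parse 'S', 'S/SA' or 'S/AFPRSU' into (set_mask, checked_mask)."""
    set_part, _, checked_part = spec.partition("/")
    if not set_part:
        raise ValueError("flags option needs at least one flag in the set part")
    set_mask = flags_to_mask(set_part)
    # An omitted /flags_checked means every TCP flag is checked.
    checked_mask = flags_to_mask(checked_part or ALL_FLAGS)
    # Sanity check added by this model: a flag required to be set but
    # not checked can never match, so the rule would be dead.
    if set_mask & ~checked_mask:
        raise ValueError("flags in the set part must also appear in the checked part")
    return set_mask, checked_mask


def flags_match(packet_flags, spec):
    """True if a packet carrying `packet_flags` (e.g. 'SA') matches `spec`."""
    set_mask, checked_mask = parse_flags_option(spec)
    return (flags_to_mask(packet_flags) & checked_mask) == set_mask


# Picks the flags option out of an ipf rule line (hypothetical helper).
FLAGS_RE = re.compile(r"\bflags\s+([AFPRSU]+(?:/[AFPRSU]+)?)")


def flags_option_of(rule):
    """Return the flags option text of a rule line, or None if it has none."""
    m = FLAGS_RE.search(rule)
    return m.group(1) if m else None


def rule_matches_tcp_flags(rule, packet_flags):
    """Apply only the flags option of `rule` to a packet's flag letters."""
    spec = flags_option_of(rule)
    if spec is None:
        return True  # no flags option: the rule does not look at TCP flags
    return flags_match(packet_flags, spec)


# Constructed sample packets, named by the flags they carry.
SAMPLE_PACKETS = [
    ("SYN", "S"), ("SYN ACK", "SA"), ("SYN FIN", "SF"), ("SYN URG", "SU"),
    ("SYN PSH", "SP"), ("SYN PSH URG", "SPU"), ("RST", "R"),
]

# Rule lines in the syntax of Section 3.5.1 (flags precedes keep state).
RULES = [
    "pass in quick proto tcp from any to 10.1.1.1 flags S keep state",
    "pass in quick proto tcp from any to 10.1.1.1 flags S/SA keep state",
    "pass in quick proto tcp from any to 10.1.1.1 flags S/SAFR keep state",
]


def match_table():
    """Map each rule's flags option to the sample packets it admits."""
    return {
        flags_option_of(rule): [name for name, f in SAMPLE_PACKETS
                                if rule_matches_tcp_flags(rule, f)]
        for rule in RULES
    }


if __name__ == "__main__":
    for spec, admitted in match_table().items():
        print(f"flags {spec:<7} admits: {', '.join(admitted)}")
```

Running the block shows flags S admitting only the bare SYN, flags S/SA admitting SYN FIN as well as the URG and PSH variants, and flags S/SAFR admitting the URG and PSH variants while rejecting SYN FIN, SYN ACK and RST, which is the distinction the guide draws when it recommends flags S unless an application needs the looser form.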
3.5 Protocol options: TCP flags, IP options and fragments, ICMP types and state information 21