HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
3.5.4.1 Selecting IP packet fragments: with frag
The with frag keyword selects IP packet fragments (IP packets with a non-zero fragment offset).
If you do not want IPFilter to pass IP packet fragments, specify the block action and the with
frag keywords. For example:
block in all with frag
3.5.4.2 Selecting short fragments: with short
You can configure IPFilter to drop packet fragments that are too short for IPFilter to compare
against its rules, using the with short keyword. This is useful for security purposes, because an
attacker can use such fragments to attempt to access the system. For example:
block in all with short
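The two selectors above differ in which packets they catch. The following added example (not code from the HP-UX guide or from IPFilter) parses raw IPv4 headers and classifies constructed sample packets the way the two keywords would select them: a fragment is, as the guide defines it, a packet with a non-zero fragment offset; "short" is this example's reading of "too short for comparison", namely an offset-0 packet whose IP payload cannot hold the minimum transport header (the MIN_TRANSPORT_HDR table is an assumption of the example). The sample packets are built inline and are not captured traffic.

```python
# Classifying IPv4 packets the way "with frag" and "with short" select them.
# Added example, not HP-UX IPFilter code. "Fragment" follows the guide's
# definition (non-zero fragment offset). "Short" is this example's reading of
# the guide's "too short for comparison": an unfragmented packet or first
# fragment whose IP payload cannot hold the transport header the rules compare.
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
# Minimum transport header length per protocol (assumption used to define "short").
MIN_TRANSPORT_HDR = {IPPROTO_TCP: 20, IPPROTO_UDP: 8, IPPROTO_ICMP: 8}
IP_MF = 0x2000              # "more fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF         # 13-bit fragment offset, in 8-byte units


def classify_ipv4(packet):
    """Return (is_fragment, is_short) for a raw IPv4 packet (header + payload)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & IP_OFFMASK) * 8
    payload_len = min(total_len, len(packet)) - ihl
    is_fragment = offset != 0                   # the guide's definition of "with frag"
    needed = MIN_TRANSPORT_HDR.get(proto, 0)
    # A non-first fragment carries no transport header at all, so only offset-0
    # packets are judged on whether the header fits.
    is_short = offset == 0 and payload_len < needed
    return is_fragment, is_short


def build_ipv4(proto, flags_off, payload, src="192.0.2.10", dst="10.1.1.1"):
    """Build a minimal IPv4 packet (checksum left zero) for the constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_off,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


# Constructed sample packets (not captured traffic).
SAMPLES = {
    # complete TCP SYN with DF set: neither a fragment nor short
    "full_syn": build_ipv4(IPPROTO_TCP, 0x4000, bytes(20)),
    # first fragment (MF set, offset 0) carrying only 8 of the 20 TCP header bytes:
    # not selected by "with frag" but selected by "with short"
    "tiny_first_frag": build_ipv4(IPPROTO_TCP, IP_MF, bytes(8)),
    # second fragment at offset 8 bytes: selected by "with frag"
    "second_frag": build_ipv4(IPPROTO_TCP, 1, bytes(32)),
    # complete UDP header: neither
    "full_udp": build_ipv4(IPPROTO_UDP, 0, bytes(8)),
}


def classify_samples():
    """Map each sample name to its (is_fragment, is_short) classification."""
    return {name: classify_ipv4(pkt) for name, pkt in SAMPLES.items()}
```

The tiny first fragment is the case worth noticing: its offset is zero, so a rule using only with frag does not select it, while with short does, which is why the guide pairs the two keywords.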
3.5.5 Filtering ICMP traffic by type and code: icmp-type and code
You can filter specific types of ICMP traffic using the icmp-type and icmp-code keywords.
These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service (DoS)
attacks, but must allow certain types of ICMP messages in and out of your system. These keywords
are also useful when you want to block traffic from blocks of addresses but want to allow in ICMP
packets required for normal network operation. See Chapter 11 (page 72) for more information.
3.5.6 Protecting TCP, UDP, and ICMP sessions: keep state
Use keep state to select individual TCP, UDP, and ICMP sessions that exchange multiple packets.
This enables you to use a rule to select the first packet in a session and then apply the same rule
for all other packets in the session. For example, you can use the keep state option to allow
bidirectional packets for a session that originates from the local system while blocking similar
packets for session requests from remote systems. The keep state option also enables IPFilter
to distinguish legitimate traffic from port scan attacks and Denial of Service (DoS) attacks.
When a packet matches a rule with the keep state option, IPFilter creates an entry in its state
table with the source and destination IP addresses and protocol. If the protocol is TCP or UDP, the
entry also contains the source and destination port numbers. The entry is bidirectional and IPFilter
checks both inbound and outbound packets against the state table, so you do not need to configure
rules for the other inbound and outbound packets that match these parameters.
You can use keep state to limit the number of rules you must configure. Use keep state to
pass or block the first packet in a TCP, UDP, or ICMP session. If the protocol is TCP, you can specify
flags S to match the first packet in a TCP session (a TCP packet with only the SYN flag set).
For example, you can use the keep state keyword with IPFilter rules to protect an SSH server:
pass in quick proto tcp from any to 10.1.1.1/32 port = 22 flags S keep state
block out all
The keep state keyword causes IPFilter to create an entry in the state table after the first SYN
packet (flags S) received by the SSH server. The entry specifies the IP addresses, protocol, and
port numbers for the session. IPFilter will not check subsequent inbound or outbound packets
matching the state table entry against the IPFilter ruleset. This enables outbound responses for the
SSH session to pass, despite the block out all rule.
The following rules show keep state rules for TCP, UDP, and ICMP:
pass out quick proto tcp from 10.1.1.1/32 to any keep state
pass out quick proto udp from 10.1.1.1/32 to any keep state
pass out quick proto icmp from 10.1.1.1/32 to any keep state
For more examples of correct uses of the keep state keyword, see Appendix B (page 100).
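To make the state-table behaviour described above concrete, here is an added example (not code from the HP-UX guide or from IPFilter) that models rule evaluation for the guide's SSH ruleset and for the ICMP keep state rule. It parses only the rule subset the examples use, keeps a bidirectional state entry keyed on protocol, addresses and ports, consults that table before the ruleset, and applies last-match-wins with quick short-circuiting and a default of pass when nothing matches. The packets are constructed, and the DENY_RULES variant adds a block in all rule that is not on the page, to show how the stray-ACK case changes under default deny.

```python
# Toy model of IPFilter rule evaluation with "keep state". Added example, not
# HP-UX IPFilter code: it models only the rule subset used in the guide's
# examples, last-match-wins unless a matching rule is "quick", the state table
# consulted before the ruleset, and IPFilter's default of pass when no rule matches.
import ipaddress
from collections import namedtuple

# A packet as the filter sees it; ports are 0 for ICMP, flags are TCP flag letters.
Packet = namedtuple("Packet", "direction proto src dst sport dport flags", defaults=(0, 0, ""))


def parse_rule(line):
    """Parse one rule from the grammar subset: action, direction, quick, proto,
    from/to with 'any' or CIDR, 'port = N' (destination only), flags, keep state, all."""
    toks = line.split()
    rule = {"action": toks[0], "direction": toks[1], "quick": False, "proto": None,
            "src": None, "dst": None, "dport": None, "flags": None, "keep_state": False}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("quick", "all"):                  # "all" means "from any to any"
            rule["quick"] = rule["quick"] or t == "quick"
            i += 1
        elif t in ("from", "to"):
            addr = toks[i + 1]
            rule["src" if t == "from" else "dst"] = (
                None if addr == "any" else ipaddress.ip_network(addr, strict=False))
            i += 2
        elif t in ("proto", "flags"):
            rule[t] = toks[i + 1]
            i += 2
        elif t == "port" and toks[i + 1] == "=":
            rule["dport"] = int(toks[i + 2])
            i += 3
        elif t == "keep" and toks[i + 1] == "state":
            rule["keep_state"] = True
            i += 2
        else:
            raise ValueError("unsupported token %r in rule: %s" % (t, line))
    return rule


def matches(rule, p):
    """True if the packet satisfies every selector of the rule."""
    return (
        rule["direction"] == p.direction
        and (rule["proto"] is None or rule["proto"] == p.proto)
        and (rule["src"] is None or ipaddress.ip_address(p.src) in rule["src"])
        and (rule["dst"] is None or ipaddress.ip_address(p.dst) in rule["dst"])
        and (rule["dport"] is None or rule["dport"] == p.dport)
        # the guide reads "flags S" as a TCP packet with only SYN set: exact match
        and (rule["flags"] is None or (p.proto == "tcp" and p.flags == rule["flags"]))
    )


class StatefulFilter:
    def __init__(self, rules_text):
        self.rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
        self.state = {}   # session entry -> action applied to the session's first packet

    @staticmethod
    def _key(p):
        # addresses, protocol and ports; endpoint order is dropped so that one
        # entry matches both directions of the session
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    def check(self, p):
        key = self._key(p)
        if key in self.state:             # state hit: the ruleset is not consulted
            return self.state[key]
        action, winner = "pass", None
        for r in self.rules:
            if matches(r, p):
                action, winner = r["action"], r
                if r["quick"]:
                    break
        if winner is not None and winner["keep_state"]:
            self.state[key] = action
        return action


# The guide's two-rule SSH example, verbatim.
PAGE_RULES = """
pass in quick proto tcp from any to 10.1.1.1/32 port = 22 flags S keep state
block out all
"""
# The same rules with an inbound default-deny rule added (an assumption, not on the page).
DENY_RULES = "block in all\n" + PAGE_RULES


def run_ssh_scenario(rules_text=PAGE_RULES):
    """Return the action taken for four constructed packets, in order."""
    f = StatefulFilter(rules_text)
    pkts = [
        Packet("in", "tcp", "192.0.2.10", "10.1.1.1", 40000, 22, "S"),    # SYN to the SSH server
        Packet("out", "tcp", "10.1.1.1", "192.0.2.10", 22, 40000, "SA"),  # its SYN-ACK reply
        Packet("out", "tcp", "10.1.1.1", "192.0.2.10", 40001, 80, "S"),   # unrelated outbound SYN
        Packet("in", "tcp", "192.0.2.10", "10.1.1.1", 40002, 22, "A"),    # ACK with no state entry
    ]
    return [f.check(p) for p in pkts]
```

With the page's ruleset, run_ssh_scenario() yields pass, pass, block, pass: the SYN-ACK passes on the state entry despite block out all, the unrelated outbound SYN is blocked, and the stray ACK passes only because no inbound block rule exists. With DENY_RULES the last result becomes block, which is the behaviour to expect when keep state is combined with a default-deny policy.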
3.5 Protocol options: TCP flags, IP options and fragments, ICMP types and state information 23