HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

3.5.6.1 Allocating memory for the state table
The amount of memory allocated for the state table is determined by the kernel tunable parameter
fr_statemax. In most deployments, the default value is sufficient. For information about modifying
the fr_statemax value, see Section C.3 (page 112).
3.5.6.2 Using keep state with TCP
You can configure rules with the flags and keep state keyword to select packets for TCP
connections initiated in a specific direction. To do this, use the flags option to select the first
packet used to initiate a TCP connection and add the keep state keyword to select subsequent
packets for the connection. The first packet used to initiate a TCP connection has the SYN flag set
but not the ACK flag, and in most cases has no other flags set.
For example, the following ruleset uses the flags S specification to select packets for telnet
connection requests (TCP port 23) sent from the local system (10.1.1.1). The keep state keyword
also allows subsequent TCP packets for these connections to pass. These rules allow only the
following packets:
Outbound TCP connection requests (TCP SYN flag set and no other flags set) for telnet (port 23)
The packets used to finish establishing the TCP connections for the outbound telnet requests
Inbound and outbound packets for the established telnet connections
pass out quick proto tcp from 10.1.1.1/32 to any port = 23 flags S keep state
block in quick all
block out all
With the previous ruleset, IPFilter enters the first packet of an outbound telnet connection in the
state table. When the three-way TCP handshake has been recorded by the state engine, the
connection is marked as fully established (the state is set to 4/4). The state table entry is set for
long-term data exchange until the connection ends; at that time the state changes again. You can
see the current states for entries in the state table using ipfstat. See Section 9.1 (page 53) for
more information.
The flags keyword also prevents badly-formed TCP packets from entering your system. For example,
you can configure a web server (10.2.2.2) with the following ruleset:
pass in quick proto tcp from any to 10.2.2.2/32 port = 80 flags S keep state
block in quick all
block out all
With the previous ruleset, IPFilter allows in valid connection requests (TCP packets with only the
SYN flag set) for the HTTP service (TCP port 80). The keep state keyword directs IPFilter to
enter packet information in the state table to allow subsequent packets for those connections. This
ruleset has two advantages:
No badly-formed TCP packets are allowed in or added to the state table.
TCP port scan attacks that send TCP packets with inappropriate flags set, such as FIN scan
attacks, will fail. In FIN scan attacks, an attacker sends TCP packets with the SYN and FIN flags
set to elicit TCP RST packets and determine the ports open on a system for connection requests.
NOTE: The keep state keyword can create state entries even for packets that belong to the
middle of an existing connection. The only exception to this is when the rule specifies flags S.
In this case, IPFilter creates a state table entry only when a TCP packet with the SYN flag set
is sent, and TCP sends these packets only at connection establishment time.
3.5.6.2.1 Idle timeout
By default, IPFilter keeps TCP state table entries for idle, established TCP connections for 86,400
seconds (24 hours). If the connection is idle (no packets match the entry) for this time period, IPFilter
deletes the entry.
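The following Python model is an added example and is not part of the HP-UX IPFilter guide or IPFilter's own code. It encodes the telnet-client ruleset from Section 3.5.6.2 (pass out quick ... flags S keep state, block in quick all, block out all) and walks constructed packets through it, showing why a SYN-only packet creates a state entry, why the handshake and later data packets pass on that entry (marked 4/4 once established), why SYN/FIN and mid-stream packets are blocked, and how the 86,400-second idle timeout from Section 3.5.6.2.1 removes an entry. The rule encoding as dicts, the state labels, the addresses 10.9.9.9 and 10.7.7.7 and the packet sequence are all assumptions made for illustration.

```python
# Added example, not IPFilter code: a small model of "flags S keep state".
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits (RFC 793)
IDLE_TIMEOUT = 86400                           # the guide's default, in seconds


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the filtering host
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    time: int           # seconds; used only for the idle timeout


def conn_key(pkt):
    # Both directions of one connection share an entry: order the endpoints.
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


def matches(rule, pkt):
    """Does a rule (constructed dict encoding) select this packet?"""
    if rule["dir"] != pkt.direction:
        return False
    if rule["src"] != "any" and rule["src"] != pkt.src:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt.dst:
        return False
    if rule.get("dport") is not None and rule["dport"] != pkt.dport:
        return False
    # "flags S": SYN set and no other flag set, as the guide describes.
    if rule.get("flags_S") and pkt.flags != SYN:
        return False
    return True


class Filter:
    def __init__(self, rules):
        self.rules = rules
        self.state = {}   # conn_key -> {"state": label, "last_seen": seconds}

    def _lookup_state(self, pkt):
        key, entry = conn_key(pkt), self.state.get(conn_key(pkt))
        if entry is None:
            return None
        if pkt.time - entry["last_seen"] > IDLE_TIMEOUT:
            del self.state[key]          # idle too long: entry is deleted
            return None
        entry["last_seen"] = pkt.time
        return entry

    @staticmethod
    def _advance(entry, pkt):
        # Coarse handshake tracking; "4/4" is the fully established state.
        if entry["state"] == "syn_sent" and pkt.flags == SYN | ACK:
            entry["state"] = "syn_received"
        elif entry["state"] == "syn_received" and pkt.flags & ACK:
            entry["state"] = "4/4"
        elif pkt.flags & (FIN | RST):
            entry["state"] = "closing"

    def handle(self, pkt):
        """Return 'pass' or 'block' for one packet."""
        entry = self._lookup_state(pkt)   # state entries are checked first
        if entry is not None:
            self._advance(entry, pkt)
            return "pass"
        verdict = "pass"                  # default when no rule matches
        for rule in self.rules:
            if not matches(rule, pkt):
                continue
            verdict = rule["action"]
            if verdict == "pass" and rule.get("keep_state"):
                self.state[conn_key(pkt)] = {"state": "syn_sent",
                                             "last_seen": pkt.time}
            if rule.get("quick"):
                break                     # "quick": first match decides
        return verdict


# The guide's telnet-client ruleset for 10.1.1.1, encoded as dicts.
TELNET_CLIENT_RULES = [
    {"dir": "out", "action": "pass", "quick": True, "src": "10.1.1.1",
     "dst": "any", "dport": 23, "flags_S": True, "keep_state": True},
    {"dir": "in", "action": "block", "quick": True, "src": "any", "dst": "any"},
    {"dir": "out", "action": "block", "quick": False, "src": "any", "dst": "any"},
]


def run_scenario():
    """Feed constructed packets through the ruleset; returns verdicts by name."""
    f = Filter(TELNET_CLIENT_RULES)
    me, srv, p = "10.1.1.1", "10.9.9.9", 40000      # constructed endpoints
    syn = Packet("out", me, p, srv, 23, SYN, 0)
    r = {"syn": f.handle(syn)}                       # SYN only: state created
    r["syn_ack"] = f.handle(Packet("in", srv, 23, me, p, SYN | ACK, 1))
    r["ack"] = f.handle(Packet("out", me, p, srv, 23, ACK, 2))
    r["state"] = f.state[conn_key(syn)]["state"]     # handshake complete
    r["data"] = f.handle(Packet("in", srv, 23, me, p, ACK, 100))
    r["inbound_syn"] = f.handle(Packet("in", "10.7.7.7", 5555, me, 23, SYN, 3))
    r["syn_fin"] = f.handle(Packet("out", me, p + 1, srv, 23, SYN | FIN, 4))
    r["midstream"] = f.handle(Packet("out", me, p + 2, srv, 23, ACK, 5))
    r["other_port"] = f.handle(Packet("out", me, p + 3, srv, 80, SYN, 6))
    # Idle longer than IDLE_TIMEOUT: entry removed, old flow hits the rules.
    r["after_idle"] = f.handle(Packet("out", me, p, srv, 23, ACK, 100 + IDLE_TIMEOUT + 1))
    r["entries_left"] = len(f.state)
    return r
```

Calling run_scenario() returns "pass" for the SYN, SYN/ACK, ACK and later data packets with the entry in state "4/4", and "block" for the inbound SYN, the SYN/FIN probe, the mid-stream ACK with no entry, the SYN to port 80 and the packet sent after the idle timeout, leaving an empty state table. The model checks the state table before the rules, as the guide's description implies, but it simplifies IPFilter's real state values and does not model fr_statemax limits.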
24 Configuring and loading IPv4 filter rules