HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

You can change the idle timeout value for TCP entries by modifying the fr_tcpidletimeout
kernel parameter. See Section C.2 (page 111) for more information.
3.5.6.3 Using keep state with UDP
You can configure IPFilter rules for UDP connections using the keep state keyword. IPFilter adds
an entry to the state table so that packets matching the filter specification are passed in both
directions. For example:
pass out on lan0 proto udp from any to any port 33434><33690 keep state
A state entry is added for incoming UDP connections. The state entry is deleted from the state table if
any one of the following conditions is met:
- A UDP reply matches the state entry created for the corresponding UDP request.
- The UDP entry has been idle for the default timeout period.
- The age option was specified as part of the keep state rule and the UDP entry has been idle for
the timeout period defined by the age option. For more information on the age option,
see Section 3.5.7 (page 26).
3.5.6.3.1 Idle timeout
If a UDP state table entry is idle (no packets match the entry) for 120 seconds, IPFilter deletes the
entry.
3.5.6.4 Using keep state with ICMP
For some ICMP messages, the ICMP protocol defines a request and a corresponding reply message.
For example, the ICMP echo request (ICMP type 8) message (sent by the ping utility) has a
corresponding ICMP echo reply (ICMP type 0) message. You can configure a rule to pass outbound
ICMP echo requests and to pass in the subsequent ICMP echo replies. For example:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state
NOTE: To configure rules to keep state on any outbound ICMP messages that might receive a
reply ICMP message, you must specify both the proto icmp and the keep state options.
To prevent an attacker from sending ICMP messages through your firewall when an active connection
is known to be in your state table, check the incoming ICMP packet type and code, if applicable,
in addition to the source and destination addresses (and ports, if applicable).
A state entry is added for incoming ICMP connections. The state entry is deleted from the state table if
any one of the following conditions is met:
- An ICMP reply matches the state entry created for the corresponding ICMP request.
- The ICMP entry has been idle for the default timeout period.
- The age option was specified as part of the keep state rule and the ICMP entry has been idle for
the timeout period defined by the age option. For more information on the age option,
see Section 3.5.7 (page 26).
3.5.6.4.1 Idle timeout
If an ICMP state table entry is idle (no packets match the entry) for 60 seconds, IPFilter deletes the
entry.
3.5.6.4.2 ICMP error status messages
If TCP or UDP generates an ICMP error status message for a packet that matches an active state
table entry, IPFilter applies the TCP or UDP rule to the ICMP packet. For example:
pass out on lan0 proto udp from any to any port 33434><33690 keep state
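The following is an added example, not code from the HP-UX IPFilter guide or from IPFilter itself: a small Python model of the keep state behaviour described above for UDP and ICMP (reply matching in the reverse direction, the 120 s UDP and 60 s ICMP idle timeouts, the age override, ICMP reply matching on type and code rather than addresses alone, and ICMP error messages being judged by the TCP/UDP entry they refer to). The Packet, StateEntry and StateTable names, the ICMP type tables beyond echo 8/0, and the choice to keep an entry after an ICMP error are assumptions of this model, not documented IPFilter behaviour.

```python
# Added example (not from the HP-UX IPFilter guide): a simplified model of the
# guide's keep state rules for UDP and ICMP, runnable offline. Class names,
# the non-echo ICMP pairs and the error handling are assumptions of this model;
# the timeouts are the values the guide states (UDP 120 s, ICMP 60 s).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UDP_IDLE_TIMEOUT = 120    # seconds, default UDP idle timeout per the guide
ICMP_IDLE_TIMEOUT = 60    # seconds, default ICMP idle timeout per the guide

# Request type -> reply type. Echo (8 -> 0) is the pair the guide names; the
# timestamp/info/mask pairs are standard ICMP but an assumption of this model.
ICMP_REPLY_FOR = {8: 0, 13: 14, 15: 16, 17: 18}
ICMP_REQUEST_FOR = {reply: req for req, reply in ICMP_REPLY_FOR.items()}
# ICMP error messages that carry the offending datagram's header (assumed set).
ICMP_ERROR_TYPES = {3, 4, 11, 12}


@dataclass
class Packet:
    proto: str                        # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = 0
    inner: Optional["Packet"] = None  # for ICMP errors: the original datagram


@dataclass
class StateEntry:
    timeout: int       # idle timeout in seconds (default or the age override)
    last_seen: float   # time the entry was created


class StateTable:
    """Holds entries created by outbound keep state matches and decides
    whether an inbound packet is the reply to one of them."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple, StateEntry] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        # UDP entries are keyed on both address/port pairs; ICMP entries on the
        # addresses plus the request type, so replies are checked by type.
        if pkt.proto == "udp":
            return ("udp", pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return ("icmp", pkt.src, pkt.dst, pkt.icmp_type)

    def add_outbound(self, pkt: Packet, now: float, age: Optional[int] = None) -> None:
        """An outbound packet matched a keep state rule: record its entry.
        'age' models the rule's age option overriding the default timeout."""
        default = UDP_IDLE_TIMEOUT if pkt.proto == "udp" else ICMP_IDLE_TIMEOUT
        self.entries[self._key(pkt)] = StateEntry(age or default, now)

    def _expire(self, now: float) -> None:
        # Delete entries that have been idle longer than their timeout.
        stale = [k for k, e in self.entries.items() if now - e.last_seen > e.timeout]
        for k in stale:
            del self.entries[k]

    def match_inbound(self, pkt: Packet, now: float) -> bool:
        """True if the inbound packet is the reply to an active state entry."""
        self._expire(now)
        if pkt.proto == "udp":
            key = ("udp", pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed
            if key in self.entries:
                del self.entries[key]      # reply seen: the entry is removed
                return True
            return False
        if pkt.proto != "icmp":
            return False
        if pkt.icmp_type in ICMP_ERROR_TYPES and pkt.inner is not None:
            # ICMP error about a datagram with an active entry: the entry's
            # decision applies to the ICMP packet. The error must be addressed
            # to the original sender. Keeping the entry afterwards is an
            # assumption of this model.
            return pkt.dst == pkt.inner.src and self._key(pkt.inner) in self.entries
        # Plain ICMP reply: check type AND code, not only the addresses, so an
        # unrelated ICMP message aimed at a host in the table does not pass.
        req_type = ICMP_REQUEST_FOR.get(pkt.icmp_type)
        if req_type is None or pkt.icmp_code != 0:
            return False
        key = ("icmp", pkt.dst, pkt.src, req_type)
        if key in self.entries:
            del self.entries[key]
            return True
        return False
```

The model deliberately looks an inbound ICMP message up by the request type it answers, so an inbound echo request (type 8) addressed to a host that has an outstanding echo request of its own is not treated as a reply; that is the type/code check the NOTE above asks for.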
3.5 Protocol options: TCP flags, IP options and fragments, ICMP types and state information 25