HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

If an ICMP error status message (such as icmp-type 3 code 3, port unreachable, or icmp-type 11,
time exceeded) is generated for this UDP session, IPFilter applies the rule to the ICMP packet and
allows it to pass.
3.5.7 State aging
The system-defined state entry timeout values are:
ICMP—60 seconds
UDP—120 seconds
TCP—120 seconds
You can override the TCP default value for closed connections using the fr_tcptimewait tunable, or
by using the age option on a per-rule basis. A value specified in a rule takes priority over the
tunable value set at the system level.
The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, only TCP is
supported. NAT provides the frnat_tcptimewait tunable to set the system level timeout.
NOTE: This is available only on HP-UX 11i v3.
3.5.7.1 Rule examples
To pass outbound ICMP echo requests and keep the state entry for 30 seconds while waiting for the ICMP reply:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state age 30
To keep a UDP state entry for 40 seconds while waiting for the UDP reply:
pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40
To keep a TCP state entry for 60 seconds after the connection has been closed:
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60
IMPORTANT: Use age in a TCP rule only when you are handling a DoS-type attack (an ACK flood, for
example), because it modifies the timeout of the TIME_WAIT state in the TCP state table, which can
cause duplicate Initial Sequence Numbers (ISNs).
3.5.8 Handling IP fragments: keep frags
You can configure IPFilter to keep information about IP packets and to match the subsequent
fragments of those packets. The keep frags keyword lets IPFilter pass fragmented packets that belong
to a tracked session while blocking fragments that might be forgeries or port scans directed at the system.
The keep frags option is valid only when used with the keep state option.
In the following example, the first two rules define the valid packets that are allowed to pass. The
keep state and keep frags keywords enable the IP fragments related to those packets to pass.
The third and fourth rules block and log all other packets.
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state keep frags
pass out quick on lan0 proto tcp from any to any keep state flags S keep frags
block in log quick all
block out log quick all
In this example, every valid packet is entered into the state table before the blocking rules are
processed. To further protect the system, log initial SYN packets to detect SYN scans.
3.6 Sending responses for blocked TCP and UDP packets
When you use the block keyword, IPFilter drops the blocked packet and no response is sent to
the remote system that sent the packet. This can be a security risk, because it might alert an attacker
that a packet filter is running on the system. You can use the return-rst and
return-icmp-as-dest keywords to send appropriate responses to blocked packets.
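As an added example (not taken from the guide), the following rules show both keywords in use. The interface name lan0 and the port numbers are assumed. The first rule answers blocked TCP connection attempts with a TCP reset; the second answers blocked UDP packets with an ICMP port-unreachable whose source address is the blocked packet's destination rather than the filtering host:

```conf
# Added example, not from the guide. Interface and ports are assumed.

# Answer blocked TCP packets to port 113 (ident) with a TCP RST, so the
# remote host sees a closed port instead of waiting on a silent drop.
block return-rst in quick on lan0 proto tcp from any to any port = 113

# Answer blocked UDP packets to port 111 with ICMP port unreachable
# (type 3, code 3), sourced from the original destination address.
block return-icmp-as-dest(port-unr) in quick on lan0 proto udp from any to any port = 111
```

Resetting ident (port 113) is the classic use: remote mail servers that query ident would otherwise wait for a timeout before delivering. The return-icmp-as-dest form matters when the filtering system is a router: a plain return-icmp response would carry the router's own address and reveal where the filter sits, whereas return-icmp-as-dest makes the response look like the one an unfiltered host would have sent.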
26 Configuring and loading IPv4 filter rules