HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
3.6.1 Responding to blocked TCP packets: return-rst
When TCP receives a packet for a TCP port that is not open or a packet that is inappropriate for
the TCP state, TCP normally sends a Reset (RST) packet. The return-rst keyword directs IPFilter
to return an RST packet to the sender. The return-rst keyword is valid in the following rules:
• Rules that block inbound packets (block in rules).
• Dynamic Connection Allocation (DCA) rules (keep limit rules), as shown in Section 5.3
(page 35).
To use the return-rst keyword in a rule that blocks inbound packets, insert the return-rst keyword
after the block keyword. For example, the following rule blocks inbound telnet requests and
generates a TCP RST packet:
block return-rst in quick on lan0 proto tcp from any to 10.10.10.0/24 port = 23
When you configure a return-rst rule, HP recommends that you also configure a rule that
explicitly allows the outbound RST packet to pass. For example:
block return-rst in quick on lan0 proto tcp from any to 10.10.10.0/24 port = 23
pass out quick on lan0 proto tcp from any port = 23 to any flags R/RSFUP
3.6.2 Responding to blocked UDP packets: return-icmp-as-dest
The return-icmp-as-dest keyword directs IPFilter to send an ICMP response. Specifying
return-icmp-as-dest(port-unr) directs IPFilter to send an ICMP message with type
destination unreachable and code port unreachable (port-unr). This ICMP message
is the normal system response for packets sent to UDP ports that are not in use. Insert the
return-icmp-as-dest(port-unr) keyword after block. For example:
block return-icmp-as-dest(port-unr) in quick proto udp from any to 20.20.20.0/24 port = 53
The return-icmp-as-dest keyword directs IPFilter to send an ICMP response whose source address
is the original destination address (the destination address of the incoming packet that triggered
the response) instead of the local system's address. The reply therefore appears to come from the
host that was probed, which makes it harder for an attacker to tell that a packet filter, rather than
the host itself, answered. IPFilter also supports the return-icmp keyword, which causes IPFilter to
send the return ICMP packet with the IP address of the local system (the address of the interface
used to transmit the response), but HP recommends that you use the return-icmp-as-dest keyword
instead.
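The two response options side by side in one rules fragment, as an added example (this is not text or
code from the guide). Interface and address values reuse the guide's placeholders (lan0, 10.10.10.0/24,
20.20.20.0/24); the final catch-all block rule is included only to contrast the three behaviours and is an
assumption about the rest of the policy, not something the guide prescribes.

```conf
# Added example (not from the HP-UX IPFilter guide): ipf.conf fragment showing
# the "answer instead of silently drop" options. lan0, 10.10.10.0/24 and
# 20.20.20.0/24 are the guide's placeholders; substitute your own values.

# --- TCP: make a blocked telnet port look closed rather than filtered --------
# IPFilter answers the SYN with a RST, so the client sees "connection refused"
# immediately instead of retransmitting until it times out. "log" records the
# attempt so the refusals still show up in ipmon output.
block return-rst in log quick on lan0 proto tcp from any to 10.10.10.0/24 port = 23

# The RST IPFilter generates leaves through lan0 and is itself subject to the
# outbound rules, so let it out explicitly. Mask R/RSFUP: RST must be set,
# SYN/FIN/URG/PSH must be clear, and ACK is deliberately left out of the mask
# because the generated RST may or may not carry it.
pass out quick on lan0 proto tcp from any port = 23 to any flags R/RSFUP

# --- UDP: make a blocked DNS port look like an unused port -------------------
# ICMP type 3 code 3 (destination unreachable / port unreachable), sourced from
# the original destination address so the reply appears to come from the host
# that was probed, not from the filter.
block return-icmp-as-dest(port-unr) in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 53

# --- Everything else: silent drop (assumed policy, shown for contrast) -------
# No packet goes back at all; a scanner that gets nothing reports "filtered",
# which is the one response that does reveal a filter is present.
block in quick on lan0 all
```

Load the file with the standard ipf command (`ipf -Fa -f /etc/opt/ipf/ipf.conf`, flushing the active set and
reloading; `/etc/opt/ipf/ipf.conf` is the usual HP-UX path, adjust if yours differs) and confirm the three rules
and their order with `ipfstat -nio`. One practical caveat: both return-rst and return-icmp-as-dest answer every
packet that hits the rule, including packets with a forged source address, so the RST or ICMP reply is sent to
whatever address the sender claimed. On an exposed interface that is a small reflection vector; the silent drop
shown last is the right choice where that matters more than a tidy "connection refused".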
3.7 Improving performance with rule groups
Rule groups allow you to write your ruleset as a tree structure instead of a linear list, so that if a
packet is unrelated to a set of rules, those rules are never evaluated. This reduces the IPFilter
processing time for each packet and improves overall IPFilter system performance.
The following is a simple rule group example:
block out quick on lan1 all head 10
pass out quick proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
block out on lan2 all
In this example, a packet that will not be transmitted on lan1 does not match the head of rule group
10, so IPFilter skips every rule in group 10 and continues at the root level (group 0) with the next
rule, block out on lan2 all. A packet that will be transmitted on lan1 matches the head, and IPFilter
then evaluates the rules in group 10 against it. If a rule in the group matches, its action is taken: here
an HTTP SYN to the 20.20.20.64/26 network is passed and a state entry is created. If no rule in the
group matches, the head rule's own action applies, so the packet is blocked, and because the head
is a quick rule no further group 0 rules are consulted for that packet.
Rule groups can also be used to break up a complex firewall ruleset. For example, consider a
firewall with three interfaces, lan0, lan1, and lan2:
• lan0 is connected to external network 20.20.20.0/26.
• lan1 is connected to DMZ network 20.20.20.64/26.
• lan2 is connected to protected network 20.20.20.128/25.
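One way the rest of such a ruleset can be organised, as an added example that is neither the guide's own
continuation of this section nor HP code; it also exercises the head/group/quick behaviour described for the
simple lan1 example above. The firewall's own interface addresses (20.20.20.1, 20.20.20.65, 20.20.20.129),
the DMZ web server address (20.20.20.70) and the policy itself are assumptions made for illustration, and
the design relies on IPFilter consulting its state table before the rules on every interface a flow crosses,
so a flow only needs a keep state rule at the one point where it is first permitted.

```conf
# Added example (not the guide's own ruleset). Three-interface firewall:
#   lan0  external   20.20.20.0/26    firewall address 20.20.20.1   (assumed)
#   lan1  DMZ        20.20.20.64/26   firewall address 20.20.20.65  (assumed)
#   lan2  protected  20.20.20.128/25  firewall address 20.20.20.129 (assumed)
# Assumed policy: the Internet may reach DMZ web server 20.20.20.70 on 80;
# DMZ hosts may do DNS out; protected hosts may reach the DMZ freely, the
# Internet on 80/443, and the firewall on ssh; nothing else is permitted.

# ---- group 0, inbound: anti-spoofing and the firewall's own addresses -------
# A packet arriving on lan0 can never legitimately carry an inside source
# address; log such packets, they are either misconfiguration or an attack.
block in log quick on lan0 from 20.20.20.64/26 to any
block in log quick on lan0 from 20.20.20.128/25 to any
# Traffic addressed to the firewall itself: only ssh from the protected net.
pass in quick on lan2 proto tcp from 20.20.20.128/25 to 20.20.20.129 port = 22 flags S keep state
block in log quick from any to 20.20.20.1
block in log quick from any to 20.20.20.65
block in log quick from any to 20.20.20.129
# Everything else inbound is handed to forwarding; the real decision is made
# by the egress group of the interface the packet will leave on.
pass in quick all

# ---- group 0, outbound: one head per interface ------------------------------
# Each head is "block ... quick": a packet that matches no rule inside its
# group is dropped by the head itself, and a packet leaving lan1 is never
# tested against the lan0 or lan2 groups at all.
block out quick on lan0 all head 10
block out quick on lan1 all head 20
block out quick on lan2 all head 30

# ---- group 10: toward the Internet ------------------------------------------
pass out quick proto tcp from 20.20.20.128/25 to any port = 80 flags S keep state group 10
pass out quick proto tcp from 20.20.20.128/25 to any port = 443 flags S keep state group 10
pass out quick proto udp from 20.20.20.64/26 to any port = 53 keep state group 10

# ---- group 20: into the DMZ -------------------------------------------------
pass out quick proto tcp from any to 20.20.20.70 port = 80 flags S keep state group 20
pass out quick from 20.20.20.128/25 to 20.20.20.64/26 keep state group 20

# ---- group 30: into the protected network -----------------------------------
# Nothing is ever initiated toward it. Replies to connections it started are
# matched by the state table before any rule is consulted, so the group is
# intentionally empty: the head's block is the entire policy for lan2.
```

The order of the group 0 inbound rules matters: the ssh pass rule must precede the block rules for the
firewall's own addresses, because every rule here is quick and the first match wins. Verify the resulting
tree with `ipfstat -nio`, which prints rule numbers and group membership, and check that a forwarded
connection created exactly one state entry with `ipfstat -s`.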