HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

4.3.2 Filtering ICMPv6 packets
To filter ICMPv6 messages by type and code, specify proto icmpv6 (or proto ipv6icmp)
and use the keywords icmpv6-type and code. See Section 11.3 (page 76) for more information.
4.3.2.1 Stateful ICMPv6
IPFilter can retain state information for ICMPv6 Request-Response messages. The only supported
message types are Echo Request and Echo Reply.
4.3.3 IPv6 extension headers
You can block or pass packets according to IPv6 extension headers. A simplified rule syntax is as
follows:
block|pass in|out [processing_options] [proto protocol] ip_selector with v6hdrs ipv6_header
where:
processing_options is one or more processing options, such as quick. See Section 3.4
(page 19) for more information.
ip_selector is the IP address specification using the keyword all, or the from and to keywords
and IPv6 addresses and optional ports. See Section 3.2 (page 16) for more information.
protocol is the protocol name or number. See Section 3.2 (page 16) for more information.
ipv6_header is one or more of the following IPv6 extension header types, separated by
commas (,):
dstopts (Destination options header)
hopopts (Hop-by-hop options header)
mobility (Mobile IPv6 Mobility header)
routing (Routing options header)
ah (IPsec Authentication Header)
esp (IPsec Encapsulating Security Payload)
ipv6 (IPv6 tunneled packets)
For example, to block all TCP packets with a Routing options header, use the following rule:
block in proto tcp from any to any with v6hdrs routing
To block all UDP packets with destination option and mobility headers, use the following rule:
block in proto udp from any to any with v6hdrs dstopts,mobility
NOTE: Extension headers are matched explicitly. A packet with only a destination option header
will not match the previous rule. Only packets with both mobility and destination option headers
will match the rule.
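The following Python sketch is an added example, not part of this guide or of IPFilter itself: it checks rules written in the simplified syntax above against the listed header keywords and models the matching described in the NOTE. The function names and the None result for packets that carry extra, unlisted headers (a case the guide does not describe) are assumptions of this example.

```python
import re

# Extension-header keywords listed in section 4.3.3.
V6HDRS = {"dstopts", "hopopts", "mobility", "routing", "ah", "esp", "ipv6"}

RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\s+(?P<middle>.*?)"
    r"(?:\s+with\s+v6hdrs\s+(?P<hdrs>\S+))?\s*$"
)

def parse_rule(line):
    """Parse one rule in the simplified syntax; raise ValueError if malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a block/pass rule: {line!r}")
    if "v6hdrs" in m.group("middle"):
        # e.g. a space after a comma leaves part of the list outside the clause
        raise ValueError(f"malformed v6hdrs list: {line!r}")
    required = set(m.group("hdrs").split(",")) if m.group("hdrs") else set()
    unknown = required - V6HDRS
    if unknown:
        raise ValueError(f"unknown v6hdrs keyword(s): {sorted(unknown)}")
    proto = re.search(r"\bproto\s+(\S+)", m.group("middle"))
    return {"action": m.group("action"), "dir": m.group("dir"),
            "proto": proto.group(1) if proto else None, "v6hdrs": required}

def header_match(rule, packet_hdrs):
    """Header condition only. None means the guide does not state the outcome."""
    required, present = rule["v6hdrs"], set(packet_hdrs)
    if not required:
        return True    # no "with v6hdrs" clause: no header condition to test
    if not required <= present:
        return False   # a listed header is missing (the NOTE's first case)
    if required == present:
        return True    # exactly the listed headers (the NOTE's second case)
    return None        # extra unlisted headers: not covered by the guide

if __name__ == "__main__":
    rule = parse_rule("block in proto udp from any to any with v6hdrs dstopts,mobility")
    # Constructed packets, described only by the extension headers they carry.
    for hdrs in (["dstopts"], ["dstopts", "mobility"], ["dstopts", "mobility", "hopopts"]):
        print(hdrs, "->", header_match(rule, hdrs))
```

Running parse_rule over each line of a rule file before loading it catches misspelled header keywords and lists broken by stray spaces.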
4.3.4 Filtering tunneled packets
HP-UX IPFilter can filter the following types of tunnel packets:
6-in-4
Use the following rule to filter 6-in-4 tunnel packets:
block in proto 41 from any to any
6-in-6
Use the following rule to filter 6-in-6 tunnel packets:
block in proto 41 from any to any