HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
• 4-in-6
Use the following rule to filter 4-in-6 tunnel packets:
block in proto ip from any to any
4.3.5 Filtering IPv6 fragments
You can filter IPv6 fragments by specifying the v6hdrs frags keywords. Use the following rule
to filter IPv6 fragmented traffic:
block in proto udp from any to any with v6hdrs frags
Unlike for IPv4, IPFilter does not maintain a fragment cache for IPv6 fragments.
4.3.6 Sending ICMPv6 responses
IPFilter supports the return-icmpv6-as-dest and return-icmpv6 keywords for IPv6. These
keywords are equivalent to the IPv4 keywords return-icmp-as-dest and return-icmp. The
primary use for these keywords is to send an ICMPv6 message with type destination
unreachable and code port unreachable in response to UDP packets sent to a blocked
port. For example:
block return-icmp-as-dest(port-unr) in quick proto udp from any to 2001:db8::2 port = 53
See Section 3.6.2 (page 27) for guidelines and more information about sending ICMP responses.
4.4 Loading IPv6 filter rules
By default, HP-UX IPFilter starts on bootup and loads IPv6 filter rules from the
/etc/opt/ipf/ipf6.conf file. If you do not want IPFilter to load IPv6 filter rules at bootup,
place your rules in an alternate location and then manually load the rules using the ipf command.
To load, flush, and switch the IPv6 filter rulesets, insert the -6 option before the other ipf ruleset
options. For example, to add new IPv6 rules to your ruleset from a file, use the -6 and -f options
with the ipf command:
ipf -6 -f rules_file
NOTE: When you load a ruleset, the new rules affect all matching packets immediately, including
packets for established connections. For example, if you load a new rule that blocks telnet
packets, IPFilter will block all telnet packets, including packets for established telnet
connections. The only exception to this behavior is for packets that match entries in the IPFilter state
table. IPFilter will continue to apply the existing action (pass or block) for these packets until the
state table entry times out or is deleted (such as when the connection is closed).
For more examples of commands to manage and load rulesets, see Section 3.8 (page 28) and
Section 10.1 (page 67).
4.4.1 Verifying IPv6 filter rules
You can use the following commands to verify IPv6 filter rules:
• Use the ipf -V command to verify that IPFilter is running.
• Use the ipfstat -6io command to list the active inbound and outbound rules.
• Use the ipfstat -6ioh command to list the active inbound and outbound rules and the
number of hits, or matching packets, for each rule.
For more information about IPFilter utilities, see Chapter 10 (page 67).
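The following script is an added example, not part of the HP-UX guide: it ties the procedure of Sections 4.4 and 4.4.1 together by syntax-checking an IPv6 ruleset with ipf's -n (no-change) option before loading it, then summarising ipfstat -6ioh output to show which rules are actually matching packets. The ruleset path defaults to /etc/opt/ipf/ipf6.conf; the ipfstat output embedded in the script is a constructed sample so the summary can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide). Run with --live on an IPFilter
# host to load and verify the real ruleset; without it, the constructed
# sample below is summarised instead.
RULES=${RULES:-/etc/opt/ipf/ipf6.conf}

# Syntax-check the IPv6 ruleset without changing the kernel (ipf -n),
# then load it for real. Non-zero return means one of the steps failed.
load_ipv6_rules() {
    ipf -6 -n -f "$1" >/dev/null || return 1
    ipf -6 -f "$1"
}

# Summarise "ipfstat -6ioh" output read from stdin. With -h each rule line
# starts with its hit count. Prints three numbers:
#   <rules listed> <block rules with hits> <rules with zero hits>
# A block rule that never matches, or a rule with zero hits after traffic
# has flowed, is worth a second look at rule order and "quick" usage.
summarize_hits() {
    awk '
        $1 !~ /^[0-9]+$/ { next }              # skip "empty list" and other text
        { total++ }
        $1 == 0 { idle++ }
        $1 > 0 && $2 == "block" { blocked++ }
        END { printf "%d %d %d\n", total+0, blocked+0, idle+0 }
    '
}

# Constructed sample of ipfstat -6ioh output (rules taken from this chapter);
# real hit counts come from your own host.
SAMPLE_IPFSTAT='4 block in proto ip from any to any
0 block in proto udp from any to any with v6hdrs frags
17 block return-icmp-as-dest(port-unr) in quick proto udp from any to 2001:db8::2 port = 53
0 pass out quick proto tcp from any to any keep state'

if [ "${1:-}" = "--live" ]; then
    load_ipv6_rules "$RULES" || { echo "IPv6 ruleset failed to load" >&2; exit 1; }
    ipfstat -6ioh | summarize_hits
else
    printf '%s\n' "$SAMPLE_IPFSTAT" | summarize_hits    # prints "4 2 2"
fi
```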