HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

3.5.6.4 Using keep state with ICMP
3.5.6.4.1 Idle timeout
3.5.6.4.2 ICMP error status messages
3.5.7 State aging
3.5.7.1 Rule examples
3.5.8 Handling IP fragments: keep frags
3.6 Sending responses for blocked TCP and UDP packets
3.6.1 Responding to blocked TCP packets: return-rst
3.6.2 Responding to blocked UDP packets: return-icmp-as-dest
3.7 Improving performance with rule groups
3.8 Loading IPv4 filter rules
3.8.1 Verifying IPv4 filter rules
3.8.2 Removing IPFilter rules
3.9 Rule tags
3.9.1 Log tags
3.9.2 NAT tags
4 Configuring and loading IPv6 filter rules
4.1 IPv6 filter rules configuration file
4.2 Features not supported with IPv6
4.3 IPv6 filter rule syntax differences
4.3.1 Specifying addresses
4.3.2 Filtering ICMPv6 packets
4.3.2.1 Stateful ICMPv6
4.3.3 IPv6 extension headers
4.3.4 Filtering tunneled packets
4.3.5 Filtering IPv6 fragments
4.3.6 Sending ICMPv6 responses
4.4 Loading IPv6 filter rules
4.4.1 Verifying IPv6 filter rules
5 Configuring and loading dynamic connection allocation (DCA) rules
5.1 DCA with HP-UX IPFilter
5.1.1 DCA functionality overview
5.1.1.1 Using DCA
5.2 DCA rules configuration files
5.3 DCA rule syntax and keywords
5.3.1 DCA rule conditions
5.4 Limiting connections: keep limit
5.4.1 Limiting connections by IP address
5.4.2 Limiting connections by subnet
5.4.3 Limiting connections by IP address range
5.4.4 Default individual connection limits
5.5 Returning RESET packets: return-rst
5.6 Limiting cumulative connections: cumulative
5.7 Logging exceeded connections: log limit
5.7.1 Summary logs and cumulative limits
5.8 Log frequency: log limit freq
5.9 Loading and modifying DCA rules
5.9.1 Updating keep limit rules
5.9.1.1 Changing the current individual, subnet, or IP address range rule
5.9.1.2 Updating a subnet or IP address range rule
5.9.2 Adding new keep limit rules