HP-UX IPFilter V17.05 Administrator Guide

NOTE: The keep state keyword creates a state table entry for any packet that matches the
rule, including a packet from the middle of a connection that is already established. The only
exception is a rule that also specifies flags S. In that case, IPFilter creates a state table entry
only for a TCP packet with the SYN flag set (and the ACK flag clear), and TCP sends such a
packet only when a connection is being established. Without flags S, a single stray or spoofed
ACK that matches the rule is enough to create an entry for a connection the firewall never saw start.
3.5.6.2.1 Idle Timeout
By default, IPFilter keeps TCP state table entries for idle, established TCP connections for 86,400
seconds (24 hours). If the connection is idle (no packets match the entry) for this time period,
IPFilter deletes the entry.
You can change the idle timeout value for TCP entries by modifying the fr_tcpidletimeout
kernel parameter. See “fr_tcpidletimeout” (page 142) for more information.
3.5.6.3 Using Keep State with UDP
You can configure IPFilter rules for UDP connections using the keep state keyword. IPFilter
adds an entry to the state table that matches the packets of that UDP exchange in both directions,
so the replies are passed without a separate inbound rule. For example:
pass out on lan0 proto udp from any to any port 33434><33690 keep state
A state entry is added when an outbound UDP packet matches this rule; the inbound reply from the
destination address and port back to the source address and port is then passed. The entry is
deleted from the state table when any one of the following conditions is met:
• A UDP reply matches the state entry created for the corresponding UDP request.
• The UDP entry has been idle for the default timeout period.
• The rule specifies the age option and the UDP entry has been idle for the timeout period
defined by that option. For more information on the age option, see “State Aging” (page 36).
3.5.6.3.1 Idle Timeout
If a UDP state table entry is idle (no packets match the entry) for 120 seconds, IPFilter deletes
the entry.
3.5.6.4 Using Keep State with ICMP
For some ICMP messages, the ICMP protocol defines a request and a corresponding reply
message. For example, the ICMP echo request (ICMP type 8) message (sent by the ping utility)
has a corresponding ICMP echo reply (ICMP type 0) message. You can configure a rule to pass
outbound ICMP echo requests and to pass in the subsequent ICMP echo replies. For example:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state
NOTE: To configure rules to keep state on any outbound ICMP messages that might receive a
reply ICMP message, you must specify both the proto icmp and the keep state options.
An attacker who knows that an active entry for a pair of hosts is in your state table can try to
push unrelated ICMP messages through the firewall on the strength of that entry. To prevent this,
match the incoming ICMP packet on its type and code (where applicable), in addition to the source
and destination addresses (and ports, where applicable), rather than on addresses alone.
A state entry is added when an outbound ICMP request matches the rule; the corresponding inbound
ICMP reply is then passed. The entry is deleted from the state table when any one of the following
conditions is met:
• The ICMP reply matches the state entry created for the corresponding ICMP request.
• The ICMP entry has been idle for the default timeout period.
• The rule specifies the age option and the ICMP entry has been idle for the timeout period
defined by that option. For more information on the age option, see “State Aging” (page 36).
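The behaviour this section describes, modelled as a small state table: entries created for any matching TCP packet unless the rule carries flags S (the NOTE at the top of the page), the 86,400-second TCP and 120-second UDP idle timeouts, the age option, the UDP and ICMP entries that go away once the reply has been seen, and the ICMP match on type and code rather than on addresses alone. This is an added example for this page and is not HP-UX IPFilter code or its internal algorithm. The flow-key layout, the client and server addresses (10.0.0.5 and 192.0.2.1), the probe and reply packets, and the 60-second ICMP idle timeout are assumptions made for illustration; the deletion of a UDP or ICMP entry on its first matching reply follows what this page states.

```python
"""Toy model of how IPFilter 'keep state' entries are created, matched and expired.
Added example for this guide page, not HP-UX IPFilter code; see the comments for what is assumed."""
from dataclasses import dataclass, replace
from typing import Optional

# Idle timeouts in seconds: TCP and UDP are the guide's defaults; ICMP is an assumed value.
IDLE_TIMEOUT = {"tcp": 86400, "udp": 120, "icmp": 60}
ICMP_REPLY_FOR = {8: 0}  # request type -> reply type: echo request (8) expects echo reply (0)

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # for icmp: the ICMP type
    dport: int = 0   # for icmp: the ICMP code
    flags: str = ""  # TCP flags present, e.g. "S", "SA", "A"
    t: float = 0.0   # arrival time in seconds

@dataclass(frozen=True)
class Rule:  # a 'pass out ... proto <proto> [flags S] keep state [(age N)]' rule
    proto: str
    flags_s: bool = False        # rule carries 'flags S' (SYN set, ACK clear)
    age: Optional[float] = None  # age option: overrides the default idle timeout

class StateTable:  # flow key -> (last_seen, idle_timeout)
    def __init__(self):
        self._entries = {}

    def add_outbound(self, rule, pkt):
        """Apply a keep state rule to an outbound packet; True if an entry was created."""
        if pkt.proto != rule.proto:
            return False
        if rule.flags_s and not ("S" in pkt.flags and "A" not in pkt.flags):
            return False  # flags S: only a bare SYN (connection set-up) creates state
        if pkt.proto == "icmp":
            reply_type = ICMP_REPLY_FOR.get(pkt.sport)
            if reply_type is None:
                return False  # no defined reply for this ICMP type: nothing to track
            key = ("icmp", pkt.src, pkt.dst, reply_type, 0)
        else:
            key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        timeout = rule.age if rule.age is not None else IDLE_TIMEOUT[pkt.proto]
        self._entries[key] = (pkt.t, timeout)
        return True

    def match_inbound(self, pkt):
        """True if an inbound packet is the reply a live entry is waiting for."""
        self._expire(pkt.t)
        if pkt.proto == "icmp":  # type and code are part of the match, not just addresses
            key = ("icmp", pkt.dst, pkt.src, pkt.sport, pkt.dport)
        else:
            key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if key not in self._entries:
            return False
        if pkt.proto == "tcp":
            self._entries[key] = (pkt.t, self._entries[key][1])  # traffic restarts the idle timer
        else:
            del self._entries[key]  # per the guide, the UDP/ICMP reply removes the entry
        return True

    def _expire(self, now):
        for key, (last_seen, timeout) in list(self._entries.items()):
            if now - last_seen >= timeout:
                del self._entries[key]

def demo():
    """Run the guide's cases on constructed packets; returns the outcomes by name."""
    c, s = "10.0.0.5", "192.0.2.1"  # constructed client and server addresses
    ack = Packet("tcp", c, s, 40000, 80, flags="A")
    out = {}
    # Without flags S even a mid-connection ACK creates an entry; with it, only a bare SYN does.
    out["ack_creates_state_without_flags_s"] = StateTable().add_outbound(Rule("tcp"), ack)
    strict, rule = StateTable(), Rule("tcp", flags_s=True)
    out["ack_creates_state_with_flags_s"] = strict.add_outbound(rule, ack)
    out["syn_creates_state_with_flags_s"] = strict.add_outbound(rule, replace(ack, flags="S"))
    # TCP idle timeout: a reply inside 86,400 s matches and refreshes the timer; beyond it, no entry.
    synack = Packet("tcp", s, c, 80, 40000, flags="SA", t=86399)
    out["tcp_reply_before_idle_timeout"] = strict.match_inbound(synack)
    out["tcp_reply_after_idle_timeout"] = strict.match_inbound(replace(synack, t=2 * 86400))
    # UDP: the reply to an outbound probe matches once and removes the entry; 120 s idle expires it.
    probe, reply = Packet("udp", c, s, 50000, 33500), Packet("udp", s, c, 33500, 50000, t=10)
    udp = StateTable()
    udp.add_outbound(Rule("udp"), probe)
    out["udp_reply_matches"] = udp.match_inbound(reply)
    out["udp_second_reply_matches"] = udp.match_inbound(reply)
    udp.add_outbound(Rule("udp"), probe)
    out["udp_reply_after_120s"] = udp.match_inbound(replace(reply, t=121))
    aged = StateTable()
    aged.add_outbound(Rule("udp", age=30), probe)  # age option shortens the window
    out["udp_age30_reply_at_31s"] = aged.match_inbound(replace(reply, t=31))
    # ICMP: only the echo reply (type 0) from the pinged host matches the echo-request entry.
    icmp = StateTable()
    icmp.add_outbound(Rule("icmp"), Packet("icmp", c, s, 8, 0))
    out["unreachable_rides_on_echo_state"] = icmp.match_inbound(Packet("icmp", s, c, 3, 1, t=1))
    out["echo_reply_matches"] = icmp.match_inbound(Packet("icmp", s, c, 0, 0, t=1))
    return out
```

Calling demo() walks the cases in order: the ACK creates state only under the rule without flags S, the TCP reply at 86,399 seconds still matches while one a full timeout later does not, the UDP reply is admitted once and a second copy is not, the age option of 30 seconds rejects a reply at 31 seconds, and an ICMP destination-unreachable (type 3, code 1) from the pinged host is not admitted on the echo-request entry even though its addresses match.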
3.5 Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information 35