HP-UX IPFilter V17.05 Administrator Guide

3.5.6.4.1 Idle Timeout
If an ICMP state table entry is idle (no packets match the entry) for 60 seconds, IPFilter deletes
the entry.
3.5.6.4.2 ICMP Error Status Messages
If an ICMP error message is generated in response to a TCP or UDP packet that matches an active
state table entry, IPFilter applies that TCP or UDP rule to the ICMP packet. For example:
pass out on lan0 proto udp from any to any port 33434><33690 keep state
If an ICMP error message is returned for this UDP session (such as icmp-type 3 code 3, port
unreachable, or icmp-type 11, time exceeded), IPFilter applies the rule to the ICMP packet and
allows it to pass. This is possible because an ICMP error message quotes the IP header and the
first bytes of the transport header of the packet that triggered it, which is enough to identify
the session the error belongs to.
3.5.7 State Aging
The system-defined state entry timeout values are:
ICMP—60 seconds
UDP—120 seconds
TCP—120 seconds
You can override the TCP default (the time an entry is kept after the connection is closed) at
system level with the fr_tcptimewait tunable, or per rule with the age option. A value specified
in a rule takes priority over the system-level tunable.
The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, only TCP
is supported. NAT provides the frnat_tcptimewait tunable to set the system-level timeout.
NOTE: This is available only on HP-UX 11i v3.
3.5.7.1 Rule Examples
To pass outbound ICMP echo requests and keep the state entry for 30 seconds while waiting for
the ICMP echo reply:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state age 30
To keep the UDP state entry for 40 seconds while waiting for the UDP reply:
pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40
To keep the TCP state entry for 60 seconds after the connection has been closed:
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60
IMPORTANT: Use age in a TCP rule only when you are dealing with a DoS-type attack (an ACK
flood, for example), because it changes the timeout of the TIME_WAIT state in the TCP state
table. Shortening TIME_WAIT lets a new connection reuse the same address and port pair while
segments of the old connection may still be in flight, which can result in duplicate Initial
Sequence Numbers (ISNs).
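The following is an added model, not code from the HP-UX IPFilter guide or from IPFilter itself, of the two mechanisms described in 3.5.6.4.2 and 3.5.7: how an ICMP error message is tied back to the TCP/UDP state entry through the original header it quotes, and how the effective timeout of an entry is chosen (per-rule age, then the fr_tcptimewait tunable, then the system default). The state table, the 5-tuple keys, the modelling of fr_tcptimewait as a plain attribute, and the addresses and ports in the sample traffic are assumptions made for the example; the timeout values are the ones the guide lists.

```python
import struct

# System-defined state timeouts from the guide (seconds).
DEFAULT_TIMEOUT = {"icmp": 60, "udp": 120, "tcp": 120}

def build_ipv4_header(src, dst, proto_num, total_len=28):
    """Minimal 20-byte IPv4 header; checksum left zero (never validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto_num,
                       0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def build_udp_header(sport, dport, length=8):
    return struct.pack("!HHHH", sport, dport, length, 0)

def build_icmp_error(icmp_type, code, quoted_ip_header, quoted_l4):
    """ICMP error: 8-byte ICMP header, then the original IPv4 header and the
    first 8 bytes of its transport header (RFC 792 layout)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted_ip_header + quoted_l4

def parse_icmp_error(payload):
    """Recover the 5-tuple of the datagram quoted inside a destination unreachable
    (type 3) or time exceeded (type 11) message; that quote is what ties the error
    to a TCP/UDP state entry. None for other ICMP types or a truncated quote."""
    icmp_type = payload[0]
    inner = payload[8:]
    if icmp_type not in (3, 11) or len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    proto = {6: "tcp", 17: "udp"}.get(inner[9])
    if proto is None or len(inner) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", inner, ihl)
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    return (proto, src, sport, dst, dport)

class StateTable:
    """State table with the guide's aging rules: a per-rule 'age' overrides the
    fr_tcptimewait tunable, which overrides the built-in default. The tunable is
    a plain attribute here (assumption; on HP-UX it is set with system tools)."""

    def __init__(self, fr_tcptimewait=None):
        self.fr_tcptimewait = fr_tcptimewait
        self.entries = {}   # 5-tuple -> {"last": t, "timeout": s, "closed": bool}

    def effective_timeout(self, proto, age=None):
        if age is not None:
            return age
        if proto == "tcp" and self.fr_tcptimewait is not None:
            return self.fr_tcptimewait
        return DEFAULT_TIMEOUT[proto]

    def keep_state(self, proto, src, sport, dst, dport, now, age=None):
        """Outbound packet matched a 'keep state [age N]' rule."""
        key = (proto, src, sport, dst, dport)
        self.entries[key] = {"last": now, "closed": False,
                             "timeout": self.effective_timeout(proto, age)}
        return key

    def match(self, proto, src, sport, dst, dport, now):
        """Match either direction of the session and refresh its clock."""
        for key in ((proto, src, sport, dst, dport), (proto, dst, dport, src, sport)):
            if key in self.entries:
                self.entries[key]["last"] = now
                return key
        return None

    def match_icmp_error(self, payload, now):
        """Apply the TCP/UDP entry to an ICMP error about that session."""
        tup = parse_icmp_error(payload)
        return self.match(*tup, now) if tup else None

    def close_tcp(self, key, now):
        """Connection torn down: the fr_tcptimewait/age timer starts here."""
        self.entries[key].update(last=now, closed=True)

    def expire(self, now):
        """ICMP/UDP entries go when idle, TCP entries once closed for 'timeout' s."""
        dead = [k for k, e in self.entries.items()
                if (k[0] != "tcp" or e["closed"]) and now - e["last"] >= e["timeout"]]
        for k in dead:
            del self.entries[k]
        return dead

def demo():
    """Constructed traceroute-style probe under the guide's rule:
    pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40"""
    st = StateTable()
    key = st.keep_state("udp", "10.0.0.5", 40000, "10.0.0.9", 33435, now=0, age=40)
    # the far end quotes our datagram inside a type 3 code 3 (port unreachable)
    err = build_icmp_error(3, 3, build_ipv4_header("10.0.0.5", "10.0.0.9", 17),
                           build_udp_header(40000, 33435))
    matched = st.match_icmp_error(err, now=10) == key    # passes under the UDP rule
    reply_ignored = st.match_icmp_error(build_icmp_error(0, 0, b"", b""), now=11) is None
    kept = st.expire(now=49) == []                       # idle 39 s, age 40 not reached
    expired = st.expire(now=50) == [key]                 # idle 40 s since the error
    return {"matched": matched, "echo_reply_ignored": reply_ignored,
            "kept_at_39s": kept, "expired_at_40s": expired}
```

The TCP path is exercised by creating two entries on a table built with fr_tcptimewait=90, one of them with age=60, calling close_tcp on both and then expire: the entry from the rule with age goes first, the one governed by the tunable 30 seconds later, and neither is touched while the connection is still open, which is what the guide's IMPORTANT note is about.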
3.5.8 keep frags: Handling IP Fragments
You can configure IPFilter to remember the IP packets it has passed and to use that information
to match their subsequent fragments. The keep frags keyword lets IPFilter pass the later
fragments of an allowed packet (which carry no TCP or UDP header for a rule to inspect) while
still blocking fragments that might be forgeries or port scans directed at the system.
The keep frags option is valid only when used with the keep state option.
In the following example, the first two rules define the valid packets that are allowed to pass.
The keep state and keep frags keywords allow the related IP fragments of those packets to
pass. The third and fourth rules block and log all other packets.
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state keep frags
pass out quick on lan0 proto tcp from any to any keep state flags S keep frags
block in log quick all
block out log quick all
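As an added illustration of the inbound half of the four-rule example above (not code from the guide or from IPFilter), the model below shows why keep frags is needed: a later fragment has no TCP header, so the rule requiring port 23 and flags S cannot match it, and without a fragment cache it falls through to "block in log quick all". Packets are plain dictionaries, the cache is keyed by (src, dst, proto, IP id), fragments are assumed to arrive first fragment first, and the addresses, ports and IP ids are constructed for the example.

```python
# Assumed packet model: each packet or fragment is a dict. Non-first fragments
# (offset > 0) carry no TCP header, so "sport", "dport" and "flags" are absent.
INBOUND_RULE = {"proto": "tcp", "dst": "20.20.20.1", "dport": 23, "flags": "S"}

def rule_matches(rule, pkt):
    """'pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S'
    needs the TCP header, so it can only ever match the first fragment."""
    return (pkt["offset"] == 0 and pkt["proto"] == rule["proto"]
            and pkt["dst"] == rule["dst"] and pkt.get("dport") == rule["dport"]
            and pkt.get("flags") == rule["flags"])

class FragFilter:
    """Inbound side of the example: one pass rule with keep state, optionally
    keep frags, followed by 'block in log quick all'."""

    def __init__(self, keep_frags=True):
        self.keep_frags = keep_frags
        self.state = set()   # 5-tuples created by keep state
        self.frags = set()   # (src, dst, proto, ip_id) created by keep frags
        self.log = []        # what 'block in log quick all' would log

    def frag_key(self, pkt):
        return (pkt["src"], pkt["dst"], pkt["proto"], pkt["id"])

    def filter_in(self, pkt):
        if pkt["offset"] > 0:
            # later fragment: only the fragment cache can vouch for it
            if self.frag_key(pkt) in self.frags:
                return "pass"
            self.log.append(pkt)
            return "block"
        tup = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if tup in self.state:
            return "pass"
        if rule_matches(INBOUND_RULE, pkt):
            self.state.add(tup)
            if self.keep_frags and pkt["mf"]:
                self.frags.add(self.frag_key(pkt))   # remember this datagram's pieces
            return "pass"
        self.log.append(pkt)
        return "block"

def demo(keep_frags=True):
    """Constructed fragmented telnet SYN (IP id 0xBEEF) followed by an orphan
    fragment with an id never seen, as a forged or scanning fragment would look."""
    f = FragFilter(keep_frags)
    common = dict(src="10.1.1.7", dst="20.20.20.1", proto="tcp")
    first = dict(common, id=0xBEEF, offset=0, mf=1, sport=40123, dport=23, flags="S")
    second = dict(common, id=0xBEEF, offset=185, mf=0)
    orphan = dict(common, id=0xDEAD, offset=185, mf=0)
    return [f.filter_in(p) for p in (first, second, orphan)], len(f.log)
```

With keep frags the second fragment passes and only the orphan is blocked and logged; without it the second fragment of a legitimate datagram is blocked as well, which is the breakage the keyword exists to prevent.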
36 Configuring and Loading IPv4 Filter Rules