HP-UX IPFilter V17.05 Administrator Guide

3.5.4 with frag and with short: Selecting Fragmented IP Packets
3.5.4.1 with frag: Selecting IP Packet Fragments
3.5.4.2 with short: Selecting Short Fragments
3.5.5 icmp-type and code: Filtering ICMP Traffic by Type and Code
3.5.6 keep state: Protecting TCP, UDP, and ICMP Sessions
3.5.6.1 Allocating Memory for the State Table
3.5.6.2 Using Keep State with TCP
3.5.6.2.1 Idle Timeout
3.5.6.3 Using Keep State with UDP
3.5.6.3.1 Idle Timeout
3.5.6.4 Using Keep State with ICMP
3.5.6.4.1 Idle Timeout
3.5.6.4.2 ICMP Error Status Messages
3.5.7 State Aging
3.5.7.1 Rule Examples
3.5.8 keep frags: Handling IP Fragments
3.6 Sending Responses for Blocked TCP and UDP Packets
3.6.1 return-rst: Responding to Blocked TCP Packets
3.6.2 return-icmp-as-dest: Responding to Blocked UDP Packets
3.7 Improving Performance with Rule Groups
3.8 Loading IPv4 Filter Rules
3.8.1 Verifying IPv4 Filter Rules
3.8.2 Removing IPFilter Rules
3.9 Rule Tags
3.9.1 Log Tags
3.9.2 NAT Tags
4 Configuring and Loading IPv6 Filter Rules
4.1 IPv6 Filter Rules Configuration File
4.2 Features Not Supported with IPv6
4.3 IPv6 Filter Rule Syntax Differences
4.3.1 Specifying Addresses
4.3.2 Filtering ICMPv6 Packets
4.3.2.1 Stateful ICMPv6
4.3.3 IPv6 Extension Headers
4.3.4 Filtering Tunneled Packets
4.3.5 Filtering IPv6 Fragments
4.3.6 Sending ICMPv6 Responses
4.4 Loading IPv6 Filter Rules
4.4.1 Verifying IPv6 Filter Rules
5 Configuring and Loading Dynamic Connection Allocation (DCA) Rules
5.1 DCA with HP-UX IPFilter
5.1.1 Overview: DCA Functionality
5.1.1.1 Using DCA
5.2 DCA Rules Configuration Files
5.3 DCA Rule Syntax and Keywords
5.3.1 DCA Rule Conditions
5.4 keep limit: Limiting Connections
5.4.1 Limiting Connections by IP Address
5.4.2 Limiting Connections by Subnet
5.4.3 Limiting Connections by IP Address Range
5.4.4 Default Individual Connection Limits