HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3
block|pass in|out [processing_options] [proto protocol] ip_selector [protocol_options]
The ip_selector is the from...to IP address and port number specification or the keyword
all, as defined in Section 3.2 (page 16).
If you specify more than one processing option, you must specify them in the following order:
1. flags
2. with opt and with ipopt
3. with frag and with short
4. icmp-type and code
5. keep state
6. keep frags
In the following example, the user specifies the flags option and the keep option in order:
pass in quick proto tcp from any to 10.1.1.1 flags S keep state
3.5.2 Specifying TCP header flags: flags
Use the flags option to filter traffic by flags (control bits) in the TCP header. To specify the flags
option, you must also specify proto tcp. The syntax for the flags option is as follows:
flags flags[/flags_checked]
where flags are the TCP flags that must be set to match the filter and flags_checked are the
TCP flags checked. The values for flags and flags_checked are sequences of characters,
where each character is the initial character of a TCP flag name:
A (ACK - Acknowledgement)
F (FIN - No more data)
P (PUSH - Push function)
R (RST - Reset the connection)
S (SYN - Synchronize sequence numbers)
U (URG - Urgent)
See RFC 793, Transmission Control Protocol Specification for descriptions of TCP flags.
Flags specified in the flags_checked sequence but not in the flags sequence must be clear
to match the filter. For example, the flags S/SA specification matches packets with the SYN flag
set and the ACK flag cleared, but does not match packets with both the SYN flag and the ACK
flag set.
If you omit /flags_checked, IPFilter verifies all the TCP flags in the packet, so specifying flags
S is equivalent to specifying flags S/AFPRSU, and matches TCP packets that have the SYN flag
set and no other flags set.
To accommodate applications or user protocols that also set the URG or PSH flags when initiating
TCP connections, you can specify flags S/SAFR to allow SYN, SYN URG, or SYN PSH packets
but not allow SYN ACK packets. When flags S/SAFR or flags S/SA are not required,
specifying flags S (or flags S/AFPRSU) is more secure.
The flags keyword is typically used with the keep state feature, as described in Section 3.5.6.2
(page 23).
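The matching semantics described above (flags listed in flags_checked but not in flags must be clear, unchecked flags are ignored, and an omitted /flags_checked means all of AFPRSU are checked) can be worked through in code. This is an added example, not part of the guide or of IPFilter itself; the function names and the sample segments are constructed for illustration.

```python
# Added example (not from the HP-UX IPFilter guide): evaluate the
# 'flags flags[/flags_checked]' option against TCP control bits.

# RFC 793 control bits, keyed by the initial letter IPFilter uses.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "AFPRSU"  # checked when /flags_checked is omitted

def flag_mask(letters):
    """Convert a letter sequence such as 'SA' to a bitmask."""
    mask = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError("unknown TCP flag letter: %r" % ch)
        mask |= TCP_FLAG_BITS[ch]
    return mask

def parse_flags_option(spec):
    """Return (must_be_set, checked) masks for 'flags[/flags_checked]'.

    Without /flags_checked every flag is checked, so 'S' == 'S/AFPRSU'.
    """
    want, _, checked = spec.partition("/")
    want_mask = flag_mask(want)
    checked_mask = flag_mask(checked or ALL_FLAGS)
    if want_mask & ~checked_mask:
        raise ValueError("required flags must also be checked: %r" % spec)
    return want_mask, checked_mask

def rule_matches(spec, packet_flags):
    """Checked flags not listed in 'flags' must be clear; unchecked are ignored."""
    want_mask, checked_mask = parse_flags_option(spec)
    return (packet_flags & checked_mask) == want_mask

def demo():
    """Compare the specifications the text discusses on constructed segments."""
    segments = {"SYN": "S", "SYN ACK": "SA", "SYN PSH": "SP",
                "SYN URG": "SU", "SYN FIN": "SF"}
    return {spec: {name: rule_matches(spec, flag_mask(bits))
                   for name, bits in segments.items()}
            for spec in ("S", "S/SA", "S/SAFR")}
```

demo() shows that flags S accepts only a bare SYN, flags S/SA also lets SYN PSH, SYN URG and SYN FIN through, and flags S/SAFR admits SYN PSH and SYN URG while rejecting SYN ACK and SYN FIN.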
3.5.3 Specifying IP options: with opt and ipopts
IPFilter can filter packets based on IP options by using the with opt and with ipopts keywords.
Use the with opt keywords to filter packets with one or more IP options as follows:
with opt option[,option]
where option is one of the following abbreviations for an IP option:
addext (Address Extension)
3.5 Protocol options: TCP flags, IP options and fragments, ICMP types and state information 21