HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3
cipso (Commercial Security)
e-sec (Extended Security)
eip (Extended Internet Protocol)
encode (Encode)
finn (Flow Control - experimental)
imitd (IMI Traffic Descriptor)
lsrr (Loose Source Route, or Loose Source Record Route)
mtup (MTU Probe - decremented)
mtur (MTU Response - decremented)
nop (No Operation)
rr (Record Route)
satid (Stream ID)
sec (Security)
ssrr (Strict Source Route, or Strict Source Record Route)
tr (Traceroute)
ts (Time Stamp)
visa (Access Control - experimental)
zsu (Measurement - experimental)
The IANA list of assigned IP option numbers specifies the numeric values for the IP options and
lists the documents that define these options. This list is available on the IANA website:
http://www.iana.org/assignments/ip-parameters
For example, the following rule blocks all incoming IP packets that have both the Loose Source Record
Route (LSRR) and the Strict Source Record Route (SSRR) option set:
block in quick all with opt lsrr, ssrr
Every option in a comma-separated opt list must be present for the rule to match, so this rule does
not select a packet that carries only one of the two options. To block packets that carry either
option, use a separate rule for each option.
3.5.3.1 Specifying options not set: not opt
You can also configure rules to pass or block packets that do not have a specific option set:
with [opt option] not opt option
For example:
pass in from any to any with opt ssrr not opt lsrr
3.5.3.2 Specifying any IP options: ipopts
Use the keywords with ipopts to select packets with any IP options set or with not ipopts
to select packets that have no IP options set. For example:
block in all with ipopts
3.5.4 Selecting fragmented IP packets: with frag and with short
The with frag and with short keywords enable you to select IP packet fragments and short
IP packets.
3.5.4.1 Selecting IP packet fragments: with frag
The with frag keyword selects IP packet fragments, that is, packets with the More Fragments flag set or
a non-zero fragment offset. This includes the first fragment of a datagram, which is the only fragment
that carries the transport-layer header.
If you do not want IPFilter to pass IP packet fragments, specify the block action and the with
frag keywords. For example:
block in all with frag
3.5.4.2 Selecting short fragments: with short
You can configure IPFilter to drop packets and packet fragments that are too short for comparison, that
is, a first fragment (or an unfragmented packet) whose payload does not contain the complete TCP, UDP or
ICMP header, using the with short keyword. This is useful for security purposes, because an attacker
can split a packet into fragments this small so that the ports and flags your other rules examine are
absent from the first fragment and cannot be compared (the tiny fragment attack). For example:
22 Configuring and loading IPv4 filter rules
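The following Python program is an added example; it is not part of the HP-UX IPFilter guide or of the IPFilter code base. It parses the IPv4 header and option list of a few constructed packets, maps each option type byte (values from the IANA ip-parameters registry) to the keyword used in section 3.5.3, and then evaluates the with opt, not opt, ipopts, frag and short tests of sections 3.5.3 and 3.5.4 with IPFilter's semantics: every option in a comma-separated opt list must be present, ipopts is true when the header carries any option, frag is true for any fragment including the first, and short is true when the IP header is truncated or a first fragment does not hold the full transport header. The packet builder ipv4(), the dictionary form of the rules, the packet names and the assumed minimum transport header sizes (20 bytes for TCP, 8 for UDP and ICMP) are assumptions made for this example.

```python
import struct

# Option type byte (copy/class/number) -> IPFilter keyword, numbers from the IANA
# ip-parameters registry. Option 0 (eol) and 1 (nop) are single bytes; all others are TLVs.
OPTION_NAMES = {
    1: "nop", 7: "rr", 10: "zsu", 11: "mtup", 12: "mtur", 15: "encode", 68: "ts", 82: "tr",
    130: "sec", 131: "lsrr", 133: "e-sec", 134: "cipso", 136: "satid", 137: "ssrr",
    142: "visa", 144: "imitd", 145: "eip", 205: "finn",
}
# Assumed minimum transport header a first fragment must carry: TCP 20, UDP 8, ICMP 8 bytes.
MIN_TRANSPORT_HDR = {6: 20, 17: 8, 1: 8}


def parse_options(raw):
    """Return the set of option keywords found in the bytes after the fixed 20-byte header."""
    names, i = set(), 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # eol ends the list (also used as padding)
            break
        if kind == 1:                      # nop has no length byte
            names.add("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option length at offset %d" % i)
        names.add(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += raw[i + 1]
    return names


def packet_info(pkt):
    """Extract what the 'with ipopts/opt/frag/short' tests look at from one IPv4 packet."""
    info = {"options": set(), "ipopts": False, "frag": False, "short": False}
    if len(pkt) < 20:                      # header truncated: nothing can be compared
        info["short"] = True
        return info
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    offset = (flags_off & 0x1FFF) * 8
    info["frag"] = bool(flags_off & 0x2000) or offset > 0   # MF set or non-zero offset
    if ihl < 20 or total_len < ihl or len(pkt) < ihl:
        info["short"] = True
        return info
    info["options"] = parse_options(pkt[20:ihl])
    info["ipopts"] = ihl > 20
    # Tiny-fragment check: a first fragment (or an unfragmented packet) that does not hold the
    # whole transport header leaves no ports or flags for the other rule tests to compare.
    if offset == 0 and min(total_len, len(pkt)) - ihl < MIN_TRANSPORT_HDR.get(pkt[9], 0):
        info["short"] = True
    return info


def rule_matches(rule, info):
    """Evaluate a rule's 'with' clause. The 'opt' list is a conjunction: every listed
    option must be present, and every 'not_opt' option must be absent."""
    if rule.get("short") and not info["short"]:
        return False
    if rule.get("frag") and not info["frag"]:
        return False
    if "ipopts" in rule and rule["ipopts"] != info["ipopts"]:
        return False
    if not set(rule.get("opt", ())) <= info["options"]:
        return False
    if set(rule.get("not_opt", ())) & info["options"]:
        return False
    return True


def ipv4(options=b"", payload=b"", proto=6, more_frags=False, offset=0):
    """Build a constructed IPv4 packet (header checksum left zero; it is not checked here)."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad the option list to 32 bits with eol
    ihl = 5 + len(opts) // 4
    flags_off = (0x2000 if more_frags else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      flags_off, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + opts + payload


# Constructed sample packets: LSRR/SSRR each carry one hop; the TCP header is 20 bytes with
# only the ports (80 -> 1234) filled in.
LSRR = b"\x83\x07\x04" + bytes([192, 0, 2, 1])
SSRR = b"\x89\x07\x04" + bytes([192, 0, 2, 2])
TCP_HDR = b"\x00\x50\x04\xd2" + b"\x00" * 16
PACKETS = {
    "plain":      ipv4(payload=TCP_HDR),
    "lsrr":       ipv4(options=LSRR, payload=TCP_HDR),
    "ssrr":       ipv4(options=SSRR, payload=TCP_HDR),
    "both":       ipv4(options=LSRR + SSRR, payload=TCP_HDR),
    "first_frag": ipv4(payload=TCP_HDR + b"x" * 4, more_frags=True),
    "tiny_frag":  ipv4(payload=TCP_HDR[:8], more_frags=True),   # ports only, no TCP flags
    "later_frag": ipv4(payload=b"y" * 16, offset=24),
}

# The guide's rules reduced to their 'with' clause (hypothetical dictionary form).
RULES = {
    "block in quick all with opt lsrr, ssrr": {"opt": ["lsrr", "ssrr"]},
    "block in all with opt lsrr": {"opt": ["lsrr"]},
    "block in all with opt ssrr": {"opt": ["ssrr"]},
    "pass in from any to any with opt ssrr not opt lsrr": {"opt": ["ssrr"], "not_opt": ["lsrr"]},
    "block in all with ipopts": {"ipopts": True},
    "block in all with frag": {"frag": True},
    "block in all with short": {"short": True},
}


def matching_packets(rule_text):
    """Names of the constructed packets whose 'with' tests the given rule satisfies."""
    rule = RULES[rule_text]
    return sorted(n for n, p in PACKETS.items() if rule_matches(rule, packet_info(p)))
```

Calling matching_packets() for each entry of RULES shows the point of the opt list semantics: "block in quick all with opt lsrr, ssrr" selects only the packet that carries both options, while the two single-option rules between them cover a packet carrying either. The frag rule selects the first fragment, the later fragment and the tiny first fragment, whereas the short rule selects only the tiny first fragment, whose 8-byte payload holds the TCP ports but not the flags.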