HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

For example, the following ruleset uses the flags S specification to select packets for telnet
connection requests (TCP port 23) sent from the local system (10.1.1.1). The keep state keywords
also allow subsequent TCP packets for these connections to pass. These rules allow only the
following packets:
• Outbound TCP connection requests (TCP SYN flag set and no other flags set) for telnet (port 23)
• The packets used to finish establishing the TCP connections for the outbound telnet requests
• Inbound and outbound packets for the established telnet connections

    pass out quick proto tcp from 10.1.1.1/32 to any port = 23 flags S keep state
    block in quick all
    block out all

With the previous ruleset, IPFilter enters the first packet of an outbound telnet connection in the
state table. When the three-way TCP handshake has been recorded by the state engine, the
connection is marked as fully established (the state is set to 4/4). The state table entry is set for
long-term data exchange until the connection ends; at that time the state changes again. You can
see the current states for entries in the state table using ipfstat. For more information, see
Section 9.1 (page 54).
The flags keyword also prevents badly formed TCP packets from entering your system. For example,
you can configure a web server (10.2.2.2) with the following ruleset:

    pass in quick proto tcp from any to 10.2.2.2/32 port = 80 flags S keep state
    block in quick all
    block out all

With the previous ruleset, IPFilter allows in valid connection requests (TCP packets with only the
SYN flag set) for the HTTP service (TCP port 80). The keep state keywords direct IPFilter to
enter packet information in the state table to allow subsequent packets for those connections. This
ruleset has two advantages:
• No badly formed TCP packets are allowed in or added to the state table.
• TCP port scan attacks that send TCP packets with inappropriate flags set, such as FIN scan
attacks, will fail. In FIN scan attacks, an attacker sends TCP packets with the SYN and FIN flags
set to elicit TCP RST packets and determine which ports on a system are open for connection requests.
NOTE: The keep state keyword can create state entries even for packets that belong to the
middle of an existing connection. The only exception is when the rule specifies flags S. In this
case, IPFilter creates a state table entry only when it sees a TCP packet with the SYN flag set,
and TCP sends such packets only at connection establishment time.
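The following toy model is added here and is not taken from the HP-UX guide. It shows why flags S matters for the web-server ruleset above: a constructed client (198.51.100.7) completes a handshake, then FIN, SYN/FIN and bare-ACK probes arrive from other ports; with flags S only the SYN-only segment can create a state entry, without it every probe does. The filter class, packet layout and client address are assumptions for illustration, and IPFilter's real state engine (state numbers, teardown, idle timeout) is not modelled.

```python
from collections import namedtuple

SYN, ACK, FIN = 0x02, 0x10, 0x01                  # TCP flag bits used below
SERVER, HTTP = "10.2.2.2", 80                     # the web server from the ruleset
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatefulFilter:
    """Models 'pass in quick proto tcp from any to 10.2.2.2/32 port = 80 [flags S]
    keep state', 'block in quick all', 'block out all'. No teardown/timeouts."""

    def __init__(self, flags_s):
        self.flags_s = flags_s          # True when the rule carries 'flags S'
        self.state = set()              # state table: one entry per connection

    @staticmethod
    def _key(p):
        # a frozenset of both endpoints matches the entry in either direction
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p, direction):
        if self._key(p) in self.state:  # keep state: later packets pass both ways
            return "pass (state)"
        if direction == "in" and p.dst == SERVER and p.dport == HTTP:
            # 'flags S': only a segment with exactly SYN set may create state;
            # without it any matching segment, even mid-connection, creates one
            if not self.flags_s or p.flags == SYN:
                self.state.add(self._key(p))
                return "pass (new state)"
        return "block"                  # block in quick all / block out all


def demo(flags_s):
    """Legitimate handshake from a constructed client, then three probes."""
    fw, client = StatefulFilter(flags_s), "198.51.100.7"
    def to_srv(sport, flags):           # inbound segment from the client
        return fw.filter(Packet(client, sport, SERVER, HTTP, flags), "in")
    def from_srv(sport, flags):         # outbound reply from the server
        return fw.filter(Packet(SERVER, HTTP, client, sport, flags), "out")
    return {
        "handshake_syn": to_srv(40000, SYN),
        "handshake_synack": from_srv(40000, SYN | ACK),
        "handshake_ack": to_srv(40000, ACK),
        "fin_probe": to_srv(40001, FIN),           # FIN scan probe
        "synfin_probe": to_srv(40002, SYN | FIN),  # SYN/FIN probe
        "midstream_ack": to_srv(40003, ACK),       # no SYN was ever seen
    }
```

Compare demo(True) with demo(False): the handshake passes in both, but only the flags S version blocks the three probes instead of adding them to the state table.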
3.5.6.2.1 Idle timeout
By default, IPFilter keeps TCP state table entries for idle, established TCP connections for 86,400
seconds (24 hours). If the connection is idle (no packets match the entry) for this time period, IPFilter
deletes the entry.
You can change the idle timeout value for TCP entries by modifying the fr_tcpidletimeout
kernel parameter. See Section C.2 (page 112) for more information.
3.5.6.3 Using keep state with UDP
You can configure IPFilter rules for UDP connections using the keep state keyword. IPFilter adds
an entry to the state table that matches packets meeting the filter specification in both directions.
For example:

    pass out on lan0 proto udp from any to any port 33434><33690 keep state

A state entry is added for incoming UDP connections. The state entry is deleted from the state table
if any one of the following conditions is met:
24 Configuring and loading IPv4 filter rules