HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3
You can override the default time that a closed TCP connection stays in the state table by using
the fr_tcptimewait tunable (system-wide) or by using the age option on a per-rule basis. A value
specified in a rule takes priority over the tunable value set at the system level.
The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, only TCP is
supported. NAT provides the frnat_tcptimewait tunable to set the system level timeout.
NOTE: This option is available only on HP-UX 11i v3.
3.5.7.1 Rule examples
To pass outbound ICMP echo requests and keep the state entry for 30 seconds while waiting for the
ICMP echo reply:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state age 30
To keep the UDP state entry for 40 seconds while waiting for the UDP reply:
pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40
IMPORTANT: Use age in a TCP rule only when you are mitigating a DoS-type attack (an ACK flood
and so forth), because it shortens the TIME_WAIT timeout in the TCP state table, which can cause
duplicate Initial Sequence Numbers (ISN).
To keep the TCP state entry for 60 seconds after the connection has been closed:
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60
3.5.8 Handling IP fragments: keep frags
You can configure IPFilter to remember the packets it has passed and to match the subsequent
fragments of those packets. The keep frags keyword lets IPFilter pass the fragments that belong to a
packet that matched the rule, while still blocking stray fragments that might be forgeries or part
of a port scan against the system.
The keep frags option is valid only when used together with the keep state option.
In the following example, the first two rules define the valid packets that are allowed to pass. The
keep state and keep frags keywords let the IP fragments belonging to those packets pass as well.
The third and fourth rules block and log all other packets.
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state keep frags
pass out quick on lan0 proto tcp from any to any flags S keep state keep frags
block in log quick all
block out log quick all
In this example, every valid packet is entered into the state table before the blocking rules are
processed. To further protect the system, log the initial SYN packets (for example, by adding the
log keyword to the first pass rule, which matches only connection-initiating SYN packets) so that
SYN scans can be detected.
3.6 Sending responses for blocked TCP and UDP packets
When you use the block keyword, IPFilter drops the blocked packet and sends no response to the
remote system that sent it. This silence can itself be a security risk, because it can alert an
attacker that a packet filter is running on the system: a host without a filter would answer with a
TCP reset or an ICMP unreachable message. You can use the return-rst and return-icmp-as-dest
keywords to send the response that a blocked packet would otherwise have received.
3.6.1 Responding to blocked TCP packets: return-rst
When a TCP packet arrives for a port that is not open, or is inappropriate for the current state
of the connection, TCP normally answers with a reset (RST) segment. The return-rst keyword directs
IPFilter to return an RST packet to the sender of a blocked packet. The return-rst keyword is valid
in the following rules:
• Rules that block inbound packets (block in rules).
• Dynamic Connection Allocation (DCA) rules (keep limit rules), as shown in Section 5.3
(page 35).
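The constraints stated in Sections 3.5.7, 3.5.8 and 3.6.1 (age only on ICMP, UDP and TCP filter rules and risky on TCP; keep frags only together with keep state; return-rst only in block in rules or keep limit rules, and only meaningful for TCP) are easy to get wrong in a large ipf.conf. The following script, an added example that is not part of HP-UX IPFilter or of this guide, audits a filter-rule file for those constraints before you load it. It assumes the pass/block rule syntax shown on this page, recognises DCA rules only by the presence of a keep limit keyword, and skips NAT (map, rdr, bimap) rules, whose syntax it does not parse. The sample rule set embedded in it is constructed for the demonstration.

```python
"""Static checks for an IPFilter filter-rule file (ipf.conf style).

Added example based on the constraints the guide states; it is not HP-UX
IPFilter code. Only pass/block filter rules are parsed; NAT rules (map, rdr,
bimap) are skipped, and DCA rules are recognised only by the keep limit keyword.
"""
from dataclasses import dataclass, field
from typing import Optional

STATE_PROTOS = {"icmp", "udp", "tcp"}  # protocols the age option is documented for


@dataclass
class Rule:
    action: str
    direction: Optional[str] = None
    protos: set = field(default_factory=set)
    keep: set = field(default_factory=set)
    age: Optional[int] = None
    return_rst: bool = False


def parse_rule(text: str) -> Rule:
    """Pull out the handful of tokens the checks need; everything else is ignored."""
    toks = text.split()
    rule = Rule(action=toks[0], return_rst="return-rst" in toks)
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok in ("in", "out") and rule.direction is None:
            rule.direction = tok
        elif tok == "proto" and nxt:
            rule.protos = set(nxt.split("/"))  # "proto tcp/udp" is legal ipf syntax
        elif tok == "keep" and nxt:
            rule.keep.add(nxt)                 # state, frags or limit
        elif tok == "age" and nxt:
            rule.age = int(nxt)
    return rule


def check_rule(rule: Rule) -> list:
    """Return (level, message) findings for one parsed rule."""
    findings = []
    if "frags" in rule.keep and "state" not in rule.keep:
        findings.append(("error", "keep frags is only valid together with keep state"))
    if rule.age is not None:
        if not rule.protos or not rule.protos <= STATE_PROTOS:
            findings.append(("error", "age is supported only on ICMP, UDP and TCP filter rules"))
        elif "tcp" in rule.protos:
            findings.append(("warning",
                             "age on a TCP rule shortens TIME_WAIT; use only as DoS mitigation"))
    if rule.return_rst:
        if "tcp" not in rule.protos:
            findings.append(("error", "return-rst sends a TCP RST; the rule must be proto tcp"))
        if not (rule.action == "block" and rule.direction == "in") and "limit" not in rule.keep:
            findings.append(("error",
                             "return-rst is valid only in block in rules or keep limit (DCA) rules"))
    return findings


def audit(conf: str) -> list:
    """Audit a whole rule file; returns (line number, level, message) tuples."""
    out = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body or body.split()[0] in ("map", "rdr", "bimap"):  # NAT rules not handled
            continue
        for level, msg in check_rule(parse_rule(body)):
            out.append((lineno, level, msg))
    return out


# Constructed sample rule set (not from the guide); lines 3, 5, 7, 8 and 9 trip checks.
SAMPLE_CONF = """\
pass out on lan0 proto icmp from any to any icmp-type 8 keep state age 30
pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state keep frags
pass in quick on lan0 proto tcp from any to any flags S keep frags
block return-rst in quick on lan0 proto tcp from any to any port = 113
block return-rst out quick on lan0 proto tcp from any to any port = 113
block return-rst in quick on lan0 proto udp from any to any port = 514
pass in quick on lan0 all keep state age 60
block in log quick all
"""

if __name__ == "__main__":
    for lineno, level, msg in audit(SAMPLE_CONF):
        print(f"line {lineno}: {level}: {msg}")
```

Run it against your own file with `audit(open("/etc/opt/ipf/ipf.conf").read())` before `ipf -Fa -f`; errors are rules IPFilter will reject or that the guide says are unsupported, while the TCP age warning flags a setting that is legitimate only as a DoS mitigation.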
26 Configuring and loading IPv4 filter rules