HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

rdr
The rdr keyword redirects and translates destination addresses and port numbers for inbound
packets.
bimap
The bimap keyword translates addresses and port numbers for inbound and outbound packets.
age
The age option is supported in IPFilter rules for ICMP, UDP and TCP. In NAT rules, age is supported
only for TCP. NAT also provides the frnat_tcptimewait tunable to set the timeout at system level.
NOTE: This feature is available only on HP-UX 11i v3.
NOTE: The maximum number of concurrent NAT connections IPFilter supports is 16,383.
6.2.1 Rule examples
To pass outbound ICMP echo requests and keep the state entry for up to 30 seconds while waiting for
the ICMP reply:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state age 30
To keep a UDP state entry for up to 40 seconds while waiting for the UDP reply:
pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40
To keep a TCP state entry for 60 seconds after the connection has been closed:
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60
IMPORTANT: Use age in a TCP rule only when under a DoS-type attack (ACK flood and so forth),
because it modifies the timeout of the TIME_WAIT state in the TCP state table, which can lead to
duplicate Initial Sequence Numbers (ISN).
6.3 Mapping outbound packets: map and portmap
The map keyword rewrites (translates) the source address of outbound packets. When used with
the portmap keyword, map also translates UDP or TCP source port numbers. When an outbound packet
matches the selectors in a map rule, IPFilter rewrites the source IP address with the specified target
IP address and creates an entry in the map table. IPFilter consults this map table for both
inbound and outbound packets. Checking the map table for inbound packets lets IPFilter translate the
corresponding reply packets back to the original IP address and route them to the original host.
To map IP addresses, use the following syntax:
map interface_name source_ip -> target_ip
where:
interface_name is the name of the network interface used to transmit the packets. For example,
lan1.
source_ip is the source IP address. This can be a subnet address, or 0/0 to match any address.
target_ip is the target IP address. IPFilter translates the source IP address to the target IP address.
This is usually the IP address assigned to the interface. If the interface has a dynamically assigned
address, specify 0/32, and IPFilter uses the address currently assigned to the interface as the target
IP address.
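The following is an added illustration, not IPFilter's own code: a small Python model of the map
table behaviour described above. It shows an outbound packet having its source address (and, with
portmap, its source port) rewritten, the map table entry that is created, and the reverse lookup
that restores the original destination on the inbound reply. It also models the 0/32 target
(use the interface's current address) and the 16,383 concurrent NAT connection limit. All class and
function names are this example's own, the sample addresses are constructed, and the portmap
syntax quoted in the comments is assumed from ipnat rather than taken from this page.

```python
# Added illustration of IPFilter map/portmap translation; not IPFilter's own code.
import ipaddress
from dataclasses import dataclass, replace

MAX_NAT_ENTRIES = 16383          # concurrent NAT connection limit stated in the guide


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet is sent or received on
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class MapRule:
    """map <iface> <source_net> -> <target> [portmap <protos> <lo>:<hi>]  (portmap syntax assumed)"""
    iface: str
    source_net: str              # e.g. "192.168.1.0/24", or "0/0" for any address
    target: str                  # target address, or "0/32" for the interface's current address
    portmap: tuple = None        # (frozenset of protos, lo, hi) or None

    def matches(self, pkt):
        if pkt.iface != self.iface:
            return False
        net = "0.0.0.0/0" if self.source_net == "0/0" else self.source_net
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net, strict=False)


class NatTable:
    """Map table: one entry per translated flow, consulted in both directions."""

    def __init__(self, iface_addrs):
        self.iface_addrs = iface_addrs      # interface -> currently assigned address (hypothetical)
        self.rules = []
        self.out = {}    # (proto, src, sport, dst, dport) -> (new_src, new_sport)
        self.back = {}   # (proto, new_src, new_sport, dst, dport) -> (src, sport)

    def add_rule(self, rule):
        self.rules.append(rule)

    def _target_ip(self, rule):
        # 0/32 means "use whatever address the interface has right now"
        return self.iface_addrs[rule.iface] if rule.target == "0/32" else rule.target

    def _alloc_port(self, proto, new_src, pkt, lo, hi):
        # lowest port in the portmap range not already in use toward this destination
        for port in range(lo, hi + 1):
            if (proto, new_src, port, pkt.dst, pkt.dport) not in self.back:
                return port
        raise RuntimeError("portmap range exhausted")

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.out:                                  # existing flow: reuse its entry
            new_src, new_sport = self.out[key]
            return replace(pkt, src=new_src, sport=new_sport)
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if len(self.out) >= MAX_NAT_ENTRIES:
                raise RuntimeError("NAT table full")
            new_src = self._target_ip(rule)
            new_sport = pkt.sport                            # without portmap the port is left as is
            if rule.portmap and pkt.proto in rule.portmap[0]:
                new_sport = self._alloc_port(pkt.proto, new_src, pkt, rule.portmap[1], rule.portmap[2])
            self.out[key] = (new_src, new_sport)
            self.back[(pkt.proto, new_src, new_sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=new_src, sport=new_sport)
        return pkt                                           # no map rule matched: untouched

    def inbound(self, pkt):
        # a reply is addressed to the translated address/port; restore the original destination
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.back:
            orig_src, orig_sport = self.back[key]
            return replace(pkt, dst=orig_src, dport=orig_sport)
        return pkt                                           # no entry: left for the filter rules


def demo():
    # constructed sample: lan0 holds 20.20.20.1, lan1 has a dynamically assigned 203.0.113.7
    nat = NatTable({"lan0": "20.20.20.1", "lan1": "203.0.113.7"})
    # map lan0 192.168.1.0/24 -> 20.20.20.1/32 portmap tcp/udp 40000:60000   (constructed rule)
    nat.add_rule(MapRule("lan0", "192.168.1.0/24", "20.20.20.1", (frozenset({"tcp", "udp"}), 40000, 60000)))
    # map lan1 10.0.0.0/8 -> 0/32                                          (dynamic interface address)
    nat.add_rule(MapRule("lan1", "10.0.0.0/8", "0/32"))
    a = nat.outbound(Packet("lan0", "udp", "192.168.1.5", 1234, "198.51.100.9", 53))
    b = nat.outbound(Packet("lan0", "udp", "192.168.1.6", 1234, "198.51.100.9", 53))  # same port, new entry
    reply = nat.inbound(Packet("lan0", "udp", "198.51.100.9", 53, "20.20.20.1", a.sport))
    c = nat.outbound(Packet("lan1", "tcp", "10.2.3.4", 5555, "198.51.100.9", 80))
    stray = nat.inbound(Packet("lan0", "tcp", "198.51.100.9", 80, "20.20.20.1", 40001))  # no entry
    return a, b, reply, c, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Two hosts behind lan0 using the same source port get distinct translated ports, which is the
reason portmap exists; the inbound reply is matched on the translated address and port and
rewritten back to the original host, while an inbound packet with no map entry is left unchanged
for the filter rules to decide.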
6.3.1 Examples
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the
address 20.20.20.1 and transmits the packets using the lan0 interface: