HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

11 HP-UX IPFilter and ICMP
11.1 Filtering ICMPv4 packets by type and code: icmp-type and code
You can filter specific types of ICMPv4 (ICMP) traffic using the icmp-type and code keywords.
These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service (DoS)
attacks, but must allow certain types of ICMP messages in and out of your system.
You must specify proto icmp to use the icmp-type and code keywords. A simplified rule
syntax is as follows:
block|pass in|out [processing_options] proto icmp ip_selector icmp-type type [code code_value]
where:
processing_options is one or more processing options, such as quick. See Section 3.4 (page 19).
ip_selector is the IP address specification, as defined in Section 3.2 (page 16).
type is the ICMP type, either the name listed in Table 2 (page 73), or the decimal value.
code_value is the decimal value for the ICMP code.
For example, if you want to specifically allow echo replies (ping replies) into your system, configure
the following rule:
pass in quick proto icmp from any to any icmp-type 0 code 0
Table 2 ICMP type and codes

Meaning                                                          icmp-type  icmp-code      Type  Code
ECHO REPLY (ping reply) [RFC792]                                 echorep                   0     0
DESTINATION UNREACHABLE                                          unreach                   3
    network unreachable                                                     net-unr              0
    host unreachable                                                        host-unr             1
    protocol unreachable                                                    proto-unr            2
    port unreachable [RFC792]                                               port-unr             3
    need fragmentation [RFC792]                                             needfrag             4
    source route failed [RFC792]                                            srcfail              5
    destination network unknown                                             net-unk              6
    destination host unknown                                                host-unk             7
    source host isolated [RFC792] (ping)                                    isolate              8
    destination network administratively prohibited [RFC1256]               net-prohib           9
    destination host administratively prohibited [RFC1256]                  host-prohib          10
    network unreachable for TOS [RFC792]                                    net-tos              11
    host unreachable for TOS [RFC792]                                       host-tos             12
    prohibited by filtering [RFC1812]                                       filter-prohib        13
    host precedence violation [RFC1812]                                     host-preced          14
    precedence cutoff in effect [RFC1812]                                   cutoff-preced        15
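The following is an added example, not part of the HP-UX IPFilter guide or of the IPFilter product itself. It is a small Python model of the simplified rule syntax above: it parses the pass/block ICMP rules, resolves the names from Table 2 to their numeric values, and evaluates a constructed ruleset against constructed inbound and outbound ICMP packets. It models the IPFilter ordering semantics that the guide defers to Section 3.4 (the last matching rule decides, unless a matching rule carries quick, which ends the search; a packet matching no rule is passed). The ip_selector is limited to from any to any or all, and the icmp-type clause is treated as optional so that a catch-all ICMP rule can be written; both are simplifications made for this example. The ruleset implements the policy the section describes: block most ICMP but let echo replies and fragmentation-needed messages in.

```python
import re
from typing import List, NamedTuple, Optional

# Names from Table 2 of the guide; numeric values are the IANA ICMPv4 assignments.
ICMP_TYPE_NAMES = {"echorep": 0, "unreach": 3}
ICMP_CODE_NAMES = {
    "net-unr": 0, "host-unr": 1, "proto-unr": 2, "port-unr": 3, "needfrag": 4,
    "srcfail": 5, "net-unk": 6, "host-unk": 7, "isolate": 8, "net-prohib": 9,
    "host-prohib": 10, "net-tos": 11, "host-tos": 12, "filter-prohib": 13,
    "host-preced": 14, "cutoff-preced": 15,
}

class Rule(NamedTuple):
    action: str                 # "block" or "pass"
    direction: str              # "in" or "out"
    quick: bool                 # stop searching if this rule matches
    icmp_type: Optional[int]    # None = any ICMP type
    code: Optional[int]         # None = any ICMP code

class Packet(NamedTuple):
    direction: str
    icmp_type: int
    code: int

# Simplified grammar from the guide; ip_selector restricted to "all" / "from any to any"
# and icmp-type made optional (assumptions for this example).
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\s+(?P<quick>quick\s+)?proto\s+icmp\s+"
    r"(?P<sel>all|from\s+any\s+to\s+any)"
    r"(?:\s+icmp-type\s+(?P<type>\S+)(?:\s+code\s+(?P<code>\S+))?)?\s*$"
)

def _resolve(token: str, names: dict) -> int:
    """Accept a decimal value or one of the Table 2 names."""
    if token.isdigit():
        return int(token)
    if token in names:
        return names[token]
    raise ValueError(f"unknown ICMP name: {token}")

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {line!r}")
    t, c = m.group("type"), m.group("code")
    return Rule(
        action=m.group("action"),
        direction=m.group("dir"),
        quick=m.group("quick") is not None,
        icmp_type=_resolve(t, ICMP_TYPE_NAMES) if t else None,
        code=_resolve(c, ICMP_CODE_NAMES) if c else None,
    )

def parse_ruleset(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # '#' starts a comment
        if line:
            rules.append(parse_rule(line))
    return rules

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.code is not None and rule.code != pkt.code:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Last matching rule wins unless a matching rule is 'quick'."""
    verdict = "pass"            # IPFilter passes a packet that matches no rule
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Constructed ruleset: admit ping replies and PMTU "need fragmentation", drop other inbound ICMP.
RULESET = """
pass in quick proto icmp from any to any icmp-type 0 code 0
pass in quick proto icmp from any to any icmp-type unreach code needfrag
block in proto icmp all
"""

# Same rules without 'quick': the trailing block rule now wins for every inbound ICMP packet.
RULESET_NO_QUICK = RULESET.replace(" quick", "")

if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for pkt in (Packet("in", 0, 0), Packet("in", 3, 4), Packet("in", 8, 0), Packet("out", 8, 0)):
        print(pkt, "->", evaluate(rules, pkt))
```

Running the block shows the echo reply and needfrag packets passed and the inbound echo request blocked; swapping in RULESET_NO_QUICK shows why the guide's example rule carries quick when a broad block rule follows it.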