HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3
NOTE: If your topology matches the following conditions, your system may mark gateways
"down" and the system will lose connectivity to remote systems through those gateways.
• The local system is an HP-UX 11i v1 system without patch PHNE_35351 or later installed, or
an HP-UX 11i v2 system without patch PHNE_35765 or later installed.
• The ip_ire_gw_probe feature is enabled (ip_ire_gw_probe is set to 1).
• IPFilter is configured to block ICMP echo requests and echo reply messages to or from the
gateways. This includes IPFilter configurations that block all messages from a subnet address
that matches the gateway addresses.
11.2.1.1 IPFilter configuration
When ip_ire_gw_probe is enabled, you must configure IPFilter to allow ICMP Echo Request (type 8,
code 0) and Echo Reply messages (type 0, code 0) to pass to and from the gateways. In the following
example, the router addresses are 10.10.10.10 and 10.20.20.20:
pass out quick proto icmp from any to 10.10.10.10 icmp-type echo
pass in quick proto icmp from 10.10.10.10 to any icmp-type echorep
pass out quick proto icmp from any to 10.20.20.20 icmp-type echo
pass in quick proto icmp from 10.20.20.20 to any icmp-type echorep
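As an added example that is not part of the guide, the following Python script parses the rule subset used in this section, applies IPFilter's evaluation order (last matching rule decides, a matching quick rule stops evaluation, no match passes) and reports gateways whose echo request or echo reply a ruleset would block, including the subnet-wide block case the note above warns about. The sample ruleset, the local address 10.1.1.5 and the function names are constructed for this example; it assumes IPv4 addresses and one rule per line.

```python
import ipaddress
import re

# Constructed sample ruleset (not from the guide): a subnet-wide block that also
# covers gateway 10.20.20.20, followed by the per-gateway exceptions shown above.
SAMPLE_RULES = """
block in quick proto icmp from 10.20.0.0/16 to any
pass out quick proto icmp from any to 10.10.10.10 icmp-type echo
pass in quick proto icmp from 10.10.10.10 to any icmp-type echorep
pass out quick proto icmp from any to 10.20.20.20 icmp-type echo
pass in quick proto icmp from 10.20.20.20 to any icmp-type echorep
block in all
"""
ICMP_TYPES = {"echo": 8, "echorep": 0}  # icmp-type names used in this section
RULE = re.compile(r"^(pass|block) (in|out)( quick)? (?:(all)|proto (\w+) from (\S+) to (\S+)"
                  r"(?: icmp-type (\S+))?)$")

def parse_rules(text):
    """Parse the ipf.conf subset used in this section (one rule per line) into dicts."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        action, direction, quick, is_all, proto, src, dst, itype = m.groups()
        net = lambda a: None if is_all or a == "any" else ipaddress.ip_network(a, strict=False)
        rules.append({"action": action, "dir": direction, "quick": bool(quick),
                      "proto": None if is_all else proto, "src": net(src), "dst": net(dst),
                      "icmp_type": None if itype is None else int(ICMP_TYPES.get(itype, itype))})
    return rules

def evaluate(rules, direction, proto, src, dst, icmp_type=None):
    """Last matching rule decides, unless a match is 'quick' (stops); no match passes."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"
    for r in rules:
        if (r["dir"] == direction and r["proto"] in (None, proto)
                and (r["src"] is None or src in r["src"])
                and (r["dst"] is None or dst in r["dst"])
                and r["icmp_type"] in (None, icmp_type)):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

def audit_gateway_probes(rules, local_ip, gateways):
    """Gateways whose outbound echo (type 8) or inbound echo reply (type 0) is blocked."""
    return [gw for gw in gateways
            if evaluate(rules, "out", "icmp", local_ip, gw, 8) != "pass"
            or evaluate(rules, "in", "icmp", gw, local_ip, 0) != "pass"]
```

Run against the sample, the audit flags 10.20.20.20 because the quick subnet block is evaluated before the gateway exception and stops evaluation, even though the exception rule is present.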
11.2.2 ICMP source quench: ip_send_source_quench
The ip_send_source_quench parameter enables or disables the ICMP source quench feature.
If you enable this feature, the system will send ICMP source quench messages if the inbound buffer
of an upper-layer module (TCP or UDP) is full.
HP recommends that you disable this feature in security-conscious topologies. Attackers can exploit
systems that send ICMP source quench messages to discover the IP addresses of systems on a
network.
Parameter name           Valid values   Default value
ip_send_source_quench    0 (disable)    1
                         1 (enable)
11.2.2.1 IPFilter configuration
If you want to use the ICMP send source quench feature, configure IPFilter to allow outbound ICMP
source quench packets (type 4). For example:
pass out quick proto icmp from any to any icmp-type 4
11.2.3 ICMP redirects: ip_send_redirects
The ip_send_redirects parameter enables or disables ICMP redirect transmissions. ICMP
redirects are generally used by hosts to communicate alternate or optimal routes. If a forged ICMP
redirect message is processed by a host, the routing table can be compromised and it may route
subsequent traffic through an unsafe route. A forged ICMP redirect message can also cause a
Denial of Service (DoS) attack by redirecting packets to nonexistent routers.
This feature is useful only on systems that are IP routers. If the local system is not an IP router, HP
recommends that you disable this feature.
Parameter name           Valid values   Default value
ip_send_redirects        0 (disable)    1
                         1 (enable)
11.2 Configuring ICMPv4 kernel parameters 75