HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

11.2.3.1 IPFilter configuration
HP recommends that you configure IPFilter to process ICMP redirect messages as follows:
End systems
On end systems, block all inbound ICMP redirect messages without logging them. Block all
outbound ICMP redirect messages (end systems have no need to send ICMP redirect messages).
For example:
block in quick proto icmp from any to any icmp-type redir
block out quick proto icmp from any to any icmp-type redir
Routers
On IP routers, allow outbound ICMP redirect messages (type 5) to pass. For example:
pass out quick proto icmp from any to any icmp-type redir
11.2.4 PMTU discovery: ip_pmtu_strategy
The ip_pmtu_strategy parameter enables or disables path maximum transmission unit (PMTU)
discovery. When PMTU discovery is disabled, IP sends packets with the "Don't Fragment" bit
cleared, so intermediate nodes may fragment them. To avoid that fragmentation, IP generally
selects conservative (small) values for the MTU, which can decrease IP throughput.
Parameter name: ip_pmtu_strategy
Valid values:
    0 (disable and use 576 bytes as the PMTU)
    1 (enable)
    2 (deprecated)
    3 (disable and use the link-local MTU as the PMTU)
Default value: 1
11.2.4.1 IPFilter configuration
If PMTU discovery is enabled (the default setting), you must configure IPFilter to allow ICMP
Destination Unreachable, Fragmentation Needed (type 3, code 4) messages. For example:
pass in quick proto icmp from any to 10.1.1.1 icmp-type 3 code 4
If you configure IPFilter to block ICMP Fragmentation Needed messages, you must disable path
MTU discovery to ensure full connectivity to remote nodes not attached to a local link. In this case,
HP recommends that you set ip_pmtu_strategy to 3 if this value is supported on your system,
or to 0 if it is not supported. Note that for IPv4, the link-local MTU can be as low as 68 bytes.
Setting ip_pmtu_strategy to 0 or 3 can significantly decrease IP throughput.
11.2.5 ICMP echo request broadcasts: ip_respond_to_echo_broadcast
A ping message (ICMP echo request) to a broadcast address solicits responses from multiple systems
and can generate a lot of network traffic. In security-conscious environments, HP recommends that
you disable responses to broadcast echo requests.
Parameter name: ip_respond_to_echo_broadcast
Valid values:
    0 (disable)
    1 (enable)
Default value: 1
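The three recommendations in 11.2.3.1, 11.2.4.1 and 11.2.5 interact: the ICMP rules in ipf.conf are only correct relative to the ndd tunables, and a ruleset that blocks type 3 code 4 while ip_pmtu_strategy is still 1 silently breaks connectivity to remote networks. The following audit script is an added example written for this guide, not HP code or part of the product. It parses only the rule shape the guide shows (block or pass, in or out, optional quick, proto icmp, from/to, optional icmp-type and code), applies IPFilter's matching semantics (the last matching rule wins, a matching quick rule ends evaluation, and a packet with no matching rule passes), and reports mismatches between the rules and the tunables. The ruleset, the ndd values and the host address 10.1.1.1 are constructed for the example.

```python
"""Audit an HP-UX IPFilter ICMP policy against the ndd tunables it depends on.

Added example for this guide, not HP code.  It understands only the rule
syntax shown in the guide:
    block|pass in|out [quick] proto icmp from A to B [icmp-type T [code C]]
The sample ruleset, tunable values and host address are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Symbolic names IPFilter accepts after icmp-type, mapped to ICMP type numbers.
ICMP_TYPES = {"echorep": 0, "unreach": 3, "redir": 5, "echo": 8}

RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\s+(?P<quick>quick\s+)?"
    r"proto\s+icmp\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+icmp-type\s+(?P<type>\S+))?(?:\s+code\s+(?P<code>\d+))?$"
)

# Constructed end-system ruleset with one mistake: the third rule blocks the
# Fragmentation Needed messages that PMTU discovery relies on, and because it
# is 'quick' the later 'pass ... unreach' rule never sees them.
SAMPLE_RULES = """\
block in quick proto icmp from any to any icmp-type redir
block out quick proto icmp from any to any icmp-type redir
block in quick proto icmp from any to 10.1.1.1 icmp-type 3 code 4
pass in quick proto icmp from any to any icmp-type unreach
"""
SAMPLE_NDD = {"ip_pmtu_strategy": 1, "ip_respond_to_echo_broadcast": 1}

# Corrected policy: pass type 3 code 4 inbound and stop answering broadcast pings.
FIXED_RULES = SAMPLE_RULES.replace(
    "block in quick proto icmp from any to 10.1.1.1",
    "pass in quick proto icmp from any to 10.1.1.1")
FIXED_NDD = {"ip_pmtu_strategy": 1, "ip_respond_to_echo_broadcast": 0}


@dataclass
class Rule:
    action: str            # "block" or "pass"
    direction: str         # "in" or "out"
    quick: bool
    dst: str               # "any" or a literal address
    icmp_type: Optional[int]   # None means any type
    code: Optional[int]        # None means any code

    def matches(self, direction: str, icmp_type: int, code: int, dst: str) -> bool:
        if self.direction != direction:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        if self.icmp_type is not None and self.icmp_type != icmp_type:
            return False
        if self.code is not None and self.code != code:
            return False
        return True


def parse_rules(text: str) -> List[Rule]:
    """Parse the ICMP rules of an ipf.conf; other rules are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        t, c = m.group("type"), m.group("code")
        icmp_type = None if t is None else ICMP_TYPES.get(t, None)
        if t is not None and icmp_type is None:
            icmp_type = int(t)           # numeric icmp-type
        rules.append(Rule(m.group("action"), m.group("dir"),
                          m.group("quick") is not None, m.group("dst"),
                          icmp_type, None if c is None else int(c)))
    return rules


def verdict(rules: List[Rule], direction: str, icmp_type: int, code: int, dst: str) -> str:
    """IPFilter semantics: last matching rule wins, a matching 'quick' rule
    ends evaluation, and a packet that matches nothing passes."""
    result = "pass"
    for r in rules:
        if r.matches(direction, icmp_type, code, dst):
            result = r.action
            if r.quick:
                break
    return result


def audit(rules: List[Rule], ndd: Dict[str, int], role: str, host: str) -> List[str]:
    """role is 'end' (end system) or 'router'; host is this system's address."""
    findings: List[str] = []
    strategy = ndd.get("ip_pmtu_strategy", 1)                 # HP-UX default is 1
    if strategy == 1 and verdict(rules, "in", 3, 4, host) == "block":
        findings.append("ip_pmtu_strategy=1 but inbound ICMP type 3 code 4 is blocked")
    if strategy == 2:
        findings.append("ip_pmtu_strategy=2 is deprecated")
    if verdict(rules, "in", 5, 0, host) == "pass":
        findings.append("inbound ICMP redirect (type 5) is not blocked")
    out_redir = verdict(rules, "out", 5, 0, "any")            # unspecified remote
    if role == "end" and out_redir == "pass":
        findings.append("end system allows outbound ICMP redirect (type 5)")
    if role == "router" and out_redir == "block":
        findings.append("router blocks outbound ICMP redirect (type 5)")
    if ndd.get("ip_respond_to_echo_broadcast", 1) == 1:       # HP-UX default is 1
        findings.append("ip_respond_to_echo_broadcast=1: answers broadcast pings")
    return findings


if __name__ == "__main__":
    for label, rules, ndd in (("sample", SAMPLE_RULES, SAMPLE_NDD),
                              ("fixed", FIXED_RULES, FIXED_NDD)):
        print(label, audit(parse_rules(rules), ndd, "end", "10.1.1.1") or "OK")
```

On a real system the tunable values come from ndd -get /dev/ip ip_pmtu_strategy and ndd -get /dev/ip ip_respond_to_echo_broadcast, and the rules from the active ipf.conf. Note that the check for outbound redirects deliberately reports the end-system policy as wrong when audited with role "router": the same ruleset cannot satisfy both recommendations.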
76 HP-UX IPFilter and ICMP