HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

lsrr (Loose Source Route, or Loose Source Record Route)
mtup (MTU Probe - decremented)
mtur (MTU Response - decremented)
nop (No Operation)
rr (Record Route)
satid (Stream ID)
sec (Security)
ssrr (Strict Source Route, or Strict Source Record Route)
tr (Traceroute)
ts (Time Stamp)
visa (Access Control - experimental)
zsu (Measurement - experimental)
The IANA list of assigned IP option numbers specifies the numeric values for the IP options and
lists the documents that define these options. This list is available on the IANA website:
http://www.iana.org/assignments/ip-parameters
For example, the following rule blocks all IP packets with the Loose Source Record Route (LSRR) or
Strict Source and Record Route (SSRR) option set:
block in quick all with opt lsrr, ssrr
Specifying options not set: not opt
You can also configure rules to pass or block packets that do not have a specific option set:
with [opt option] not opt option
For example:
pass in from any to any with opt ssrr not opt lsrr
Specifying any IP options: ipopts
Use the keywords with ipopts to select packets with any IP options set or with not ipopts
to select packets that have no IP options set. For example:
block in all with ipopts
Selecting fragmented IP packets: with frag and with short
The with frag and with short keywords enable you to select IP packet fragments and short
IP packets.
Selecting IP packet fragments: with frag
The with frag keyword selects IP packet fragments (IP packets with a non-zero fragment offset).
If you do not want IPFilter to pass IP packet fragments, specify the block action and the with
frag keywords. For example:
block in all with frag
Selecting short fragments: with short
You can configure IPFilter to drop packet fragments that are too short to be compared against your
rules using the with short keyword. This is useful for security purposes, because an attacker can
send deliberately short fragments in an attempt to get traffic past the filter and reach the system.
For example:
block in all with short
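To make the attributes these keywords test concrete, the following Python model classifies raw IPv4 packets the way the rules above do (with opt, not opt, ipopts, frag and short) and evaluates the guide's example rules against constructed packets. It is an added example, not code from the guide or from HP-UX IPFilter: the option type values come from the IANA registry the guide links to; the definition of "short" (a first fragment too small to carry a complete transport header) and the reading of a comma-separated opt list as "any of these options", which follows the guide's LSRR-or-SSRR description, are this example's assumptions, and all packets and addresses are constructed.

```python
import struct

# IP option type values from the IANA ip-parameters registry, keyed by the
# names IPFilter's "opt" keyword uses (a subset of the guide's option list).
IP_OPTIONS = {
    "nop": 1, "rr": 7, "zsu": 10, "mtup": 11, "mtur": 12, "ts": 68, "tr": 82,
    "sec": 130, "lsrr": 131, "satid": 136, "ssrr": 137, "visa": 142,
}
OPTION_NAMES = {value: name for name, value in IP_OPTIONS.items()}

# Assumption for "short": a first fragment must carry at least this much of the
# transport header (ICMP, TCP, UDP) to be comparable against port/type rules.
MIN_TRANSPORT_HDR = {1: 8, 6: 20, 17: 8}


def parse_options(area: bytes) -> list:
    """Walk the IPv4 options area and return the option names found, in order."""
    names, i = [], 0
    while i < len(area):
        kind = area[i]
        if kind == 0:                       # EOOL: end of option list
            break
        if kind == 1:                       # NOP is one byte with no length field
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(area) or area[i + 1] < 2 or i + area[i + 1] > len(area):
            raise ValueError("malformed IP option at offset %d" % i)
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += area[i + 1]
    return names


def classify(pkt: bytes) -> dict:
    """Derive the IPFilter-style attributes (ipopts, opts, frag, short) of one IPv4 packet."""
    if len(pkt) < 20:
        return {"ipopts": False, "opts": [], "frag": False, "short": True}
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_frag & 0x1FFF            # 13-bit fragment offset, in 8-byte units
    if ihl < 20 or len(pkt) < ihl or total_len < ihl:
        return {"ipopts": False, "opts": [], "frag": offset != 0, "short": True}
    opts = parse_options(pkt[20:ihl])
    payload = min(total_len, len(pkt)) - ihl
    short = offset == 0 and payload < MIN_TRANSPORT_HDR.get(proto, 0)
    return {"ipopts": bool(opts), "opts": opts, "frag": offset != 0, "short": short}


def rule_matches(rule: dict, attrs: dict) -> bool:
    """Evaluate the 'with' clauses of one rule against a classified packet.

    rule keys: "opt" (any listed option present), "not opt" (none present),
    and "ipopts" / "frag" / "short" (True, False, or None for "don't care").
    """
    present = set(attrs["opts"])
    if rule.get("opt") and not present.intersection(rule["opt"]):
        return False
    if present.intersection(rule.get("not opt", ())):
        return False
    for key in ("ipopts", "frag", "short"):
        want = rule.get(key)
        if want is not None and attrs[key] != want:
            return False
    return True


def build_ipv4(proto: int, options: bytes = b"", payload: bytes = b"", frag_offset: int = 0) -> bytes:
    """Constructed test packet: header with padded options area and the given fragment offset."""
    options += b"\x00" * (-len(options) % 4)            # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, frag_offset & 0x1FFF,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


# Constructed packets: source-route options carry one hop, a short TCP first fragment, a later fragment.
LSRR_OPT = bytes([131, 7, 4]) + bytes([10, 0, 0, 9])       # type, length, pointer, one address
SSRR_OPT = bytes([137, 7, 4]) + bytes([10, 0, 0, 9])
PLAIN_TCP = build_ipv4(6, payload=b"\x00" * 20)
LSRR_TCP = build_ipv4(6, options=LSRR_OPT, payload=b"\x00" * 20)
SSRR_TCP = build_ipv4(6, options=SSRR_OPT, payload=b"\x00" * 20)
BOTH_TCP = build_ipv4(6, options=SSRR_OPT + LSRR_OPT, payload=b"\x00" * 20)
SHORT_TCP = build_ipv4(6, payload=b"\x00" * 8)              # only 8 bytes of a 20-byte TCP header
LATER_FRAG = build_ipv4(17, payload=b"\x00" * 8, frag_offset=3)

# The guide's example rules, in the order they would be evaluated.
RULES = [
    ("block in quick all with opt lsrr, ssrr", {"opt": ["lsrr", "ssrr"]}),
    ("block in all with ipopts", {"ipopts": True}),
    ("block in all with frag", {"frag": True}),
    ("block in all with short", {"short": True}),
]


def first_match(pkt: bytes):
    """Return the text of the first rule whose 'with' clauses match the packet, or None."""
    attrs = classify(pkt)
    for text, rule in RULES:
        if rule_matches(rule, attrs):
            return text
    return None


if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_TCP), ("lsrr", LSRR_TCP), ("short", SHORT_TCP), ("frag", LATER_FRAG)]:
        print("%-6s opts=%s -> %s" % (name, classify(pkt)["opts"], first_match(pkt)))
```

The plain TCP packet matches none of the block rules, the LSRR packet is caught by the first rule, the 8-byte first fragment by with short, and the offset-3 fragment by with frag; the "pass ... with opt ssrr not opt lsrr" rule from the guide passes a packet carrying only SSRR and rejects one carrying both options.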
Filtering ICMP traffic by type and code: icmp-type and code
You can filter specific types of ICMP traffic using the icmp-type and icmp-code keywords.
These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service (DoS)
attacks, but must allow certain types of ICMP messages in and out of your system. These keywords
22 Configuring and loading IPv4 filter rules