HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

are also useful when you want to block traffic from blocks of addresses but want to allow in ICMP
packets required for normal network operation. For more information, see Chapter 11 (page 78).
Protecting TCP, UDP, and ICMP sessions: keep state
Use keep state to select individual TCP, UDP, and ICMP sessions that exchange multiple packets.
This option enables you to use a rule to select the first packet in a session and then apply the same
rule for all other packets in the session. For example, you can use the keep state option to allow
bidirectional packets for a session that originates from the local system while blocking similar
packets for session requests from remote systems. The keep state option also enables IPFilter
to distinguish legitimate traffic from port scan attacks and Denial of Service (DoS) attacks.
When a packet matches a rule with the keep state option, IPFilter creates an entry in the state
table with the source and destination IP addresses and protocol. If the protocol is TCP or UDP, the
entry also contains the source and destination port numbers. The entry is bidirectional and IPFilter
verifies both inbound and outbound packets against the state table, so you do not have to configure
rules for the other inbound and outbound packets that match these parameters.
NOTE: Keep state is supported for rules whose filter action is to "pass" and not "block" the
packet. This ensures that state table entries are not exhausted by malicious packets.
You can use keep state to limit the number of rules you must configure. Use keep state to
pass the first packet in a TCP, UDP, or ICMP session. If the protocol is TCP, you can specify flags
S to match the first packet in a TCP session (a TCP packet with only the SYN flag set).
For example, you can use the keep state keyword with IPFilter rules to protect an SSH server:
pass in quick proto tcp from any to 10.1.1.1/32 port = 22 flags S keep state
block out all
The keep state keyword causes IPFilter to create an entry in the state table after the first SYN
packet (flags S) received by the SSH server. The entry specifies the IP addresses, protocol, and
port numbers for the session. IPFilter will not verify subsequent inbound or outbound packets
matching the state table entry against the IPFilter ruleset. This enables outbound responses for the
SSH session to pass, despite the block out all rule.
The following rules show keep state rules for TCP, UDP, and ICMP:
pass out quick proto tcp from 10.1.1.1/32 to any keep state
pass out quick proto udp from 10.1.1.1/32 to any keep state
pass out quick proto icmp from 10.1.1.1/32 to any keep state
For more examples of correct uses of the keep state keyword, see Appendix B (page 106).
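The following is an added example, not part of the guide and not IPFilter's own code: a small Python model of how keep state interacts with the SSH ruleset above. It treats every rule as quick (first match wins), stores one bidirectional state entry per session, and adds a "block in all" rule after the page's two rules so that an unsolicited inbound ACK to port 22 is visibly refused. The client and server addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # 0 for ICMP (no ports)
    dport: int = 0
    flags: str = ""         # TCP flags present, e.g. "S", "SA", "A"

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[str] = None   # 'flags S' = exactly SYN, nothing else
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in (None, p.proto)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport)
                and self.flags in (None, p.flags))

class StatefulFilter:
    """Model only: every rule is treated as 'quick' (first match wins)."""
    def __init__(self, rules):
        self.rules, self.state = list(rules), set()

    @staticmethod
    def key(p: Packet):
        # One entry covers both directions: order the endpoints canonically.
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def filter(self, p: Packet) -> str:
        if self.key(p) in self.state:
            return "pass (state)"        # ruleset is not consulted at all
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(self.key(p))   # only pass rules keep state
                return r.action
        return "pass"                    # IPFilter passes when nothing matches

def ssh_demo():
    f = StatefulFilter([
        Rule("pass", "in", "tcp", dst="10.1.1.1", dport=22, flags="S", keep_state=True),
        Rule("block", "out"),
        Rule("block", "in"),   # added default deny (not in the guide's two-rule example)
    ])
    c, s = "203.0.113.5", "10.1.1.1"    # constructed client and server addresses
    return [f.filter(p) for p in (
        Packet("in", "tcp", c, s, 40000, 22, "S"),    # SYN: rule 1 matches, state kept
        Packet("out", "tcp", s, c, 22, 40000, "SA"),  # reply passes despite 'block out all'
        Packet("in", "tcp", c, s, 40000, 22, "A"),    # handshake completes via state
        Packet("out", "tcp", s, "198.51.100.9", 5000, 80, "S"),  # unrelated: blocked
        Packet("in", "tcp", c, s, 40001, 22, "A"),    # bare ACK, no SYN: no state, blocked
    )]
```

Running ssh_demo() returns pass, pass (state), pass (state), block, block for the five packets in order.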
Allocating memory for the state table
The amount of memory allocated for the state table is determined by the kernel tunable parameter
fr_statemax. In most deployments, the default value is sufficient. For information about modifying
the fr_statemax value, see Section (page 118).
Using keep state with TCP
You can configure rules with the flags and keep state keywords to select packets for TCP
connections initiated in a specific direction. To do this, use the flags option to select the first
packet used to initiate a TCP connection and add the keep state keyword to select subsequent
packets for the connection. The first packet, which is used to initiate a TCP connection, has the
SYN flag set but not the ACK flag, and in most cases has no flags set other than SYN.
For example, the following ruleset uses the flags S specification to select packets for telnet
connection requests (TCP port 23) sent from the local system (10.1.1.1). The keep state keywords
Protocol options: TCP flags, IP options and fragments, ICMP types and state information 23