HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

A state entry is added for incoming UDP connections. The state entry is deleted from the state table
if any one of the following conditions is met:
• The UDP reply matches the state entry created for the corresponding UDP request.
• The UDP entry has been idle for the default timeout period.
• The age option has been specified as part of the keep state rule and the UDP entry has been idle
for the timeout period defined by the age option. For more information on the age option,
see Section Page 25.
Idle timeout
If a UDP state table entry is idle (no packets match the entry) for 120 seconds, IPFilter deletes the
entry.
Using keep state with ICMP
For some ICMP messages, the ICMP protocol defines a request and a corresponding reply message.
For example, the ICMP echo request (ICMP type 8) message (sent by the ping utility) has a
corresponding ICMP echo reply (ICMP type 0) message. You can configure a rule to pass outbound
ICMP echo requests and to pass in the subsequent ICMP echo replies. For example:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state
NOTE: To configure rules to keep state on any outbound ICMP messages that might receive a
reply ICMP message, you must specify both the proto icmp and the keep state options.
To prevent an attacker from sending ICMP messages through your firewall when an active connection
is known to be in your state table, verify the incoming ICMP packet type and code, if applicable,
in addition to the source and destination addresses (and ports, if applicable).
A state entry is added for incoming ICMP connections. The state entry is deleted from the state table
if any one of the following conditions is met:
• The ICMP reply matches the state entry created for the corresponding ICMP request.
• The ICMP entry has been idle for the default timeout period.
• The age option has been specified as part of the keep state rule and the ICMP entry has been
idle for the timeout period defined by the age option. For more information on the age
option, see Section Page 25.
Idle timeout
If an ICMP state table entry is idle (no packets match the entry) for 60 seconds, IPFilter deletes the
entry.
ICMP error status messages
If an ICMP error status message is generated for a TCP or UDP packet that matches an active state
table entry, IPFilter applies the TCP or UDP rule to the ICMP packet. For example:
pass out on lan0 proto udp from any to any port 33434><33690 keep state
If an ICMP error status message (such as icmp-type 3 code 3 port unreachable or
icmp-type 11 time exceeded) is generated for this UDP session, IPFilter applies the
rule to the ICMP packet and allows it to pass.
State aging
The system-defined state entry timeout values are:
• ICMP—60 seconds
• UDP—120 seconds
• TCP—120 seconds
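The UDP and ICMP state handling described in this section, modelled in Python as an added example (not IPFilter code): entries are keyed by addresses plus the port pair or echo identifier, deleted when the matching reply arrives or when the 60-second (ICMP) or 120-second (UDP) idle timeout passes, and an inbound ICMP packet is accepted only when its type and code fit the entry (an echo reply for an echo request, or a port-unreachable or time-exceeded error quoting a live UDP session). All addresses and packets are constructed, and the age option is not modelled.

```python
# Toy model of the UDP/ICMP state handling described above (added example, not
# IPFilter code). Timeouts and ICMP type/code values are the ones the guide lists.
IDLE_TIMEOUT = {"icmp": 60, "udp": 120, "tcp": 120}  # seconds, per "State aging"
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_ERRORS = {(3, 3), (11, 0)}  # port unreachable, time exceeded in transit


class StateTable:
    """Entries are keyed (proto, src, dst, ident) and store the last-seen time."""

    def __init__(self):
        self.entries = {}

    def expire_idle(self, now):  # delete entries idle for the protocol's timeout
        for key, seen in list(self.entries.items()):
            if now - seen >= IDLE_TIMEOUT[key[0]]:
                del self.entries[key]

    def keep_state(self, pkt, now):  # outbound packet matched a 'keep state' rule
        if pkt["proto"] == "udp":
            ident = (pkt["sport"], pkt["dport"])
        else:  # ICMP echo request: the reply must carry the same identifier
            ident = ("echo", pkt["id"])
        self.entries[(pkt["proto"], pkt["src"], pkt["dst"], ident)] = now

    def allow_in(self, pkt, now):
        """True if an inbound packet is accepted by an existing state entry."""
        self.expire_idle(now)
        src, dst = pkt["src"], pkt["dst"]
        if pkt["proto"] == "udp":  # the UDP reply closes the entry
            key = ("udp", dst, src, (pkt["dport"], pkt["sport"]))
            return self.entries.pop(key, None) is not None
        if pkt["proto"] != "icmp":
            return False
        tc = (pkt["type"], pkt["code"])
        if tc == (ICMP_ECHO_REPLY, 0):  # reply to our echo request, same id
            key = ("icmp", dst, src, ("echo", pkt["id"]))
            return self.entries.pop(key, None) is not None
        if tc in ICMP_ERRORS:  # error about a live TCP/UDP session passes
            inner = pkt["inner"]  # the datagram quoted inside the ICMP error
            key = (inner["proto"], inner["src"], inner["dst"], (inner["sport"], inner["dport"]))
            return inner["src"] == dst and key in self.entries
        return False  # other ICMP types are dropped even if the addresses match


def demo():  # constructed traffic: our echo request out, the peer's reply back
    table = StateTable()
    table.keep_state({"proto": "icmp", "src": "10.0.0.5", "dst": "192.0.2.1",
                      "type": ICMP_ECHO_REQUEST, "code": 0, "id": 0x1234}, now=0)
    return table.allow_in({"proto": "icmp", "src": "192.0.2.1", "dst": "10.0.0.5",
                           "type": ICMP_ECHO_REPLY, "code": 0, "id": 0x1234}, now=5)
```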
Protocol options: TCP flags, IP options and fragments, ICMP types and state information 25