HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
To use the return-rst keyword in a rule that blocks inbound packets, insert the return-rst keyword
after the block keyword. For example, the following rule blocks inbound telnet requests and
generates a TCP RST packet:
block return-rst in quick on lan0 proto tcp from any to 10.10.10.0/24 port = 23
When you configure a return-rst rule, HP recommends that you also configure a rule that
explicitly allows the outbound RST packet to pass. For example:
block return-rst in quick on lan0 proto tcp from any to 10.10.10.0/24 port = 23
pass out quick on lan0 proto tcp from any port = 23 to any flags R/RSFUP
Responding to blocked UDP packets: return-icmp-as-dest
The return-icmp-as-dest keyword directs IPFilter to send an ICMP response. Specifying
return-icmp-as-dest(port-unr) directs IPFilter to send an ICMP message with type
destination unreachable and code port unreachable (port-unr). This ICMP message
is the normal system response for packets sent to UDP ports that are not in use. Insert the
return-icmp-as-dest(port-unr) keyword after block. For example:
block return-icmp-as-dest(port-unr) in quick proto udp from any to 20.20.20.0/24 port = 53
The return-icmp-as-dest keyword directs IPFilter to send an ICMP response that uses the original
destination address (the destination address of the incoming packet that triggered the response)
as the source address instead of the local system's address. This prevents attackers from determining
that you are using the local system as a packet filter. IPFilter also supports the return-icmp
keyword, which causes IPFilter to send the return ICMP packet with the IP address of the local
system (the address of the interface used to transmit the response), but HP recommends that you
use the return-icmp-as-dest keyword instead.
Improving performance with rule groups
Rule groups enable you to write your ruleset in a tree structure, instead of as a linear list, so if an
incoming packet is unrelated to a set of rules, those rules are not processed. This feature reduces
IPFilter processing time on each packet and improves IPFilter system performance.
The following is a simple rule group example:
block out quick on lan1 all head 10
pass out quick proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
block out on lan2 all
In this example, if a packet is not going to be transmitted on lan1, the head of rule group 10
does not match, and IPFilter does not process any of the rules in group 10; rule processing
continues at the root level (group 0). If a packet is going to be transmitted on lan1, the quick
keyword stops further processing at the group 0 level, and IPFilter then evaluates all rules in
group 10 against the packet.
Rule groups can also be used to break up a complex firewall ruleset. For example, consider a
firewall with three interfaces, lan0, lan1, and lan2:
• lan0 is connected to external network 20.20.20.0/26.
• lan1 is connected to DMZ network 20.20.20.64/26.
• lan2 is connected to protected network 20.20.20.128/25.
A complete linear ruleset for this situation is long, and evaluating every rule against every packet
significantly slows user connections to the network. To prevent this, the ruleset is organized into
rule groups:
block in quick on lan0 all head 1
block in quick on lan0 from 192.168.0.0/16 to any group 1
block in quick on lan0 from 172.16.0.0/12 to any group 1
block in quick on lan0 from 10.0.0.0/8 to any group 1
block in quick on lan0 from 127.0.0.0/8 to any group 1
block in log quick on lan0 from 20.20.20.0/24 to any group 1
block in log quick on lan0 from any to 20.20.20.0/32 group 1
block in log quick on lan0 from any to 20.20.20.63/32 group 1
block in log quick on lan0 from any to 20.20.20.64/32 group 1
block in log quick on lan0 from any to 20.20.20.127/32 group 1
block in log quick on lan0 from any to 20.20.20.128/32 group 1
block in log quick on lan0 from any to 20.20.20.255/32 group 1
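The head/group, quick and last-match-wins behaviour described above can be hard to reason about from the rules alone. The following is an added example (not HP's code and not part of the guide): a small Python model that parses the ipf.conf subset used in this section and reports, for a given packet, both the verdict and which rules were actually evaluated. It is fed the simple lan1/lan2 rule-group example from above; the first lines of the group 1 ruleset for lan0 can be loaded the same way. The packet summaries and the 10.1.1.5 source address are constructed for the example; flags, keep state and the return-* modifiers are parsed but not modelled.

```python
"""Toy model of IPFilter rule evaluation: head/group, quick, and last-match-wins.
Added example, not HP's code; it handles only the ipf.conf subset shown in the guide."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                  # "block" or "pass"
    direction: str               # "in" or "out"
    text: str                    # the original rule line, kept for the evaluation trace
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    head: Optional[int] = None   # this rule opens group N
    group: int = 0               # group the rule belongs to; 0 is the root level

def _net(tok):
    return ANY if tok == "any" else ipaddress.ip_network(tok)

def parse_rule(line):
    """Parse one rule; flags, keep state and return-* are accepted but not modelled."""
    toks = line.split()
    i = 2 if toks[1].startswith("return-") else 1   # skip return-rst / return-icmp-as-dest(...)
    rule = Rule(action=toks[0], direction=toks[i], text=line)
    i, side = i + 1, "src"
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule.quick, i = True, i + 1
        elif t in ("log", "all"):
            i += 1
        elif t in ("from", "to"):                   # address, optionally followed by "port = N"
            side = "src" if t == "from" else "dst"
            setattr(rule, side, _net(toks[i + 1]))
            i += 2
        elif t == "port":                           # binds to the preceding from/to side
            setattr(rule, "sport" if side == "src" else "dport", int(toks[i + 2]))
            i += 3
        elif t in ("on", "proto", "head", "group", "flags", "keep"):
            val = toks[i + 1]
            if t == "on":
                rule.iface = val
            elif t == "proto":
                rule.proto = val
            elif t in ("head", "group"):
                setattr(rule, t, int(val))
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule

def load_ruleset(text):
    return [parse_rule(line) for line in text.strip().splitlines()]

def _matches(r, pkt):
    return (r.direction == pkt["dir"] and r.iface in (None, pkt["iface"])
            and r.proto in (None, pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in r.src
            and ipaddress.ip_address(pkt["dst"]) in r.dst
            and r.sport in (None, pkt.get("sport")) and r.dport in (None, pkt.get("dport")))

def _scan(rules, group, pkt, trace):
    """Walk one group in order: the last matching rule wins unless a match is quick.
    A matching head rule hands the packet to its group; if no member matches, the
    head rule's own action stands. Returns None when nothing in the group matched."""
    verdict = None
    for r in rules:
        if r.group != group:
            continue                     # rules of other groups are never evaluated here
        trace.append(r.text)
        if not _matches(r, pkt):
            continue
        verdict = r.action
        if r.head is not None:
            verdict = _scan(rules, r.head, pkt, trace) or verdict
        if r.quick:
            return verdict
    return verdict

def evaluate(rules, pkt):
    """Return (verdict, texts of the rules that were evaluated for this packet)."""
    trace = []
    verdict = _scan(rules, 0, pkt, trace)
    return verdict or "pass", trace      # IPFilter passes a packet that matches no rule

# The simple rule-group example from the guide.
GROUP_RULESET = """
block out quick on lan1 all head 10
pass out quick proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10
block out on lan2 all
"""

def packet(direction, iface, proto, src, dst, dport=None):
    """Constructed packet summary; the addresses are made up for this example."""
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}

if __name__ == "__main__":
    rules = load_ruleset(GROUP_RULESET)
    for p in (packet("out", "lan1", "tcp", "10.1.1.5", "20.20.20.70", 80),   # group 10 passes it
              packet("out", "lan1", "udp", "10.1.1.5", "20.20.20.70", 53),   # head matches, no member does
              packet("out", "lan2", "tcp", "10.1.1.5", "20.20.20.70", 80)):  # head misses, group skipped
        verdict, trace = evaluate(rules, p)
        print(f"{p['iface']} {p['proto']}: {verdict} after {len(trace)} rule(s): {trace}")
```

Running it shows the point of the section: the lan2 packet never touches the group 10 rule, while the lan1 TCP packet is passed by group 10 even though the head rule says block. The UDP packet on lan1 illustrates the fallthrough the model assumes for a head rule whose group has no match: the head's own action (block) applies. For the same reason, loading only the group 1 rules that appear on this page blocks every packet arriving on lan0, spoofed or not, because the pass rules for that group are on later pages; the evaluation trace makes that visible before the ruleset is deployed.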