HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

ICMP error status messages
State aging
Rule examples
Handling IP fragments: keep frags
Sending responses for blocked TCP and UDP packets
Responding to blocked TCP packets: return-rst
Responding to blocked UDP packets: return-icmp-as-dest
Improving performance with rule groups
Loading IPv4 filter rules
Verifying IPv4 filter rules
Removing IPFilter rules
Rule tags
Log tags
NAT tags
4 Configuring and loading IPv6 filter rules
IPv6 filter rules configuration file
Features not supported with IPv6
IPv6 filter rule syntax differences
Specifying addresses
Filtering ICMPv6 packets
Stateful ICMPv6
IPv6 extension headers
Filtering tunneled packets
Filtering IPv6 fragments
Sending ICMPv6 responses
Loading IPv6 filter rules
Verifying IPv6 filter rules
5 Configuring and loading dynamic connection allocation (DCA) rules
DCA with HP-UX IPFilter
DCA functionality overview
Using DCA
DCA rules configuration files
DCA rule syntax and keywords
DCA rule conditions
Limiting connections: keep limit
Limiting connections by IP address
Limiting connections by subnet
Limiting connections by IP address range
Default individual connection limits
Returning RESET packets: return-rst
Limiting cumulative connections: cumulative
Logging exceeded connections: log limit and log limit freq
Alert log
Summary log
Loading and modifying DCA rules
Updating keep limit rules
Changing the current individual, subnet, or IP address range rule
Updating a subnet or IP address range rule
Adding new keep limit rules
Adding a new individual keep limit rule
Adding a new subnet or IP address range rule
Integrating keep limit rules
Extracting an individual rule from a subnet rule
Enabling and disabling DCA