HP-UX IPFilter Version 15.01 Administrator's Guide
Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information
IPFilter supports options to filter packets based on the following protocol information:
• TCP flags (flags)
• IP options (with opt and with ipopt)
• IP fragments (with frag and with short)
• ICMP type and codes (icmp-type and code)
• State information (keep state)
• IP fragments (keep frags)
Option Order
If you specify protocol options, you must insert them after the ip_selector:
block|pass in|out [processing_options] [proto protocol] ip_selector [protocol_options]
The ip_selector is the from...to IP address and port number specification or the keyword
all, as defined in “Basic Rule Syntax: Specifying the Action, Direction, Protocol, IP Addresses,
and Ports” (page 25).
If you specify more than one protocol option, you must specify them in the order listed below:
1. flags
2. with opt and with ipopt
3. with frag and with short
4. icmp-type and code
5. keep state
6. keep frags
In the following example, the user specifies the flags option and the keep state option, in that order:
pass in quick proto tcp from any to 10.1.1.1 flags S keep state
flags: Specifying TCP Header Flags
Use the flags option to filter traffic by flags (control bits) in the TCP header. To specify the
flags option, you must also specify proto tcp. The syntax for the flags option is as follows:
flags flags[/flags_checked]
where flags are the TCP flags that must be set to match the filter and flags_checked are the
TCP flags checked. The values for flags and flags_checked are sequences of characters,
where each character is the initial character of a TCP flag name:
A (ACK - Acknowledgement)
F (FIN - No more data)
P (PUSH - Push function)
R (RST - Reset the connection)
S (SYN - Synchronize sequence numbers)
U (URG - Urgent)
See RFC 793, Transmission Control Protocol Specification for descriptions of TCP flags.
Flags specified in the flags_checked sequence but not in the flags sequence must be clear
to match the filter. For example, the specification
flags S/SA
matches packets with the SYN flag set and the ACK flag cleared, but does not match packets
with both the SYN flag and the ACK flag set.
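The following is an added example, not code from the HP-UX IPFilter guide or from IPFilter itself: a small Python model of the two rules explained above, the required ordering of protocol options and the set/clear semantics of flags/flags_checked, so that a rule line can be sanity-checked before it is loaded. The TCP flag bit values are the RFC 793 header layout. Two things are assumptions rather than statements from this page: a bare flags F with no /flags_checked is treated as checking all six flags (F/AUPRFS), which is the open-source IPFilter convention, and the option tokenizer is deliberately simplified (it only understands the option forms listed on this page).

```python
# Added illustration of the IPFilter 'flags' semantics and protocol-option
# ordering rule. Not HP-UX IPFilter code; see assumptions in the comments.

TCP_FLAG_BITS = {  # bit values from the RFC 793 TCP header layout
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
}
# Assumption: a bare 'flags F' checks all six flags (F/AUPRFS). The guide
# excerpt does not state the default; this is the open-source IPFilter rule.
ALL_FLAGS = "AUPRFS"


def flags_to_mask(letters):
    """Convert a flag letter sequence such as 'SA' into a bitmask."""
    mask = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        mask |= TCP_FLAG_BITS[ch]
    return mask


def parse_flags_option(spec):
    """Return (must_be_set, checked) bitmasks for 'flags[/flags_checked]'."""
    if "/" in spec:
        set_part, checked_part = spec.split("/", 1)
    else:
        set_part, checked_part = spec, ALL_FLAGS  # assumed default, see above
    must_be_set = flags_to_mask(set_part)
    checked = flags_to_mask(checked_part)
    if must_be_set & ~checked:
        raise ValueError("every flag in flags must also appear in flags_checked")
    return must_be_set, checked


def flags_match(spec, packet_flags):
    """True if a packet's TCP flags byte satisfies the flags option.

    Flags listed in flags must be set; flags in flags_checked but not in
    flags must be clear; flags outside flags_checked are ignored.
    """
    must_be_set, checked = parse_flags_option(spec)
    return (packet_flags & checked) == must_be_set


# Required order of protocol options (lower rank first), as listed in the guide.
OPTION_RANK = {
    "flags": 1,
    "with opt": 2, "with ipopt": 2,
    "with frag": 3, "with short": 3,
    "icmp-type": 4, "code": 4,
    "keep state": 5,
    "keep frags": 6,
}


def protocol_option_ranks(option_tail):
    """Tokenize the text after ip_selector into option ranks (simplified parser)."""
    tokens = option_tail.split()
    ranks = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("with", "keep") and i + 1 < len(tokens):
            key = f"{tok} {tokens[i + 1]}"
            i += 3 if key == "with opt" else 2  # 'with opt' names one IP option
        elif tok in ("flags", "icmp-type", "code"):
            key = tok
            i += 2  # each of these takes exactly one argument
        else:
            raise ValueError(f"unrecognized protocol option {tok!r}")
        if key not in OPTION_RANK:
            raise ValueError(f"unrecognized protocol option {key!r}")
        ranks.append(OPTION_RANK[key])
    return ranks


def options_in_required_order(option_tail):
    """True when the protocol options appear in the order the guide requires."""
    ranks = protocol_option_ranks(option_tail)
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


if __name__ == "__main__":
    # SYN-only and SYN+PSH satisfy 'flags S/SA'; SYN+ACK does not.
    print(flags_match("S/SA", 0x02), flags_match("S/SA", 0x0A), flags_match("S/SA", 0x12))
    print(options_in_required_order("flags S keep state"))
```

The model makes the difference between flags S/SA and a bare flags S concrete: SYN+PSH matches S/SA because PSH is outside the checked set, while under the assumed all-flags default it fails a bare flags S. The ordering check mirrors the numbered list above; it is a sanity check on rule text, not a substitute for loading the rule with the IPFilter tools.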
30 Configuring and Loading IPv4 Filter Rules