HP-UX IPFilter Version 15.01 Administrator's Guide

If you omit /flags_checked, IPFilter checks all the TCP flags in the packet, so specifying
flags S is equivalent to specifying flags S/AFPRSU, and matches TCP packets that have the
SYN flag set and no other flags set.
To accommodate applications or user protocols that also set the URG or PSH flags when initiating
TCP connections, you can specify flags S/SAFR, which allows SYN, SYN URG, and SYN PSH packets
but not SYN ACK packets (nor SYN FIN or SYN RST, because F and R are also checked). However,
flags S (or the equivalent flags S/AFPRSU) is the more secure choice; use flags S/SAFR or
flags S/SA only where such traffic must be allowed. Note that flags S/SA checks only the SYN and
ACK bits, so a SYN FIN or SYN RST packet also matches it.
The flags keyword is typically used with the keep state feature, as described in “Using
Keep State with TCP” (page 33).
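As an added example (not from this guide and not IPFilter's own code), the following Python reproduces the flags_set/flags_checked matching rule described above and enumerates which flag combinations each specification on this page accepts. The function names (flags_match, accepted_packets, equivalent) are the example's own, and the check that rejects a flag required to be set but absent from the checked set is also the example's, not something ipf performs for you.

```python
"""Added example: the semantics of IPFilter's 'flags flags_set/flags_checked'
keyword, reproduced in Python. Not IPFilter's own code."""

# Flag letters as used in ipf rules, mapped to their bit in the TCP header.
TCP_FLAG_BIT = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F  # AFPRSU: the mask used when /flags_checked is omitted


def letters_to_bits(letters):
    """'SA' -> SYN|ACK. Rejects letters that are not TCP flags."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BIT:
            raise ValueError("unknown TCP flag letter %r" % ch)
        bits |= TCP_FLAG_BIT[ch]
    return bits


def parse_flags_spec(spec):
    """'S' -> (S, AFPRSU); 'S/SA' -> (S, SA). Returns (flags_set, flags_checked).

    A flag that must be set but is not among the checked flags can never
    match, so it is rejected here as an almost-certain typo. This check is
    the example's own; ipf does not do it for you.
    """
    set_part, slash, checked_part = spec.partition("/")
    flags_set = letters_to_bits(set_part)
    flags_checked = letters_to_bits(checked_part) if slash else ALL_FLAGS
    if flags_set & ~flags_checked:
        raise ValueError("%r: a required flag is outside the checked set" % spec)
    return flags_set, flags_checked


def flags_match(packet_flags, spec):
    """True if a TCP packet with these flag bits satisfies 'flags spec'."""
    flags_set, flags_checked = parse_flags_spec(spec)
    return (packet_flags & flags_checked) == flags_set


def accepted_packets(spec):
    """Every flag combination (as a letter string) that 'flags spec' lets through."""
    out = []
    for bits in range(ALL_FLAGS + 1):
        if flags_match(bits, spec):
            out.append("".join(ch for ch in "AFPRSU" if bits & TCP_FLAG_BIT[ch]))
    return out


def equivalent(spec_a, spec_b):
    """True if two flag specifications accept exactly the same packets."""
    return accepted_packets(spec_a) == accepted_packets(spec_b)


if __name__ == "__main__":
    for spec in ("S", "S/AFPRSU", "S/SAFR", "S/SA"):
        print("flags %-9s accepts: %s" % (spec, " ".join(accepted_packets(spec))))
```

Running the module lists the accepted combinations for each specification: flags S and flags S/AFPRSU both accept only a bare SYN; flags S/SAFR adds SYN PSH, SYN URG and SYN PSH URG; flags S/SA accepts sixteen combinations, including SYN FIN and SYN RST, which is why the narrower masks are preferred.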
with opt and ipopts: Specifying IP Options
IPFilter can filter packets based on IP options using the with opt and with ipopts keywords.
Use the with opt keywords to filter packets with one or more IP options as follows:
with opt option[,option]
where option is one of the following abbreviations for an IP option:
addext (Address Extension)
cipso (Commercial Security)
e-sec (Extended Security)
eip (Extended Internet Protocol)
encode (Encode)
finn (Flow Control - experimental)
imitd (IMI Traffic Descriptor)
lsrr (Loose Source Route, or Loose Source Record Route)
mtup (MTU Probe - decremented)
mtur (MTU Response - decremented)
nop (No Operation)
rr (Record Route)
satid (Stream ID)
sec (Security)
ssrr (Strict Source Route, or Strict Source Record Route)
tr (Traceroute)
ts (Time Stamp)
visa (Access Control - experimental)
zsu (Measurement - experimental)
The IANA list of assigned IP option numbers specifies the numeric values for the IP options and
lists the documents that define these options. This list is available at the following URL:
http://www.iana.org/assignments/ip-parameters
Source-routed packets let the sender dictate the path a packet takes through the network, which
can be used to reach hosts that routing policy would otherwise keep unreachable, so they are
routinely blocked at the host. For example, the following rule blocks all IP packets with the
Loose Source Record Route (LSRR) or Strict Source and Record Route (SSRR) option set:
block in quick all with opt lsrr, ssrr
not opt: Specifying Options Not Set
You can also configure rules to pass or block packets that do not have a specific option set:
with [opt option] not opt option
For example:
pass in from any to any with opt ssrr not opt lsrr
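As an added example (not from this guide and not IPFilter's own code), the following Python walks the IPv4 options area, identifies each option by its IANA type byte under the abbreviations listed above, and evaluates with opt, not opt, with ipopts and not ipopts clauses against constructed packets. The decide function reproduces ipf's rule ordering (last matching rule wins unless a matching rule carries quick; a packet no rule matches is passed). The Rule class, build_ipv4_header, the sample packets and the rule set are the example's own; the rule set uses one rule per option, which does not depend on how a comma-separated option list is combined.

```python
"""Added example (not IPFilter's code): walk the IPv4 options area and
evaluate 'with opt', 'not opt', 'with ipopts' and 'not ipopts' clauses."""
import struct
from dataclasses import dataclass
from typing import Optional

# Option type bytes from the IANA ip-parameters registry, keyed by the
# abbreviation IPFilter uses (IANA calls 'satid' SID).
IP_OPTION_TYPE = {
    "nop": 1, "sec": 130, "lsrr": 131, "ts": 68, "e-sec": 133, "cipso": 134,
    "rr": 7, "satid": 136, "ssrr": 137, "zsu": 10, "mtup": 11, "mtur": 12,
    "finn": 205, "visa": 142, "encode": 15, "imitd": 144, "eip": 145,
    "tr": 82, "addext": 147,
}
OPTION_NAME = {v: k for k, v in IP_OPTION_TYPE.items()}
EOOL = 0  # end-of-option-list: a single byte that terminates the options area


def parse_ip_options(header):
    """Return [(name, data), ...] for the options in an IPv4 header.
    Raises ValueError for a malformed header; treat that packet as suspect,
    not as 'no options'."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5 or len(header) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    opts, found, i = header[20:ihl * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOOL:
            break
        if kind == IP_OPTION_TYPE["nop"]:      # NOP has no length byte
            found.append(("nop", b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option type without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the options area")
        found.append((OPTION_NAME.get(kind, "unknown-%d" % kind), opts[i + 2:i + length]))
        i += length
    return found


def is_well_formed(header):
    """False when the options area cannot be parsed (a packet worth logging)."""
    try:
        parse_ip_options(header)
    except ValueError:
        return False
    return True


@dataclass
class Rule:
    """The parts of an ipf rule this example evaluates; text kept for reference."""
    text: str
    action: str                          # "pass" or "block"
    quick: bool = False
    opt_set: frozenset = frozenset()     # 'with opt X': X must be present
    opt_clear: frozenset = frozenset()   # 'not opt X': X must be absent
    ipopts: Optional[bool] = None        # 'with ipopts' (True) / 'not ipopts' (False)

    def matches(self, header):
        present = {name for name, _ in parse_ip_options(header)}
        if self.ipopts is not None and bool(present) != self.ipopts:
            return False
        return self.opt_set <= present and not (self.opt_clear & present)


def decide(rules, header, default="pass"):
    """ipf ordering: the last matching rule wins, unless a matching rule
    carries 'quick', which ends the search immediately."""
    result = default
    for rule in rules:
        if rule.matches(header):
            result = rule.action
            if rule.quick:
                break
    return result


def build_ipv4_header(options=b"", src="10.0.0.2", dst="10.0.0.1"):
    """Constructed test packet: bare IPv4 header, no payload, checksum left 0."""
    padded = options + bytes((-len(options)) % 4)   # pad to a 32-bit boundary with EOOL
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded), 0, 0, 64, 6, 0,
                        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return fixed + padded


# Constructed sample packets (not captured traffic)
PLAIN = build_ipv4_header()
LSRR = build_ipv4_header(bytes([131, 7, 4, 10, 0, 0, 9]))      # one hop, pointer 4
SSRR = build_ipv4_header(bytes([137, 7, 4, 10, 0, 0, 9]))
NOP_RR = build_ipv4_header(bytes([1, 7, 7, 4, 0, 0, 0, 0]))    # NOP, then an empty RR
BROKEN = build_ipv4_header(bytes([131, 1]))                    # LSRR with length 1

RULES = [
    Rule("pass in all", "pass"),
    Rule("block in quick all with opt lsrr", "block", quick=True, opt_set=frozenset({"lsrr"})),
    Rule("block in quick all with opt ssrr", "block", quick=True, opt_set=frozenset({"ssrr"})),
    Rule("block in all with ipopts", "block", ipopts=True),
]

if __name__ == "__main__":
    for name, pkt in ("plain", PLAIN), ("lsrr", LSRR), ("nop+rr", NOP_RR):
        print(name, [n for n, _ in parse_ip_options(pkt)], decide(RULES, pkt))
```

The packet with no options reaches only the pass rule; the LSRR packet is stopped by the quick block rule; the NOP plus Record Route packet is passed by the first rule but then matched by the final with ipopts rule, which, being last, wins. The malformed packet (an LSRR option claiming a length of 1) makes the parser raise rather than silently report "no options", which is the behaviour you want from anything that sits in front of a filter.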
ipopts: Specifying Any IP Options
Use the keywords with ipopts to select packets with any IP options set or with not ipopts
to select packets that have no IP options set. For example:
Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information 31