HP-UX IPFilter Version 15.01 Administrator's Guide
keep frags: Handling IP Fragments
You can configure IPFilter to keep information about IP packets and to use that information to match the subsequent fragments of those packets. The keep frags keyword lets you configure IPFilter to pass the remaining fragments of a packet that has already been allowed, while blocking fragments that might be forgeries or port scans trying to attack the system. The keep frags option is valid only when used with the keep state option.
In the following example, the first two rules define the valid packets that are allowed to pass. The keep state and keep frags keywords enable the IP fragments related to those packets to pass as well. The third and fourth rules block and log all other packets.
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state keep frags
pass out quick on lan0 proto tcp from any to any keep state flags S keep frags
block in log quick all
block out log quick all
In this example, every valid packet is entered into the state table before the blocking rules are processed, so later fragments and segments of that flow are matched against the table rather than against the rule list. To further protect the system, log the initial SYN packets (add the log keyword to the pass rules) so that SYN scans can be detected.
Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information 35