HP-UX IPFilter Version 15.01 Administrator's Guide

Sending Responses for Blocked TCP and UDP Packets
When you use the block keyword, IPFilter silently drops the blocked packet; no response is sent to
the remote system that sent the packet. This can be a security risk, because the absence of the
normal response (a TCP RST or an ICMP port unreachable) can alert an attacker that a packet
filter is running on the system. You can use the return-rst and return-icmp-as-dest keywords
to send the responses an unfiltered system would send for blocked packets.
return-rst: Responding to Blocked TCP Packets
When TCP receives a packet for a TCP port that is not open or a packet that is inappropriate for
the TCP state, TCP normally sends a Reset (RST) packet. The return-rst keyword directs
IPFilter to return an RST packet to the sender. The return-rst keyword is valid in the following
rules:
Rules that block inbound packets (block in rules).
Dynamic Connection Allocation (DCA) rules (keep limit rules), as shown in “DCA Rule
Syntax and Keywords” (page 49).
To use the return-rst keyword in a rule that blocks inbound packets, insert the return-rst
keyword after the block keyword. For example, the following rule blocks inbound telnet
requests and generates a TCP RST packet:
block return-rst in quick on lan0 proto tcp from any to 10.10.10.0/24 port = 23
When you configure a return-rst rule, HP recommends that you also configure a rule that
explicitly allows the outbound RST packet to pass. For example:
block return-rst in quick on lan0 proto tcp from any to 10.10.10.0/24 port = 23
pass out quick on lan0 proto tcp from any port = 23 to any flags R/RSFUP
return-icmp-as-dest: Responding to Blocked UDP Packets
The return-icmp-as-dest keyword directs IPFilter to send an ICMP response. Specifying
return-icmp-as-dest(port-unr) directs IPFilter to send an ICMP message with type
destination unreachable and code port unreachable (port-unr). This ICMP message
is the normal system response for packets sent to UDP ports that are not in use. Insert the
return-icmp-as-dest(port-unr) keyword after block. For example:
block return-icmp-as-dest(port-unr) in quick proto udp from any to 20.20.20.0/24 port = 53
The return-icmp-as-dest keyword directs IPFilter to send an ICMP response that uses the original
destination address (the destination address of the incoming packet that triggered the response)
as the source address instead of the local system's address. This prevents attackers from
determining that you are using the local system as a packet filter. IPFilter also supports the
return-icmp keyword, which causes IPFilter to send the return ICMP packet with the IP
address of the local system (the address of the interface used to transmit the response), but HP
recommends that you use the return-icmp-as-dest keyword instead.
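The following rule file is an added example, not one of the guide's own listings, that puts the return-rst and return-icmp-as-dest recommendations from both subsections above into one ordered set of rules. It assumes interface lan0 and the 10.10.10.0/24 network used in the guide's examples, assumes ssh (port 22) as the one service that is offered, and assumes the file is loaded with ipf -Fa -f and the logged packets are read with ipmon; verify the load command, file path and the log keyword's ipmon output on your own system.

```ipf
# Added example (not from the HP-UX IPFilter guide). Assumptions: interface lan0,
# local network 10.10.10.0/24, ssh as the only permitted inbound service, and
# loading with "ipf -Fa -f <this file>" (command and path assumed for HP-UX).

# 1. Permit the service you actually offer. "flags S/SA" matches only the
#    initial SYN; "keep state" lets the rest of the connection pass.
pass in quick on lan0 proto tcp from any to 10.10.10.0/24 port = 22 flags S/SA keep state

# 2. Explicitly pass the RST that a return-rst rule generates, as the guide
#    recommends. "flags R/RSFUP" matches packets with RST set and SYN, FIN,
#    URG and PSH clear, i.e. a bare reset and nothing else.
pass out quick on lan0 proto tcp from 10.10.10.0/24 to any flags R/RSFUP

# 3. Block all other inbound TCP and answer with an RST, exactly as a host with
#    no filter and no listener on the port would. "log" records each blocked
#    packet for ipmon, so probing of the network is visible to the administrator.
block return-rst in log quick on lan0 proto tcp from any to 10.10.10.0/24

# 4. Block all other inbound UDP and answer with ICMP destination unreachable /
#    port unreachable, sourced from the packet's original destination address
#    (return-icmp-as-dest) rather than from the filtering system itself.
block return-icmp-as-dest(port-unr) in log quick on lan0 proto udp from any to 10.10.10.0/24
```

Because every rule carries the quick keyword, the first matching rule in each direction decides the packet's fate, so the pass rules must appear before the block rules as they do here. The return-rst keyword applies only to TCP and return-icmp-as-dest(port-unr) only to UDP; the two block rules therefore split by protocol, and each sends the response a normal, unfiltered system would send, while the log keyword keeps the blocked attempts in the administrator's records.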
36 Configuring and Loading IPv4 Filter Rules