HP-UX IPFilter Version 15.01 Administrator's Guide

10 HP-UX IPFilter and ICMP
This chapter describes how to use HP-UX IPFilter to filter ICMP (ICMPv4) and ICMPv6 packets.
It also describes how to configure ICMP kernel parameters for optimal security.
This chapter contains the following sections:
“Filtering ICMPv4 Packets by Type and Code (icmp-type and code)” (page 95)
“Configuring ICMPv4 Kernel Parameters” (page 96)
“Filtering ICMPv6 Packets by Type and Code (icmpv6-type and code)” (page 100)
“Controlling ICMPv6 Router Discovery and Neighbor Discovery Messages” (page 101)
Filtering ICMPv4 Packets by Type and Code (icmp-type and code)
You can filter specific types of ICMPv4 (ICMP) traffic using the icmp-type and code keywords.
These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service
(DoS) attacks, but must allow certain types of ICMP messages in and out of your system.
You must specify proto icmp to use the icmp-type and code keywords. A simplified rule
syntax is as follows:
block|pass in|out [processing_options] proto icmp ip_selector icmp-type type [code code_value]
where:
processing_options is one or more processing options, such as quick. See “Processing
Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces” (page 28).
ip_selector is the IP address specification, as defined in “Basic Rule Syntax: Specifying the
Action, Direction, Protocol, IP Addresses, and Ports” (page 25).
type is the ICMP type, either the name listed in Table 10-1, or the decimal value.
code_value is the decimal value for the ICMP code.
For example, if you want to specifically allow echo replies (ping replies) into your system,
configure the following rule:
pass in quick proto icmp from any to any icmp-type 0 code 0
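The following ipf.conf fragment is an added example (not taken from the guide) showing how the icmp-type and code keywords combine into the restrictive policy the text describes: ICMP is dropped by default, and only the message types a host needs (ping replies, and the Destination Unreachable codes that path MTU discovery and traceroute depend on) are allowed in. It assumes the type and code names listed in Table 10-1 and the decimal value 8 for echo request (RFC 792); quick makes each rule final on first match, so the pass rules must precede the block rule.

```conf
# Allow ping replies in (ECHO REPLY, type 0, code 0).
pass in quick proto icmp from any to any icmp-type echorep code 0

# Allow the two Destination Unreachable (type 3) codes most hosts depend on:
#   needfrag (code 4)  - required for path MTU discovery to work
#   port-unr (code 3)  - lets UDP applications and traceroute see closed ports
pass in quick proto icmp from any to any icmp-type unreach code needfrag
pass in quick proto icmp from any to any icmp-type unreach code port-unr

# Drop and log every other inbound ICMP message (redirects, other unreachables,
# timestamp requests, and so on). Logging the drops gives a record of ICMP
# scans without answering them.
block in log quick proto icmp from any to any

# Let this host originate echo requests (type 8, given here as a decimal value)
# so that outbound ping still works; the replies match the echorep rule above.
pass out quick proto icmp from any to any icmp-type 8
```

Because the block rule has no icmp-type clause, it matches every ICMP type not already passed by an earlier quick rule; narrowing the pass rules with code keeps unrelated type 3 codes (for example srcfail) from being admitted.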
Table 10-1 ICMP Type and Codes

Meaning                                    icmp-type   Type   icmp-code   Code
ECHO REPLY (ping reply) [RFC792]           echorep     0                  0
DESTINATION UNREACHABLE                    unreach     3
    network unreachable                                       net-unr     0
    host unreachable                                          host-unr    1
    protocol unreachable                                      proto-unr   2
    port unreachable [RFC792]                                 port-unr    3
    need fragmentation [RFC792]                               needfrag    4
    source route failed [RFC792]                              srcfail     5
    destination network unknown                               net-unk     6
    destination host unknown                                  host-unk    7
    source host isolated [RFC792] (ping)                      isolate     8
Filtering ICMPv4 Packets by Type and Code (icmp-type and code) 95