HP-UX IPFilter Version 15.01 Administrator's Guide
pass out quick proto icmp from any to any icmp-type 4
ICMP Redirects (ip_send_redirects)
The ip_send_redirects parameter enables or disables ICMP redirect transmissions. ICMP
redirects are generally used by hosts to communicate alternate or optimal routes. If a forged
ICMP redirect message is processed by a host, its routing table can be compromised and it may
route subsequent traffic through an unsafe route. A forged ICMP redirect message can also cause
a Denial of Service (DoS) attack by redirecting packets to nonexistent routers.
This feature is useful only on systems that are IP routers. If the local system is not an IP router,
HP recommends that you disable this feature.
Parameter Name      Default Value   Valid Values
ip_send_redirects   1               0 (disable)
                                    1 (enable)
IPFilter Configuration
HP recommends that you configure IPFilter to process ICMP redirect messages as follows:
• End systems
On end systems, block all inbound ICMP redirect messages without logging them. Block all
outbound ICMP redirect messages (end systems have no need to send ICMP redirect
messages). For example:
block in quick proto icmp from any to any icmp-type redir
block out quick proto icmp from any to any icmp-type redir
• Routers
On IP routers, allow outbound ICMP redirect messages (type 5) to pass. For example:
pass out quick proto icmp from any to any icmp-type redir
PMTU Discovery (ip_pmtu_strategy)
The ip_pmtu_strategy parameter enables or disables path maximum transmission unit
(PMTU) discovery. When PMTU discovery is disabled, IP sends packets with the "Don't Fragment"
bit cleared. This prevents intermediate nodes from fragmenting IP packets, and IP generally
selects conservative (small) values for the MTU, which can decrease IP throughput.
If PMTU discovery is enabled (the default setting), you must configure IPFilter to allow ICMP
Destination Unreachable, Fragmentation Needed (type 3, code 4) messages.
Parameter Name      Default Value   Valid Values
ip_pmtu_strategy    1               0 (disable and use 576 bytes as the PMTU)
                                    1 (enable)
                                    2 (deprecated)
                                    3 (disable and use the link-local MTU as the PMTU)
IPFilter Configuration
If PMTU discovery is enabled (the default setting), you must configure IPFilter to allow ICMP
Destination Unreachable, Fragmentation Needed (type 3, code 4) messages. For example:
pass in quick proto icmp from any to 10.1.1.1 icmp-type 3 code 4
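As an added example that is not part of the HP guide, the following Python evaluator applies the subset of IPFilter rule syntax used in this section (direction, quick, proto icmp, from/to, icmp-type given as the redir keyword or a number, code) to constructed ICMP packets, so the end-system rules, the router rule and the PMTU rule for host 10.1.1.1 can be checked together. The first-match-with-quick and default-pass semantics are assumed from ipf's documented behaviour, and 192.0.2.1 is a constructed sample source address.

```python
import ipaddress

ICMP_TYPE_NAMES = {"redir": 5}  # keyword used on this page; numeric types are also accepted

def parse_rule(line):
    """Parse 'block|pass in|out [quick] proto icmp from A to B [icmp-type T [code C]]'."""
    tok = line.split()
    rule = {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "src": None, "dst": None, "type": None, "code": None}
    for i, word in enumerate(tok):
        if word in ("from", "to"):  # 'any' -> None; a bare address -> a /32 network
            key = "src" if word == "from" else "dst"
            rule[key] = None if tok[i + 1] == "any" else ipaddress.ip_network(tok[i + 1])
        elif word == "icmp-type":
            v = tok[i + 1]
            rule["type"] = ICMP_TYPE_NAMES[v] if v in ICMP_TYPE_NAMES else int(v)
        elif word == "code":
            rule["code"] = int(tok[i + 1])
    return rule

def matches(rule, pkt):
    """True when every field the rule constrains agrees with the packet."""
    if rule["dir"] != pkt["dir"]:
        return False
    for side in ("src", "dst"):
        if rule[side] is not None and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
    return all(rule[f] is None or rule[f] == pkt[f] for f in ("type", "code"))

def decide(rules, pkt):
    """Assumed ipf semantics: last match wins, a matching 'quick' rule stops
    evaluation, and a packet that no rule matches passes."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

# The page's end-system rules plus the PMTU rule, for a host at 10.1.1.1.
END_SYSTEM = [parse_rule(r) for r in (
    "block in quick proto icmp from any to any icmp-type redir",
    "block out quick proto icmp from any to any icmp-type redir",
    "pass in quick proto icmp from any to 10.1.1.1 icmp-type 3 code 4",
)]
# The page's router rule: outbound redirects are allowed.
ROUTER = [parse_rule("pass out quick proto icmp from any to any icmp-type redir")]

def icmp(direction, dst, itype, code=0):  # constructed sample packet; 192.0.2.1 is a documentation address
    return {"dir": direction, "src": "192.0.2.1", "dst": dst, "type": itype, "code": code}
```

Note that a Destination Unreachable message with a code other than 4, or any packet no rule mentions, still passes under the default-pass semantics assumed here, which is why a production ruleset normally ends with an explicit block rule.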
If you configure IPFilter to block ICMP Fragmentation Needed messages, you must disable path
MTU discovery to ensure full connectivity to remote nodes not attached to a local link. In this
98 HP-UX IPFilter and ICMP