HP-UX IPFilter Version 16 Administrator's Guide

block in all with ipopts
with frag and with short: Selecting Fragmented IP Packets
The with frag and with short keywords enable you to select IP packet fragments and short
IP packets.
with frag: Selecting IP Packet Fragments
The with frag keyword selects IP packet fragments (IP packets with a non-zero fragment
offset). If you do not want IPFilter to pass IP packet fragments, specify the block action and the
with frag keywords. For example:
block in all with frag
with short: Selecting Short Fragments
You can configure IPFilter to drop packet fragments that are too short for comparison using the
with short keyword. This is useful for security purposes, because an attacker can use fragments
to attempt to access the system. For example:
block in all with short
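To make the two selection criteria above concrete, here is a small Python classifier (added for this guide excerpt, not HP-UX IPFilter code) that parses a raw IPv4 header and reports whether the packet would be selected by with frag (non-zero fragment offset) or with short (a fragment whose transport header is too short to compare ports or ICMP type). The minimum header lengths used for the short check, and the build_ipv4 helper and sample packets, are assumptions constructed for the example.

```python
import struct
from socket import inet_aton

IP_MF = 0x2000        # "More Fragments" bit in the 16-bit flags/offset field
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units

# Assumed minimum transport header sizes needed before IPFilter can compare
# ports or ICMP type/code: TCP 20 bytes, UDP 8 bytes, ICMP 8 bytes.
MIN_HDR = {6: 20, 17: 8, 1: 8}


def build_ipv4(payload, proto, more_fragments=False, frag_offset=0,
               src="192.0.2.5", dst="10.1.1.1"):
    """Build a constructed IPv4 packet (no options, checksum left at zero)."""
    total_len = 20 + len(payload)
    flags_off = (IP_MF if more_fragments else 0) | (frag_offset & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_off,
                      64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr + payload


def classify(packet):
    """Return the frag/short selection results for a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4          # header length from IHL nibble
    flags_off, proto = fields[4], fields[6]
    offset = flags_off & IP_OFFMASK
    more_fragments = bool(flags_off & IP_MF)
    payload_len = len(packet) - ihl
    # "with frag": any packet whose fragment offset is non-zero
    is_fragment = offset != 0
    # "with short": a first fragment (or whole packet) at offset 0 that does
    # not carry the full transport header needed for rule comparison
    is_short = offset == 0 and payload_len < MIN_HDR.get(proto, 0)
    return {"frag": is_fragment, "short": is_short,
            "more_fragments": more_fragments, "offset": offset}


# Constructed 20-byte TCP header: sport 40000, dport 22, SYN only
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 8192, 0, 0)

# Sample packets, constructed for this example
FULL_SYN = build_ipv4(TCP_SYN, 6)
SHORT_FIRST_FRAG = build_ipv4(TCP_SYN[:8], 6, more_fragments=True)
LATER_FRAG = build_ipv4(b"\x00" * 16, 6, frag_offset=1)


def demo():
    """Classify the three sample packets; the short fragment hides the flags."""
    return {name: classify(pkt) for name, pkt in
            [("full_syn", FULL_SYN), ("short_first_frag", SHORT_FIRST_FRAG),
             ("later_frag", LATER_FRAG)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A rule of the form block in all with short would drop SHORT_FIRST_FRAG, whose eight-byte TCP stub carries the ports but not the flags or checksum, and block in all with frag would drop LATER_FRAG, which carries no transport header at all; FULL_SYN is selected by neither keyword.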
icmp-type and code: Filtering ICMP Traffic by Type and Code
You can filter specific types of ICMP traffic using the icmp-type and icmp-code keywords.
These keywords are useful if you want to block most ICMP traffic to prevent Denial of Service
(DoS) attacks, but must allow certain types of ICMP messages in and out of your system. These
keywords are also useful when you want to block traffic from blocks of addresses but want to
allow in ICMP packets required for normal network operation. See Chapter 10 (page 91) for
more information.
keep state: Protecting TCP, UDP, and ICMP Sessions
Use keep state to select individual TCP, UDP, and ICMP sessions that exchange multiple
packets. This enables you to use a rule to select the first packet in a session and then apply the
same rule for all other packets in the session. For example, you can use the keep state option
to allow bidirectional packets for a session that originates from the local system while blocking
similar packets for session requests from remote systems. The keep state option also enables
IPFilter to distinguish legitimate traffic from port scan attacks and Denial of Service (DoS) attacks.
When a packet matches a rule with the keep state option, IPFilter creates an entry in its state
table with the source and destination IP addresses and protocol. If the protocol is TCP or UDP,
the entry also contains the source and destination port numbers. The entry is bidirectional and
IPFilter checks both inbound and outbound packets against the state table, so you do not need
to configure rules for the other inbound and outbound packets that match these parameters.
You can use keep state to limit the number of rules you must configure. Use keep state
to pass or block the first packet in a TCP, UDP, or ICMP session. If the protocol is TCP, you can
specify flags S to match the first packet in a TCP session (a TCP packet with only the SYN flag
set).
For example, you can use the keep state keyword with IPFilter rules to protect an SSH server:
pass in quick proto tcp from any to 10.1.1.1/32 port = 22 flags S keep state
block out all
The keep state keyword causes IPFilter to create an entry in the state table after the first SYN
packet (flags S) received by the SSH server. The entry specifies the IP addresses, protocol, and
port numbers for the session. IPFilter will not check subsequent inbound or outbound packets
matching the state table entry against the IPFilter ruleset. This enables outbound responses for
the SSH session to pass, despite the block out all rule.
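The following Python model (added here as an illustration; it is not IPFilter code) walks through the state-table behaviour just described: the first SYN matches the pass rule and creates a bidirectional entry, the SYN/ACK reply is then passed from the state table without consulting the ruleset, and an outbound connection with no state entry is stopped by block out all. The model assumes IPFilter's last-match semantics with quick ending evaluation, a default of pass when no rule matches, and adds a trailing block in all to the guide's two-rule SSH set so that a stray ACK probe without state is also blocked; a second scenario applies the same mechanism to an outbound UDP DNS query and its reply. Addresses, ports and the DNS rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = -1         # -1 means "no port" (ICMP)
    dport: int = -1
    flags: str = ""         # TCP flags present, e.g. "S" (SYN only), "SA"


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    proto: Optional[str] = None     # None = any protocol
    dst: Optional[str] = None       # destination network, e.g. "10.1.1.1/32"
    dport: Optional[int] = None     # destination port; None = any
    flags: Optional[str] = None     # exact TCP flag set required, e.g. "S"
    quick: bool = False
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        # "flags S" requires exactly the listed flags and no others
        if self.flags is not None and set(self.flags) != set(pkt.flags):
            return False
        return True


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}     # bidirectional session key -> action to apply

    @staticmethod
    def session_key(pkt: Packet):
        # Order the endpoints so inbound and outbound packets of one
        # session map to the same entry (addresses, ports and protocol).
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def check(self, pkt: Packet):
        """Return (action, reason); the ruleset is skipped for known sessions."""
        key = self.session_key(pkt)
        if key in self.state:
            return self.state[key], "state table"
        winner = None
        for rule in self.rules:        # last match wins unless "quick"
            if rule.matches(pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass", "no matching rule"   # assumed default action
        if winner.keep_state:
            self.state[key] = winner.action
        return winner.action, "rule"


# The guide's SSH rules plus an added "block in all" (assumption for the demo)
SSH_RULES = [
    Rule("pass", "in", proto="tcp", dst="10.1.1.1/32", dport=22,
         flags="S", quick=True, keep_state=True),
    Rule("block", "out"),
    Rule("block", "in"),
]

# Constructed rules for a locally originated DNS lookup over UDP
DNS_RULES = [
    Rule("pass", "out", proto="udp", dport=53, quick=True, keep_state=True),
    Rule("block", "in"),
]


def ssh_scenario():
    f = StatefulFilter(SSH_RULES)
    syn = Packet("in", "tcp", "192.0.2.5", "10.1.1.1", 40000, 22, "S")
    synack = Packet("out", "tcp", "10.1.1.1", "192.0.2.5", 22, 40000, "SA")
    unrelated_out = Packet("out", "tcp", "10.1.1.1", "192.0.2.9", 40001, 80, "S")
    ack_probe = Packet("in", "tcp", "192.0.2.5", "10.1.1.1", 40002, 22, "A")
    return [f.check(p) for p in (syn, synack, unrelated_out, ack_probe)]


def dns_scenario():
    f = StatefulFilter(DNS_RULES)
    query = Packet("out", "udp", "10.1.1.1", "192.0.2.53", 5353, 53)
    reply = Packet("in", "udp", "192.0.2.53", "10.1.1.1", 53, 5353)
    unsolicited = Packet("in", "udp", "192.0.2.77", "10.1.1.1", 53, 5353)
    return [f.check(p) for p in (query, reply, unsolicited)]


if __name__ == "__main__":
    print("ssh:", ssh_scenario())
    print("dns:", dns_scenario())
```

In the SSH run the SYN/ACK is passed with reason "state table" although block out all would otherwise match it, while the unrelated outbound connection and the ACK-only probe (which never created state) are blocked; in the DNS run only the reply from the queried server is admitted, which is the "session originates from the local system" case described above.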
The following rules show keep state rules for TCP, UDP, and ICMP:
28 Configuring and Loading IPv4 Filter Rules