HP-UX IPFilter Version 16 Administrator's Guide

pass out quick proto tcp from 10.1.1.1/32 to any keep state
pass out quick proto udp from 10.1.1.1/32 to any keep state
pass out quick proto icmp from 10.1.1.1/32 to any keep state
For more examples of correct uses of the keep state keyword, see Appendix B (page 121).
Allocating Memory for the State Table
The amount of memory allocated for the state table is determined by the kernel tunable parameter
fr_statemax. In most deployments, the default value is sufficient. For information about
modifying the fr_statemax value, see “fr_statemax” (page 134).
Using Keep State with TCP
You can configure rules with the flags and keep state keywords to select packets for TCP
connections initiated in a specific direction. To do this, use the flags option to select the first
packet used to initiate a TCP connection and add the keep state keyword to select subsequent
packets for the connection. The first packet used to initiate a TCP connection has the SYN flag
set, but not the ACK flag, and in most cases has no other flags set.
For example, the following ruleset uses the flags S specification to select packets for telnet
connection requests (TCP port 23) sent from the local system (10.1.1.1). The keep state keyword
also allows subsequent TCP packets for these connections to pass. These rules allow only the
following packets:
• Outbound TCP connection requests (TCP SYN flag set and no other flags set) for telnet (port 23)
• The packets used to finish establishing the TCP connections for the outbound telnet requests
• Inbound and outbound packets for the established telnet connections
pass out quick proto tcp from 10.1.1.1/32 to any port = 23 flags S keep state
block in quick all
block out all
With the previous ruleset, IPFilter enters the first packet of an outbound telnet connection in
the state table. When the three-way TCP handshake has been recorded by the state engine, the
connection is marked as fully established (the state is set to 4/4). The state table entry is set for
long-term data exchange until the connection ends; at that time the state changes again. You can
see the current states for entries in the state table using ipfstat. See “Viewing IPFilter Statistics
and Active Rules with ipfstat” (page 70) for more information.
The flags keyword also prevents badly-formed TCP packets from entering your system. For
example, you can configure a web server (10.2.2.2) with the following ruleset:
pass in quick proto tcp from any to 10.2.2.2/32 port = 80 flags S keep state
block in quick all
block out all
With the previous ruleset, IPFilter allows in valid connection requests (TCP packets with only
the SYN flag set) for the HTTP service (TCP port 80). The keep state keyword directs IPFilter
to enter packet information in the state table to allow subsequent packets for those connections.
This ruleset has two advantages:
• No badly-formed TCP packets are allowed in or added to the state table.
• TCP port scan attacks that send TCP packets with inappropriate flags set will fail, such as
FIN scan attacks. In FIN scan attacks, an attacker sends TCP packets with the SYN and FIN
flags set to elicit TCP RST packets and determine the ports open on a system for connection
requests.
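The following is an added example, not part of the guide or of IPFilter itself: a simplified Python model of how the web server ruleset above behaves (flags S admits only SYN-only packets to port 80, keep state then admits both directions of the tracked connection, everything else is blocked). The packet sequence and client addresses are constructed, and the model ignores the TCP state machine details (the 4/4 state and connection teardown) that the real state engine tracks.

```python
from dataclasses import dataclass

SERVER = "10.2.2.2"   # web server address from the ruleset
HTTP = 80

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (toward the server) or "out" (from the server)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags present, e.g. {"S"}, {"S", "A"}, {"F"}

class StatefulFilter:
    """Models: pass in quick proto tcp from any to 10.2.2.2/32 port = 80 flags S keep state
               block in quick all
               block out all"""
    def __init__(self):
        self.state = set()   # tracked connections, keyed by (client_ip, client_port)

    def _tracked(self, pkt):
        # A state table entry matches the connection in both directions.
        if pkt.direction == "in":
            return pkt.dst == SERVER and pkt.dport == HTTP and (pkt.src, pkt.sport) in self.state
        return pkt.src == SERVER and pkt.sport == HTTP and (pkt.dst, pkt.dport) in self.state

    def decide(self, pkt):
        if self._tracked(pkt):
            return "pass"                      # subsequent packet of a kept connection
        # 'flags S' means SYN set and no other flag set: the first handshake packet only.
        if (pkt.direction == "in" and pkt.dst == SERVER and pkt.dport == HTTP
                and pkt.flags == frozenset({"S"})):
            self.state.add((pkt.src, pkt.sport))   # keep state: remember the connection
            return "pass"
        return "block"                         # block in quick all / block out all

def demo():
    """Runs a constructed packet sequence through the filter and returns the decisions."""
    f = StatefulFilter()
    seq = [
        Packet("in",  "192.0.2.10", 40000, SERVER, HTTP, frozenset({"S"})),         # SYN: pass, state created
        Packet("out", SERVER, HTTP, "192.0.2.10", 40000, frozenset({"S", "A"})),    # SYN/ACK: pass via state
        Packet("in",  "192.0.2.10", 40000, SERVER, HTTP, frozenset({"A"})),         # ACK: handshake completes
        Packet("in",  "192.0.2.10", 40000, SERVER, HTTP, frozenset({"A", "P"})),    # data on the connection
        Packet("in",  "198.51.100.7", 40001, SERVER, HTTP, frozenset({"S", "F"})),  # SYN/FIN probe: blocked
        Packet("in",  "198.51.100.7", 40002, SERVER, HTTP, frozenset({"A"})),       # bare ACK, no state: blocked
        Packet("in",  "192.0.2.10", 40000, SERVER, 22, frozenset({"S"})),           # SYN to another port: blocked
    ]
    return [f.decide(p) for p in seq]
```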
Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information 29