HP-UX IPFilter Version 17 Administrator's Guide
Table 11-1 ICMP Type and Codes (continued)

| Type | Code | icmp-type / icmp-code | Meaning |
|------|------|-----------------------|---------|
| | 9 | net-prohib | destination network administratively prohibited [RFC1256] |
| | 10 | host-prohib | destination host administratively prohibited [RFC1256] |
| | 11 | net-tos | network unreachable for TOS [RFC792] |
| | 12 | host-tos | host unreachable for TOS [RFC792] |
| | 13 | filter-prohib | prohibited by filtering [RFC1812] |
| | 14 | host-preced | host precedence violation [RFC1812] |
| | 15 | cutoff-preced | precedence cutoff in effect [RFC1812] |
| 4 | 0 | squench | SOURCE QUENCH |
| 5 | | redir | REDIRECT |
| | | | network |
| | | | host |
| | | | network & TOS |
| | | | host & TOS |
| 8 | 0 | echo | ECHO REQUEST (ping request) |
| | 0 | routerad | ROUTER ADVERTISEMENT |
| | 0 | routesol | ROUTER SOLICITATION |
| 11 | | timex | TIME EXCEEDED |
| | | | TTL=0 during transmit |
| | | | TTL=0 during reassembly |
| 12 | | paramprob | PARAMETER PROBLEM |
| 13 | 0 | timest | TIMESTAMP REQUEST |
| 14 | 0 | timestrep | TIMESTAMP REPLY |
| 15 | 0 | inforeq | INFO REQUEST (obsolete) |
| 16 | 0 | inforep | INFO REPLY (obsolete) |
| 17 | 0 | maskreq | ADDRESS MASK REQUEST |
| 18 | 0 | maskrep | ADDRESS MASK REPLY |
The ICMP code names are valid with the return-icmp and return-icmp-as-dest keywords,
which send ICMP responses to blocked packets. See “return-icmp-as-dest: Responding to Blocked
UDP Packets” (page 39) for an example.
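The following ipf.conf fragment is an added example, not taken from the HP guide. It shows code names from Table 11-1 used with return-icmp and return-icmp-as-dest, and icmp-type names used for matching. The interface lan0, the 192.0.2.0/24 network and the choice of ports are placeholder assumptions.

```conf
# Constructed example rules; lan0, 192.0.2.0/24 and the ports are placeholders.

# Block UDP to the portmapper and answer with ICMP type 3, code 13
# (filter-prohib). With return-icmp-as-dest the ICMP reply carries the
# original destination address as its source address.
block return-icmp-as-dest(filter-prohib) in quick on lan0 proto udp from any to 192.0.2.0/24 port = 111

# Block UDP to syslog and answer with code 10 (host-prohib). With plain
# return-icmp the reply is sourced from the filtering host's own address.
block return-icmp(host-prohib) in quick on lan0 proto udp from any to 192.0.2.0/24 port = 514

# Match inbound ICMP messages by the icmp-type names from the table.
block in quick on lan0 proto icmp from any to any icmp-type redir
block in quick on lan0 proto icmp from any to any icmp-type squench
block in quick on lan0 proto icmp from any to any icmp-type timest
block in quick on lan0 proto icmp from any to any icmp-type maskreq

# Allow outbound echo requests; keep state admits the matching replies.
pass out quick on lan0 proto icmp from any to any icmp-type echo keep state
```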
11.2 Configuring ICMPv4 Kernel Parameters
Historically, ICMPv4 (ICMP) messages have been exploited and used in Denial of Service (DoS)
attacks. This section describes how to optimize ICMP security by configuring ndd (system
network) parameters for ICMP features and by configuring associated IPFilter rules. This section
contains information about the following ICMP features:
• “Dead Gateway Detection (ip_ire_gw_probe)” (page 103)
• “ICMP Source Quench (ip_send_source_quench)” (page 103)