HP-UX IPFilter Version 17 Administrator's Guide

“ICMP Redirects (ip_send_redirects)” (page 104)
“PMTU Discovery (ip_pmtu_strategy)” (page 104)
“ICMP Echo Request Broadcasts (ip_respond_to_echo_broadcast)” (page 105)
This section also describes how to use ndd to set the ICMP parameter values (“Using ndd to Configure ICMPv4 Kernel Parameters” (page 105)).
11.2.1 Dead Gateway Detection (ip_ire_gw_probe)
The ip_ire_gw_probe parameter enables or disables dead (non-operational) gateway detection.
This feature is useful in topologies with redundant gateways. If you do not have redundant
gateways, HP recommends that you disable this feature. By default, this feature is enabled.
Parameter Name        Valid Values     Default Value
ip_ire_gw_probe       0 (disable)      1
                      1 (enable)
NOTE: If your topology matches all of the following conditions, your system may mark gateways "down" and lose connectivity to remote systems through those gateways:
- The local system is an HP-UX 11i v1 system without patch PHNE_35351 or later installed, or an HP-UX 11i v2 system without patch PHNE_35765 or later installed.
- The ip_ire_gw_probe feature is enabled (ip_ire_gw_probe is set to 1).
- IPFilter is configured to block ICMP echo requests and echo reply messages to or from the gateways. This includes IPFilter configurations that block all messages from a subnet address that matches the gateway addresses.
11.2.1.1 IPFilter Configuration
When this feature is enabled, you must configure IPFilter to allow ICMP Echo Request (type 8,
code 0) and Echo Reply messages (type 0, code 0) to pass to and from the gateways. In the
following example, the router addresses are 10.10.10.10 and 10.20.20.20:
pass out quick proto icmp from any to 10.10.10.10 icmp-type echo
pass in quick proto icmp from 10.10.10.10 to any icmp-type echorep
pass out quick proto icmp from any to 10.20.20.20 icmp-type echo
pass in quick proto icmp from 10.20.20.20 to any icmp-type echorep
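The following is an added example, not part of the HP-UX guide: a small audit that reads a ruleset in the reduced grammar used above ("pass|block in|out [quick] [proto icmp] from A to B [icmp-type T]"), applies IPFilter's matching order (last matching rule wins, unless a matching rule is marked quick, which ends evaluation), and reports any gateway whose echo probe or echo reply would be dropped. The sample ruleset, host address 10.10.10.5 and the "/24 subnet block" that defeats probing of 10.20.20.20 are constructed for the example.

```python
import ipaddress

def parse_rule(line):
    """Parse one rule of the reduced grammar into a dict (proto is ignored)."""
    t = line.split()
    return {"action": t[0], "dir": t[1], "quick": "quick" in t,
            "src": t[t.index("from") + 1], "dst": t[t.index("to") + 1],
            "icmp_type": t[t.index("icmp-type") + 1] if "icmp-type" in t else None}

def addr_match(pattern, addr):
    """'any', a host address or a CIDR prefix, as IPFilter accepts them."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def decide(rules, direction, src, dst, icmp_type):
    """Return 'pass' or 'block' for one ICMP packet using IPFilter ordering."""
    verdict = "pass"  # IPFilter passes a packet that matches no rule at all
    for r in rules:
        if r["dir"] != direction:
            continue
        if not (addr_match(r["src"], src) and addr_match(r["dst"], dst)):
            continue
        if r["icmp_type"] and r["icmp_type"] != icmp_type:
            continue
        verdict = r["action"]  # later matches override earlier ones...
        if r["quick"]:
            break              # ...unless the matching rule is 'quick'
    return verdict

def gateways_probe_ok(ruleset_text, host, gateways):
    """List the gateways whose dead-gateway probes the ruleset would break."""
    rules = [parse_rule(l) for l in ruleset_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    problems = []
    for gw in gateways:
        if decide(rules, "out", host, gw, "echo") != "pass":
            problems.append(f"{gw}: outbound echo blocked")
        if decide(rules, "in", gw, host, "echorep") != "pass":
            problems.append(f"{gw}: inbound echorep blocked")
    return problems

# Constructed sample: the subnet block precedes the pass rule for 10.20.20.20,
# so the reply from that gateway never reaches the host (the NOTE's third condition).
RULES = """\
pass out quick proto icmp from any to 10.10.10.10 icmp-type echo
pass in quick proto icmp from 10.10.10.10 to any icmp-type echorep
block in quick from 10.20.20.0/24 to any
pass out quick proto icmp from any to 10.20.20.20 icmp-type echo
pass in quick proto icmp from 10.20.20.20 to any icmp-type echorep
"""

if __name__ == "__main__":
    print(gateways_probe_ok(RULES, "10.10.10.5", ["10.10.10.10", "10.20.20.20"]))
```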
11.2.2 ICMP Source Quench (ip_send_source_quench)
The ip_send_source_quench parameter enables or disables the ICMP source quench feature.
If you enable this feature, the system will send ICMP source quench messages if the inbound
buffer of an upper-layer module (TCP or UDP) is full.
HP recommends that you disable this feature in security-conscious topologies. Attackers can
exploit systems that send ICMP source quench messages to discover the IP addresses of systems
on a network.
Parameter Name           Valid Values     Default Value
ip_send_source_quench    0 (disable)      1
                         1 (enable)
11.2.2.1 IPFilter Configuration
If you want to use the ICMP send source quench feature, configure IPFilter to allow outbound
ICMP source quench packets (type 4). For example:
11.2 Configuring ICMPv4 Kernel Parameters 103