HP-UX IPFilter Version 17 Administrator's Guide
NOTE: The keep state keyword creates a state entry for any packet that matches the rule, even a
packet from the middle of a connection that is already established. The only exception is a rule
that also specifies flags S. In that case, IPFilter creates a state table entry only for a TCP packet
with the SYN flag set, and TCP sends such packets only at connection establishment time.
3.5.6.2.1 Idle Timeout
By default, IPFilter keeps TCP state table entries for idle, established TCP connections for 86,400
seconds (24 hours). If the connection is idle (no packets match the entry) for this time period,
IPFilter deletes the entry.
You can change the idle timeout value for TCP entries by modifying the fr_tcpidletimeout
kernel parameter. See “fr_tcpidletimeout” (page 144) for more information.
3.5.6.3 Using Keep State with UDP
You can also use the keep state keyword in rules for UDP, even though UDP has no connection setup.
When a packet matches the rule, IPFilter adds a state table entry that matches further packets between
the same source and destination addresses and ports, in both directions.
For example:
pass out on lan0 proto udp from any to any port 33434><33690 keep state
3.5.6.3.1 Idle Timeout
If a UDP state table entry is idle (no packets match the entry) for 120 seconds, IPFilter deletes
the entry.
3.5.6.4 Using Keep State with ICMP
For some ICMP messages, the ICMP protocol defines a request and a corresponding reply
message. For example, the ICMP echo request (ICMP type 8) message (sent by the ping utility)
has a corresponding ICMP echo reply (ICMP type 0) message. You can configure a rule to pass
outbound ICMP echo requests and to pass in the subsequent ICMP echo replies. For example:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state
NOTE: To configure rules to keep state on any outbound ICMP messages that might receive a
reply ICMP message, you must specify both the proto icmp and the keep state options.
To prevent an attacker from using an active entry in your state table to send arbitrary ICMP messages
through your firewall, match incoming ICMP packets on their type and code (where applicable) in
addition to the source and destination addresses (and ports, where applicable).
3.5.6.4.1 Idle Timeout
If an ICMP state table entry is idle (no packets match the entry) for 60 seconds, IPFilter deletes
the entry.
3.5.6.4.2 ICMP Error Status Messages
If a router or the remote host returns an ICMP error status message in response to a TCP or UDP
packet that matches an active state table entry, IPFilter applies that TCP or UDP rule to the ICMP
packet. For example:
pass out on lan0 proto udp from any to any port 33434><33690 keep state
If an ICMP error status message (such as icmp-type 3 code 3, port unreachable, or icmp-type 11,
time exceeded) is returned for this UDP session, IPFilter applies the rule to the ICMP packet and
allows it to pass.
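The following Python model ties together the state behaviour described in 3.5.6.2 through 3.5.6.4.2: state creation (and the flags S exception), bidirectional matching for UDP, the ICMP echo request/reply pairing with the type check recommended above, ICMP error status messages matched through the quoted header of the packet that caused them, and the per-protocol idle timeouts (TCP 86,400 s, UDP 120 s, ICMP 60 s). It is an added example, not HP-UX IPFilter code. The rule set is a hard-coded stand-in for the ipf.conf lines on this page (with a block in all rule added as the default policy, and last matching rule wins, since quick is not modelled), packets are dicts constructed inline with made-up addresses, flags S is simplified to "only a bare SYN creates state", and ICMP echo entries are keyed on the echo identifier; none of these details are taken from IPFilter's implementation.

```python
"""Toy model of the 'keep state' behaviour this chapter describes.  Added example, not
HP-UX IPFilter code: rules stand in for ipf.conf lines, packets are constructed dicts."""
from dataclasses import dataclass

IDLE_TIMEOUT = {"tcp": 86400, "udp": 120, "icmp": 60}   # seconds (3.5.6.2.1, 3.5.6.3.1, 3.5.6.4.1)
ICMP_REPLY_OF = {8: 0}       # echo request (type 8) is answered by echo reply (type 0)
ICMP_ERROR_TYPES = {3, 11}   # unreachable / time exceeded: these quote the offending packet


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    proto: str = None      # None matches any protocol
    ports: tuple = None    # (low, high) with exclusive bounds, like 'port low><high'
    icmp_type: int = None
    keep_state: bool = False
    flags_s: bool = False  # 'flags S': create state only for a bare SYN (assumption)

    def matches(self, pkt):
        if self.direction != pkt["dir"] or (self.proto and self.proto != pkt["proto"]):
            return False
        if self.ports and not (self.ports[0] < (pkt.get("dport") or 0) < self.ports[1]):
            return False
        return self.icmp_type is None or pkt.get("type") == self.icmp_type


def _keys(p):
    """Forward and reverse (proto, src, sport, dst, dport); ICMP echo uses its id as both ports."""
    sp, dp = p.get("sport", p.get("id")), p.get("dport", p.get("id"))
    return (p["proto"], p["src"], sp, p["dst"], dp), (p["proto"], p["dst"], dp, p["src"], sp)


class StateFilter:
    def __init__(self, rules):
        self.rules, self.table = rules, {}   # table: key -> (last_seen, ICMP request type or None)

    def _expire(self, now):
        for k in [k for k, (seen, _) in self.table.items() if now - seen > IDLE_TIMEOUT[k[0]]]:
            del self.table[k]

    def _state_hit(self, pkt, now):
        """True if pkt belongs to a live state entry; refreshes that entry's idle timer."""
        if pkt["proto"] == "icmp" and pkt["type"] in ICMP_ERROR_TYPES:
            # ICMP error status (3.5.6.4.2): match on the quoted header of the packet that caused it
            return any(k in self.table for k in _keys(pkt["inner"]))
        fwd, rev = _keys(pkt)
        for k in (fwd, rev):
            if k in self.table:
                req_type = self.table[k][1]
                # Reply direction of an ICMP entry must carry the matching reply type (3.5.6.4)
                if req_type is not None and k == rev and pkt["type"] != ICMP_REPLY_OF.get(req_type):
                    return False
                self.table[k] = (now, req_type)
                return True
        return False

    def process(self, pkt, now):
        """Return 'pass' or 'block': state table first, then last matching rule wins."""
        self._expire(now)
        if self._state_hit(pkt, now):
            return "pass"
        verdict, winner = "block", None
        for r in self.rules:
            if r.matches(pkt):
                verdict, winner = r.action, r
        if verdict == "pass" and winner.keep_state:
            bare_syn = pkt["proto"] == "tcp" and pkt.get("flags") == "S"
            if not winner.flags_s or bare_syn:   # under 'flags S' a mid-stream packet makes no state
                self.table[_keys(pkt)[0]] = (now, pkt["type"] if pkt["proto"] == "icmp" else None)
        return verdict


def run_scenario():
    """Constructed traffic through the chapter's example rules; returns the verdicts in order."""
    fw = StateFilter([
        Rule("block", "in"),                                                # block in all (default)
        Rule("pass", "out", "tcp", keep_state=True, flags_s=True),          # flags S keep state
        Rule("pass", "out", "udp", ports=(33434, 33690), keep_state=True),  # the 3.5.6.3 rule
        Rule("pass", "out", "icmp", icmp_type=8, keep_state=True),          # the 3.5.6.4 rule
    ])
    a, b, rtr = "10.0.0.5", "192.0.2.10", "198.51.100.1"   # constructed addresses
    udp_out = {"dir": "out", "proto": "udp", "src": a, "sport": 40000, "dst": b, "dport": 33435}
    udp_back = {"dir": "in", "proto": "udp", "src": b, "sport": 33435, "dst": a, "dport": 40000}
    ttl_exceeded = {"dir": "in", "proto": "icmp", "src": rtr, "dst": a, "type": 11, "inner": udp_out}
    ping = {"dir": "out", "proto": "icmp", "src": a, "dst": b, "type": 8, "id": 7}
    pong = {"dir": "in", "proto": "icmp", "src": b, "dst": a, "type": 0, "id": 7}
    forged = {"dir": "in", "proto": "icmp", "src": b, "dst": a, "type": 8, "id": 7}
    tcp_ack = {"dir": "out", "proto": "tcp", "src": a, "sport": 5000, "dst": b, "dport": 80, "flags": "A"}
    tcp_ack_back = {"dir": "in", "proto": "tcp", "src": b, "sport": 80, "dst": a, "dport": 5000, "flags": "A"}
    return [
        fw.process(udp_out, 0),        # pass: creates a UDP state entry
        fw.process(ttl_exceeded, 1),   # pass: the ICMP error quotes the stateful UDP packet
        fw.process(ping, 2),           # pass: creates an ICMP state entry
        fw.process(pong, 3),           # pass: echo reply matches it
        fw.process(forged, 4),         # block: an echo request is not the reply type for that entry
        fw.process(tcp_ack, 5),        # pass: but 'flags S' means no state for a mid-stream ACK
        fw.process(tcp_ack_back, 6),   # block: nothing in the table for the return packet
        fw.process(udp_back, 100),     # pass: UDP entry still live after 100 s, timer refreshed
        fw.process(udp_back, 221),     # block: idle 121 s > 120 s, entry was deleted
    ]
```

Calling run_scenario() returns the nine verdicts in order. The two block results that matter for the security point are the forged echo request, which shares addresses and identifier with a live entry but fails the type check, and the inbound ACK whose outbound counterpart created no state because of flags S; the final block shows the UDP entry disappearing once it has been idle for longer than 120 seconds.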
3.5.7 State Aging
The system-defined state entry timeout values are:
3.5 Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information 37