HP-UX IPFilter Version 17 Administrator's Guide
• ICMP—60 seconds
• UDP—120 seconds
• TCP—120 seconds
You can override the default TCP timeout that applies once a connection is closed using the fr_tcptimewait
tunable, or on a per-rule basis with the age option. A value specified in a rule takes priority
over the tunable value set at system level.
The age option is supported in IPFilter rules for ICMP, UDP and TCP. In NAT rules, only TCP
is supported; NAT provides the frnat_tcptimewait tunable to set the system-level timeout.
NOTE: This is available only on HP-UX 11i v3.
3.5.7.1 Rule Examples
To pass outbound ICMP echo requests and keep the state entry for 30 seconds, until the ICMP
reply is received:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state age 30
To keep a UDP state entry for 40 seconds, until the UDP reply is received:
pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40
To keep a TCP state entry for 60 seconds after the connection has been closed:
IMPORTANT: Use age in a TCP rule only in the case of a DoS-type attack (ACK flood and so forth),
because it modifies the timeout value of the TIME_WAIT state in the TCP state table, which can cause
duplicate Initial Sequence Numbers (ISNs).
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60
3.5.8 keep frags: Handling IP Fragments
You can configure IPFilter to keep information about IP packets and to select subsequent IP
packet fragments. The keep frags keyword lets you configure IPFilter to pass fragmented
packets while blocking packets that might be forgeries or port scans trying to attack the system.
The keep frags option is valid only when used with the keep state option.
In the following example, the first two rules define the valid packets that are allowed to pass.
The keep state and keep frags keywords allow the IP fragments related to those packets to
pass. The third and fourth rules block and log all other packets.
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state keep frags
pass out quick on lan0 proto tcp from any to any keep state flags S keep frags
block in log quick all
block out log quick all
In this example, every valid packet is entered into the state table before the blocking rules are
processed. To further protect the system, log initial SYN packets to detect SYN scans.
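As an added example (not from the HP-UX guide or the IPFilter software), a small Python lint that checks a rule file against the constraints stated in the age and keep frags sections above: keep frags is valid only with keep state, age only affects a state entry and is supported for ICMP, UDP and TCP, and a TCP age is reported as an advisory finding. The sample rules, function names and message wording are assumptions, and the lint recognises only the options used in these examples.

```python
# Constructed sample ipf.conf fragment: the guide's age and keep frags examples, plus
# two deliberately broken rules at the end (keep frags without keep state; age without it).
SAMPLE_RULES = """\
pass out on lan0 proto icmp from any to any icmp-type 8 keep state age 30
pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state keep frags
pass out quick on lan0 proto tcp from any to any keep state flags S keep frags
block in log quick all
block out log quick all
pass in on lan0 proto tcp from any to any keep frags
pass in on lan0 proto udp from any to any age 15
"""
def _has_keep(toks, word):
    """True if the two-token option 'keep <word>' appears in the rule."""
    return any(a == "keep" and b == word for a, b in zip(toks, toks[1:]))

def lint_rule(rule):
    """Return the findings for one rule; an empty list means the rule is clean."""
    findings = []
    toks = rule.split()
    has_state, has_frags = _has_keep(toks, "state"), _has_keep(toks, "frags")
    proto = toks[toks.index("proto") + 1] if "proto" in toks else None
    age = None
    if "age" in toks:
        idx = toks.index("age")
        if idx + 1 < len(toks) and toks[idx + 1].isdigit():
            age = int(toks[idx + 1])
        else:
            findings.append("age needs a numeric value in seconds")
    if has_frags and not has_state:
        findings.append("keep frags is valid only together with keep state")
    if age is not None:
        if not has_state:
            findings.append("age sets a state-entry timeout; the rule needs keep state")
        if proto not in ("icmp", "udp", "tcp"):
            findings.append("age is supported only for proto icmp, udp or tcp")
        if proto == "tcp":  # advisory: shortens TIME_WAIT, risks duplicate ISNs
            findings.append("tcp age overrides TIME_WAIT; the guide reserves it for DoS handling")
    return findings

def lint_ruleset(text):
    """Lint every non-blank, non-comment line; maps 1-based line number to findings."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        found = lint_rule(line) if line and not line.startswith("#") else []
        if found:
            report[lineno] = found
    return report
```

Running lint_ruleset(SAMPLE_RULES) reports lines 3, 8 and 9 only; the first seven rules from the guide pass apart from the advisory on the TCP age rule.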
38 Configuring and Loading IPv4 Filter Rules