HP-UX IPFilter Version 17 Administrator's Guide

3 Configuring and Loading IPv4 Filter Rules  25
  3.1 IPv4 Filter Rules Configuration File  27
    3.1.1 Format  27
    3.1.2 Rule Order and Processing  27
  3.2 Basic Rule Syntax: Specifying the Action, Direction, Protocol, IP Addresses, and Ports  28
    3.2.1 pass and block: Specifying the Filter Action  28
    3.2.2 in and out: Specifying the Filter Direction  28
    3.2.3 proto: Specifying the Upper Layer Protocol  28
    3.2.4 from and to: Specifying IP Addresses and Subnets  28
      3.2.4.1 Examples  29
      3.2.4.2 all: Specifying All IP Addresses  29
        3.2.4.2.1 Example  29
    3.2.5 port: Specifying TCP and UDP Ports  29
      3.2.5.1 Service Names  30
  3.3 Rate-based Filtering  30
  3.4 Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces  31
    3.4.1 Option Order  31
    3.4.2 log: Logging Packets  31
    3.4.3 quick: Optimizing IPFilter Rules Processing  31
    3.4.4 on: Filtering by Network Interfaces  32
  3.5 Protocol Options: TCP Flags, IP Options and Fragments, ICMP Types and State Information  33
    3.5.1 Option Order  33
    3.5.2 flags: Specifying TCP Header Flags  33
    3.5.3 with opt and ipopts: Specifying IP Options  34
      3.5.3.1 not opt: Specifying Options Not Set  34
      3.5.3.2 ipopts: Specifying Any IP Options  34
    3.5.4 with frag and with short: Selecting Fragmented IP Packets  35
      3.5.4.1 with frag: Selecting IP Packet Fragments  35
      3.5.4.2 with short: Selecting Short Fragments  35
    3.5.5 icmp-type and code: Filtering ICMP Traffic by Type and Code  35
    3.5.6 keep state: Protecting TCP, UDP, and ICMP Sessions  35
      3.5.6.1 Allocating Memory for the State Table  36
      3.5.6.2 Using Keep State with TCP  36
        3.5.6.2.1 Idle Timeout  37
      3.5.6.3 Using Keep State with UDP  37
        3.5.6.3.1 Idle Timeout  37
      3.5.6.4 Using Keep State with ICMP  37
        3.5.6.4.1 Idle Timeout  37
        3.5.6.4.2 ICMP Error Status Messages  37
    3.5.7 State Aging  37
      3.5.7.1 Rule Examples  38
    3.5.8 keep frags: Handling IP Fragments  38
  3.6 Sending Responses for Blocked TCP and UDP Packets  39
    3.6.1 return-rst: Responding to Blocked TCP Packets  39
    3.6.2 return-icmp-as-dest: Responding to Blocked UDP Packets  39
  3.7 Improving Performance with Rule Groups  40
  3.8 Loading IPv4 Filter Rules  42
    3.8.1 Verifying IPv4 Filter Rules  42
    3.8.2 Removing IPFilter Rules  43
  3.9 Rule Tags  43
    3.9.1 Log Tags  43
    3.9.2 NAT Tags  43
4 Table of Contents