HP-UX IPFilter Version 17 Administrator's Guide
6.2 NAT Keywords
IPFilter supports the following keywords for NAT (Network Address Translation) functionality:
• map and mapblock
The map and mapblock keywords rewrite or translate source addresses and port numbers
for outbound packets.
• rdr
The rdr keyword redirects and translates destination addresses and port numbers for
inbound packets.
• bimap
The bimap keyword translates addresses and port numbers for inbound and outbound
packets.
• age
The age option is supported for IPFilter rules on ICMP, UDP and TCP. For NAT rules, age is
supported only for TCP. NAT also provides the frnat_tcptimewait tunable to set the system-level
timeout.
NOTE: This is available only on HP-UX 11i v3.
NOTE: The maximum number of concurrent NAT connections IPFilter supports is 16,383.
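As an added illustration that is not taken from this guide, the following NAT configuration fragment shows the map, rdr and bimap keywords described above on lan0. The addresses, networks and port numbers are constructed, and the rule syntax follows the IPFilter ipnat configuration file format as understood by the editor; check it against the ipnat configuration manual page on your system before use.

```conf
# Constructed example: lan0 is the external interface, 10.1.0.0/16 the
# internal network, 203.0.113.0/24 the public range (all addresses made up).

# map: rewrite the source address of outbound traffic from the internal
# network to the address of lan0 (0/32), remapping TCP/UDP source ports
# into 40000-60000 so return traffic can be matched to the right host.
# The second map line catches other protocols (for example ICMP).
map lan0 10.1.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map lan0 10.1.0.0/16 -> 0/32

# rdr: translate the destination of inbound TCP port 80 on the public
# address 203.0.113.10 to the internal web server on port 8080. Only this
# one port is exposed; nothing else reaches 10.1.0.5 from outside.
rdr lan0 203.0.113.10/32 port 80 -> 10.1.0.5 port 8080 tcp

# bimap: static one-to-one translation in both directions for a single
# host. Every port on 203.0.113.20 maps to 10.1.0.20, so restrict what is
# allowed with pass rules in the filter configuration; the NAT rule
# itself does no filtering.
bimap lan0 10.1.0.20/32 -> 203.0.113.20/32
```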
6.2.1 Rule Examples
To pass outbound ICMP echo requests and keep a state entry for 30 seconds, until the ICMP
reply is received:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state age 30
To keep a UDP state entry for 40 seconds, until the UDP reply is received:
pass out on lan0 proto udp from any to any port 33434><33690 keep state age 40
To keep a TCP state entry for 60 seconds after the connection has been closed:
IMPORTANT: Use age in a TCP rule only when mitigating a DoS-type attack (an ACK flood, and so forth),
because it modifies the timeout of the TIME_WAIT state in the TCP state table, which can cause
duplicate Initial Sequence Numbers (ISNs).
pass out on lan0 proto tcp from any to any port 33434><33690 keep state age 60