HP-UX IPFilter Version A.03.05.14 Administrator's Guide

HP-UX IPFilter Configuration Examples
example.sr
Appendix A 167
example.sr
# log all inbound packets on lan0 which has IP options present
# log in on lan0 from any to any with ipopts
#
# block any inbound packets on lan0 which are fragmented and
# "too short" to do any meaningful comparison on. This actually
# only applies to TCP packets which can be missing the
# flags/ports (depending on which part of the fragment you
# see).
#
block in log quick on lan0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag
#set and it had IP options present, this rule and the above
#would cause it to be logged twice).
#
log in on lan0 proto tcp from any to any flags S/SA
block and log any inbound ICMP unreachables
block in log on lan0 proto icmp from any to any icmp-type
unreach
block and log any inbound UDP packets on lan0 which are going
to port 2049 (the NFS port).
block in log on lan0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on lan0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any