HP-UX IPFilter Version A.03.05.14 Administrator's Guide
Rules and Keywords
IPFilter Keywords
Chapter 230
proto: Controlling Specific Protocols
IPFilter can filter traffic based on protocol, such as TCP or ICMP, using
the proto keyword.
For example, many Denial of Service (DoS) attacks are delivered as ICMP
packets that exploit flaws in the operating system's TCP/IP stack. To block
ICMP packets, add a rule with the proto keyword to your ruleset as follows:
block in log quick on lan0 proto icmp from any to any
In this example, any ICMP traffic coming in from lan0 will be logged and
discarded.
IPFilter also has a shorthand for rules that apply to both proto tcp and
proto udp, which is useful for services that listen on both, such as
portmap or NFS. The rule for portmap would be:
block in log quick on lan0 proto tcp/udp from any to 20.20.20.0/24 port = 111
opt and ipopts: Filtering on IP Options
IPFilter can filter packets based on IP options using the opt and ipopts
keywords. You can configure IPFilter rules to pass or block packets that
have a specific option set. For example:
block in quick all with opt lsrr, ssrr
NOTE If you configure IPFilter to filter on more than one option with the opt
keyword, use a comma and a space to delimit each option. See the
previous example for correct syntax.
You can also configure rules to pass or block packets that do not have a
specific option set. For example:
pass in from any to any with opt ssrr not opt lsrr
If you want to block or pass a packet that has any IP option set or no IP
options set, use the ipopts keyword. For example:
block in all with ipopts
For a complete list of IP options, see the IETF RFC at
http://www.faqs.org/rfcs/std/std2.html.
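As an added example (not from the HP-UX guide), the following Python script parses the rules quoted in this section into a small matcher and applies IPFilter's evaluation order to packets: the last matching rule decides unless a matching rule carries quick, and the log flag of the deciding rule says whether the packet is logged. It assumes packets are supplied as dicts with dir, iface, proto, src, dst, dport and ipopts (a set of option names), that port applies to the destination, and it handles only the keywords that appear on this page.

```python
import ipaddress

KEYWORDS = set("log quick on proto all from to port with opt notopt ipopts".split())

def parse_rule(text):  # handles only the ipf(5) rule subset this page uses
    tok = text.replace(",", " ").replace("not opt", "notopt").split()
    r = {"action": tok[0], "dir": tok[1], "log": False, "quick": False,
         "on": None, "proto": None, "from": "any", "to": "any", "port": None,
         "opts": set(), "not_opts": set(), "ipopts": False}
    tok = tok[2:]
    while tok:
        t = tok.pop(0)
        if t in ("log", "quick", "ipopts"):
            r[t] = True
        elif t in ("on", "from", "to"):
            r[t] = tok.pop(0)
        elif t == "proto":  # "tcp/udp" is the shorthand for both protocols
            r[t] = set(tok.pop(0).split("/"))
        elif t == "port":  # only "port = N" is handled; tok[0] is the "="
            r[t], tok = int(tok[1]), tok[2:]
        elif t in ("opt", "notopt"):  # "not opt x" lists options that must be absent
            key = "not_opts" if t == "notopt" else "opts"
            while tok and tok[0] not in KEYWORDS:
                r[key].add(tok.pop(0))
    return r

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):  # every clause present on the rule must hold for packet p
    return all([r["dir"] == p["dir"], r["on"] in (None, p["iface"]),
                r["proto"] is None or p["proto"] in r["proto"],
                in_net(r["from"], p["src"]), in_net(r["to"], p["dst"]),
                r["port"] in (None, p["dport"]), r["opts"] <= p["ipopts"],
                not r["not_opts"] & p["ipopts"], p["ipopts"] or not r["ipopts"]])

def evaluate(rules, p, default="pass"):  # last match wins, unless it is quick
    verdict, logged = default, False
    for r in rules:
        if matches(r, p):
            verdict, logged = r["action"], r["log"]
            if r["quick"]:
                break
    return verdict, logged

RULES = [parse_rule(s) for s in (  # the rules quoted on this page, in order
    "block in log quick on lan0 proto icmp from any to any",
    "block in log quick on lan0 proto tcp/udp from any to 20.20.20.0/24 port = 111",
    "block in quick all with opt lsrr, ssrr",
    "pass in from any to any with opt ssrr not opt lsrr")]
```

Against RULES, an inbound ICMP packet on lan0 evaluates to ("block", True), a UDP packet to 20.20.20.5 port 111 to ("block", True), and a TCP packet carrying only the ssrr option to ("pass", False) because the third rule requires both lsrr and ssrr.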