HP-UX IPFilter Version A.03.05.14 Administrator's Guide
Rules and Keywords
IPFilter Keywords
icmp-type: Filtering ICMP Traffic by Type
You can filter specific types of ICMP traffic using the icmp-type keyword.
This is a useful keyword if you want to block most ICMP traffic to
prevent DoS attacks, but must allow certain types of ICMP messages to
pass to your system.
For example, if you want to specifically allow ping messages (ICMP type 0,
echo reply) to pass on your system, configure the following rule:
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 0
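The following rule set is an added example, not taken from the HP guide, of the block-most-but-allow-some policy described above. It reuses lan0 and 20.20.20.0/24 from the rule above and takes its type and code numbers from the table in this section; the choice of which messages to allow is an assumed policy.

```conf
# Added example: assumed ICMP policy for lan0 (not from the HP guide).
# "quick" ends rule processing at the first matching rule, so the
# specific pass rules must come before the final block rule.

# Type 0, echo reply: answers to pings sent from the protected network.
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 0

# Type 3 (destination unreachable), code 4 "need fragmentation":
# path MTU discovery depends on receiving this message.
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 3 code 4

# Type 3, code 3 "port unreachable": tells a local UDP client promptly
# that the remote port is closed.
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 3 code 3

# All other ICMP arriving on lan0 is dropped.
block in quick on lan0 proto icmp from any to any
```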
You must know the type number for any ICMP message you want to
explicitly pass or block using the icmp-type keyword. The following is a
list of ICMP message type numbers used by HP-UX IPFilter.
TYPE  CODE  icmp-type  icmp-code   MEANING
0     0     echorep                ECHO REPLY (ping reply) [RFC792]
3           unreach                DESTINATION UNREACHABLE
      0                net-unr     network unreachable
      1                host-unr    host unreachable
      2                proto-unr   protocol unreachable
      3                port-unr    port unreachable [RFC792]
      4                needfrag    need fragmentation [RFC792]
      5                srcfail     source route failed [RFC792]
      6                net-unk     destination network unknown
      7                host-unk    destination host unknown
      8                isolate     source host isolated (ping) [RFC792]
      9                net-prohib  destination network administratively prohibited [RFC1256]