HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Rules and Keywords
IPFilter Keywords
The following rules also work for UDP and ICMP:
block in quick on lan0 all
pass out quick on lan0 proto tcp from 20.20.20.1/32 to any keep state
pass out quick on lan0 proto udp from 20.20.20.1/32 to any keep state
pass out quick on lan0 proto icmp from 20.20.20.1/32 to any keep state
flags: Tight Filtering Based on TCP Header Flags
You can use IPFilter to filter traffic by port number; you can additionally
filter traffic to or from a specific port based on the flags set in the TCP
header of the IP packet. Use the flags <option> keyword to filter traffic
by flags.
For example, to allow only packets with the SYN flag set through on
port 23, configure the following rules:
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state
pass out quick on lan0 proto tcp from any to any flags S keep state
block in quick all
block out quick all
Now only TCP packets destined for 20.20.20.1 at port 23 with only the SYN
flag set pass in and are entered into the state table; the remaining
packets of each session are then matched by the state table rather than by
the rule. A packet with a lone SYN flag appears only as the very first
packet of a TCP session (the opening of the three-way handshake). These
rules have at least two advantages:
  No arbitrary packets can come in and negatively impact the state table.
  FIN and XMAS scans will fail; they set flags other than the SYN flag.
Flags S equates to flags S/AUPRFS and matches against only the SYN
packet, out of all six possible flags.
Flags S/SA compares only the SYN and ACK bits, so it allows packets that
might or might not have the URG, PSH, FIN, or RST flags set. Some protocols
demand the URG or PSH flags on the initial packet. For these protocols,
S/SAFR is a better choice: it still ignores URG and PSH but additionally
requires FIN and RST to be clear, so a SYN/FIN probe is rejected.
It is more secure to use flags S when flags S/SA is not required.
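The following model of the flags <set>/<mask> comparison is an added
illustration; it is not part of the original guide or of the IPFilter code
base. It reproduces the rule stated above (a bare set such as S is compared
against all six flags, i.e. S/AUPRFS, while S/SA or S/SAFR compares only the
named bits) and runs a set of constructed sample packets through the three
keywords discussed, so you can see exactly which probes each one lets past
the rule. The packet names and flag combinations are constructed examples.

```python
"""Model of IPFilter 'flags <set>/<mask>' matching.

Added illustration, not IPFilter source. The comparison semantics follow
the guide's statement that 'flags S' equates to 'flags S/AUPRFS'.
"""

# Bit values of the six TCP header flags IPFilter can filter on.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "AUPRFS"


def parse_flags_keyword(spec):
    """Turn 'S', 'S/SA' or 'S/SAFR' into (set_bits, mask_bits).

    A set with no '/' is compared against all six flags, so 'S' is
    shorthand for 'S/AUPRFS'.
    """
    if "/" in spec:
        wanted, mask = spec.split("/", 1)
    else:
        wanted, mask = spec, ALL_FLAGS
    set_bits = sum(TCP_FLAGS[c] for c in wanted)
    mask_bits = sum(TCP_FLAGS[c] for c in mask)
    if set_bits & ~mask_bits:
        raise ValueError("flags in the set must also appear in the mask: %s" % spec)
    return set_bits, mask_bits


def flags_match(spec, packet_flags):
    """True if a packet whose TCP flags are packet_flags (e.g. 'SP')
    satisfies the rule's flags keyword: within the mask exactly the wanted
    bits are set; bits outside the mask are ignored."""
    set_bits, mask_bits = parse_flags_keyword(spec)
    pkt = sum(TCP_FLAGS[c] for c in packet_flags)
    return (pkt & mask_bits) == set_bits


# Constructed sample packets: description -> flags set in the TCP header.
SAMPLE_PACKETS = {
    "handshake SYN": "S",
    "SYN with PSH": "SP",
    "SYN with URG": "SU",
    "SYN/ACK reply": "SA",
    "established data": "AP",
    "FIN scan": "F",
    "XMAS scan": "FPU",
    "NULL scan": "",
    "SYN/FIN": "SF",
}


def matrix(specs=("S", "S/SA", "S/SAFR")):
    """Map each flags keyword to the sample packets it would pass."""
    return {
        spec: [name for name, f in SAMPLE_PACKETS.items() if flags_match(spec, f)]
        for spec in specs
    }


if __name__ == "__main__":
    for spec, passed in matrix().items():
        print("flags %-7s passes: %s" % (spec, ", ".join(passed)))
```

Running it shows flags S admitting only the bare handshake SYN, flags S/SA
admitting SYN packets carrying PSH or URG but also a SYN/FIN probe, and
flags S/SAFR admitting the PSH and URG variants while rejecting SYN/FIN.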