HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Rules and Keywords
IPFilter Keywords
Chapter 2 37
return-rst: Responding to Blocked TCP Packets
When you use the block keyword as described in “pass and block: Controlling IP Traffic” on page 26, the blocked packet is silently dropped and no response is sent to the remote system that sent it. This can be a security risk, because the silence itself can tell an attacker that a packet filter is running on the system: a closed port on an unfiltered host answers, whereas a filtered port does not.
When a service is not listening on a UNIX system, the kernel normally notifies the remote host with a return packet. For TCP this is a Reset (RST) segment. To have IPFilter return an RST packet to the sender of a blocked TCP packet, use the return-rst keyword. For example:
block return-rst in quick on lan0 proto tcp from HostA to any port = 23
pass out quick on lan0 proto tcp from any port = 23 to any flags R/RSFUP
The first rule blocks telnet connections from HostA and generates a TCP RST packet in reply. The second rule is necessary to let the generated RST (source port 23, with only the R flag set among R, S, F, U and P, which is what flags R/RSFUP selects) out of lan0; without it an outbound block rule would discard the RST and the remote side would see nothing. Note that return-rst only works with TCP: on a block rule for UDP or ICMP it has no effect and the packet is simply dropped, so those protocols need their own block rules. With return-rst in place, the remote side receives a Connection Refused error instead of waiting for a Connection Timed Out.
return-icmp: Responding to Blocked Packets with an ICMP Error
You can configure IPFilter to send an ICMP error message when a blocked packet is sent to a UDP port on your system, which is what the kernel itself does when nothing is listening on that port. For example:
block return-icmp(port-unr) in log quick on lan0 proto udp from any to 20.20.20.0/24 port
The port-unreachable (port-unr) message is the default for return-icmp, and it is the response an unfiltered host gives for a closed UDP port. HP recommends that you use this message when configuring most return-icmp rules.
When a rule with return-icmp matches, IPFilter sends the ICMP error with the firewall's own IP address as its source, not the address the blocked packet was sent to. This reveals that a filtering host sits in front of the destination. Use the return-icmp-as-dest keyword instead to have the ICMP error carry the original destination address as its source, as a host that received the packet directly would. The format is:
block return-icmp-as-dest(port-unr) in log on lan0 proto udp from any to 20.20.20.0/24 port = 111
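To make the keyword semantics concrete for both the return-rst example and the return-icmp / return-icmp-as-dest rules above, here is a small added model written in Python. It is not part of the HP-UX guide or of IPFilter itself: it parses only the rule syntax used in this section and reports what the remote sender would observe. The firewall address 20.20.20.1, the HostA address 10.0.0.5, the port numbers 514 and 40000 and the two explicit default-deny rules are constructed for the example; last-match-wins with quick, TCP-only return-rst, the need for the generated RST to pass the outbound rules, and the ICMP source-address behaviour are modelled as this section describes them.

```python
"""Model of IPFilter block / return-rst / return-icmp semantics (added example).

Not HP-UX IPFilter code: parses the subset of ipf rule syntax used in this
section and reports what the remote sender observes for a constructed packet.
Assumptions modelled: last matching rule wins unless an earlier match is
'quick'; no match means pass; return-rst is honoured only for TCP and the RST
must itself pass the outbound rules; return-icmp sources the ICMP error from
FIREWALL_ADDR, return-icmp-as-dest from the blocked packet's destination.
"""
import ipaddress
import re

FIREWALL_ADDR = "20.20.20.1"   # constructed: lan0 address of the filtering host
HOSTS = {"HostA": "10.0.0.5"}  # constructed: resolves the HostA name used above

RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+(?P<ret>return-rst|return-icmp(?:-as-dest)?\((?P<code>[\w-]+)\)))?"
    r"\s+(?P<dir>in|out)(?P<opts>(?:\s+(?:log|quick))*)"
    r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\w+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?"
    r"(?:\s+flags\s+(?P<flags>[A-Z]+)/(?P<mask>[A-Z]+))?\s*$"
)


def parse_rule(text):
    """Parse one ipf rule line (subset above) into a dict; reject anything else."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = m.groupdict()
    opts = rule["opts"].split()
    rule["quick"], rule["log"] = "quick" in opts, "log" in opts
    return rule


def addr_matches(spec, addr):
    if spec == "any":
        return True
    spec = HOSTS.get(spec, spec)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule["dir"] != pkt["dir"] or rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    for key in ("sport", "dport"):
        if rule[key] and int(rule[key]) != pkt.get(key):
            return False
    if rule["flags"]:  # flags SET/MASK: the bits in MASK must equal SET, others are ignored
        if pkt["proto"] != "tcp" or pkt.get("flags", set()) & set(rule["mask"]) != set(rule["flags"]):
            return False
    return True


def evaluate(rules, pkt):
    """Winning rule for a packet: last match wins unless an earlier match is quick."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break
    return winner


def remote_view(rules, pkt):
    """What the sender observes: 'accepted', 'silence', 'tcp-rst' or an ICMP error."""
    rule = evaluate(rules, pkt)
    if rule is None or rule["action"] == "pass":
        return "accepted"
    ret = rule["ret"] or ""
    if ret == "return-rst":
        if pkt["proto"] != "tcp":
            return "silence"  # return-rst is TCP-only; other protocols are just dropped
        # The generated RST (R and A set) must get past the outbound rules itself,
        # which is why the 'pass out ... flags R/RSFUP' rule is needed.
        rst = {"dir": "out", "iface": pkt["iface"], "proto": "tcp", "src": pkt["dst"],
               "dst": pkt["src"], "sport": pkt["dport"], "dport": pkt["sport"], "flags": {"R", "A"}}
        out = evaluate(rules, rst)
        return "silence" if out is not None and out["action"] == "block" else "tcp-rst"
    if ret.startswith("return-icmp"):
        src = pkt["dst"] if ret.startswith("return-icmp-as-dest") else FIREWALL_ADDR
        return "icmp-%s from %s" % (rule["code"], src)
    return "silence"


def probe(proto, src, dst, dport, flags=None):
    """Constructed inbound packet arriving on lan0 from a remote host."""
    return {"dir": "in", "iface": "lan0", "proto": proto, "src": src, "dst": dst,
            "sport": 40000, "dport": dport, "flags": flags or set()}


# Constructed ruleset: the two rules of the return-rst example, both return-icmp
# forms, and explicit outbound and inbound default denies.
RULES = [parse_rule(r) for r in [
    "pass out quick on lan0 proto tcp from any port = 23 to any flags R/RSFUP",
    "block out quick on lan0 from any to any",
    "block return-rst in quick on lan0 proto tcp from HostA to any port = 23",
    "block return-icmp(port-unr) in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 111",
    "block return-icmp-as-dest(port-unr) in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 514",
    "block in quick on lan0 from any to any",
]]

if __name__ == "__main__":
    for p in (probe("tcp", "10.0.0.5", "20.20.20.1", 23, {"S"}), probe("tcp", "10.0.0.9", "20.20.20.1", 23, {"S"}),
              probe("udp", "10.0.0.5", "20.20.20.7", 111), probe("udp", "10.0.0.5", "20.20.20.7", 514)):
        print(p["proto"], p["src"], "->", p["dst"], p["dport"], ":", remote_view(RULES, p))
```

Run directly, it prints what each constructed probe sees. Evaluating with RULES[1:] (the pass-out rule removed) turns the telnet probe from HostA into silence, which is the point of the second rule in the return-rst example; a return-rst rule written for proto udp also yields silence. The model does not filter the generated ICMP error on output and ignores TCP flags on rules that have no flags clause.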