HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Firewall Building Concepts
Using Keep State
Chapter 4 67
To protect an SSH server using the keep state keyword, use the
following ruleset:
pass in quick on lan0 proto tcp from any to 20.20.20.1/32 port = 22 keep state
pass out quick on lan0 proto tcp from any to any keep state
block in quick all
block out quick all
With this ruleset, IPFilter enters the first packet of a connection in the
state table; all other processing works as expected. Once the state engine
has witnessed the three-way handshake, the entry is marked as being in 4/4
mode (fully established) and is set up for long-term data exchange until
the connection is torn down, at which point the mode changes again. You can
see the current modes of your state table using ipfstat. See “The ipfstat
Utility” on page 86 for more information.
NOTE The keep state keyword can create a state entry even from a packet that
arrives in the middle of an existing connection, not only from its first
packet. The only exception is when the flags S keyword is also specified in
the rule; in that case a state entry is created only when the SYN packet is
detected.
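The following Python model is an added illustration, not IPFilter's own code. It walks the SSH ruleset above and the NOTE's flags S exception: state is created from the first matching packet, the witnessed handshake is counted so an established entry reports the 4/4 mode the text names, and with flags S a mid-connection ACK is refused state and falls through to the block rule. The "pending" mode label, the "ip:port" packet form and the sample traffic are constructed for this model.

```python
from collections import namedtuple
from dataclasses import dataclass

# direction is "in"/"out"; src and dst are "ip:port"; flags are TCP flag letters ("S", "SA", "A")
Packet = namedtuple("Packet", "direction src dst flags")

@dataclass
class Rule:
    action: str            # "pass" or "block"; every rule here is treated as "quick"
    direction: str         # "in" or "out"
    dport: int = 0         # 0 matches any destination port
    keep_state: bool = False
    flags_s: bool = False  # models "flags S": the rule matches only a bare SYN

    def matches(self, p) -> bool:
        return (self.direction == p.direction and (not self.flags_s or p.flags == "S")
                and self.dport in (0, int(p.dst.split(":")[1])))

class StateEngine:
    HANDSHAKE = ("S", "SA", "A")  # the three-way handshake the state engine watches for
    def __init__(self, rules):
        self.rules = rules
        self.table = {}  # {src, dst} endpoint pair -> handshake steps witnessed (0..3)
    def mode(self, p) -> str:  # "4/4" is the established mode named in the text
        return "4/4" if self.table.get(frozenset((p.src, p.dst)), 0) >= 3 else "pending"
    def process(self, p) -> str:
        k = frozenset((p.src, p.dst))  # one entry serves both directions
        if k in self.table:  # an existing state entry bypasses the ruleset entirely
            if self.table[k] < 3 and p.flags == self.HANDSHAKE[self.table[k]]:
                self.table[k] += 1
            return "pass"
        for r in self.rules:  # first matching rule decides ("quick")
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    # without "flags S" a mid-connection packet also creates state
                    self.table[k] = 1 if p.flags == "S" else 3  # 3: treated as established
                return r.action
        return "pass"  # not reached with ssh_ruleset(), which ends in block rules

def ssh_ruleset(flags_s: bool):
    # the page's four-rule SSH ruleset; flags_s=True adds "flags S" to the first rule
    return [Rule("pass", "in", 22, keep_state=True, flags_s=flags_s),
            Rule("pass", "out", keep_state=True), Rule("block", "in"), Rule("block", "out")]

# Constructed traffic: a full SSH handshake, then a lone ACK whose SYN was never seen
CLIENT, SERVER = "10.0.0.5:40000", "20.20.20.1:22"
HANDSHAKE_PKTS = [Packet("in", CLIENT, SERVER, "S"), Packet("out", SERVER, CLIENT, "SA"),
                  Packet("in", CLIENT, SERVER, "A")]
MID_STREAM_ACK = Packet("in", "10.0.0.5:40001", SERVER, "A")
```

Run the handshake and then the lone ACK through `StateEngine(ssh_ruleset(False))` and `StateEngine(ssh_ruleset(True))` to see the two rulesets diverge only on the mid-connection packet.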