HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Firewall Building Concepts
Using Keep State with ICMP
The majority of ICMP messages are status messages generated by a
failure in UDP or TCP. For any ICMP error status message that matches
an active state table entry that might have generated that message,
IPFilter passes the ICMP packet. For example:
pass out on lan0 proto udp from any to any port 33434><33690 keep state
Even though an error status message for the UDP session (such as icmp-type 3 code 3,
port unreachable, or icmp-type 11, time exceeded) is an ICMP packet rather than a UDP
packet, the keep state rule passes the error message.
The two types of ICMP messages are requests and replies. You can
configure a rule to pass outbound echo requests such as ping. IPFilter
passes in the subsequent icmp-type 0 packet that returns. For example:
pass out on lan0 proto icmp from any to any icmp-type 8 keep state
This state entry uses the default timeout for an incomplete (0/0) state, which is 60
seconds.
NOTE If you configure rules to keep state on any outbound ICMP messages that
might receive a reply ICMP message, you must use both the proto icmp
and the keep state keywords.
To protect against a third party sneaking ICMP messages through your firewall while an
active connection is known to be in your state table, check the incoming ICMP packet
not only for matching source and destination addresses (and ports, when applicable),
but also for the small part of its payload that quotes the packet the ICMP message
claims to have been generated by.
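As an added illustration (not from the HP-UX guide or the IPFilter code base), the following Python sketches that check: it parses an inbound ICMP error, pulls the quoted IP/UDP header out of the ICMP payload, and passes the packet only if that header maps to an entry in a constructed state table. The state entry, addresses and port numbers are sample values.

```python
import struct
from ipaddress import IPv4Address

# Constructed state entry for an outbound traceroute-style UDP probe that a rule
# such as "pass out ... proto udp ... port 33434><33690 keep state" would keep:
# (src, sport, dst, dport, proto).
STATE = {("10.0.0.5", 40000, "192.0.2.1", 33435, 17)}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left zero; sample data, not a wire-accurate packet)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_icmp_message(router, host, icmp_type, code, orig_src, orig_dst, sport, dport):
    """Construct an ICMP message from router to host that quotes the original UDP probe."""
    quoted = ipv4_header(orig_src, orig_dst, 17, 8) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted  # 8-byte ICMP header + quote
    return ipv4_header(router, host, 1, len(icmp)) + icmp

def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for the IPv4 header at the start of buf."""
    ihl = (buf[0] & 0x0F) * 4
    return (str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[9], buf[ihl:])

def icmp_error_matches_state(packet, state):
    """Pass an inbound ICMP error only if the datagram it quotes (the start of the
    ICMP payload) belongs to a live UDP state entry and was originally sent by us."""
    _, dst, proto, icmp = parse_ipv4(packet)
    if proto != 1 or len(icmp) < 8 + 20 + 8:     # ICMP hdr + quoted IP hdr + 8 bytes of L4
        return False
    if icmp[0] not in (3, 11):                    # destination unreachable / time exceeded
        return False
    qsrc, qdst, qproto, l4 = parse_ipv4(icmp[8:])  # the quoted original header
    if qproto != 17 or len(l4) < 8 or qsrc != dst:
        return False                              # not UDP, truncated, or not our datagram
    sport, dport = struct.unpack("!HH", l4[:4])
    return (qsrc, sport, qdst, dport, qproto) in state

if __name__ == "__main__":
    ok = build_icmp_message("192.0.2.1", "10.0.0.5", 3, 3, "10.0.0.5", "192.0.2.1", 40000, 33435)
    forged = build_icmp_message("192.0.2.1", "10.0.0.5", 3, 3, "10.0.0.5", "192.0.2.1", 40000, 9999)
    print(icmp_error_matches_state(ok, STATE), icmp_error_matches_state(forged, STATE))
```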