HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Firewall Building Concepts
Using the to Keyword to Capture Blocked Packets
You can use the to keyword on its own, independently of the from keyword. If you want to block a packet, you can use the to keyword to push the packet past the normal routing table and force it out on a different interface. For example:

    block in quick on lan0 to lan1 proto tcp from any to any port < 1024
This rule blocks incoming TCP packets on lan0 that are addressed to a port below 1024, but it also forces those packets out the lan1 interface, where a monitoring host attached to lan1 can capture and log them. If you log blocked packets this way, you can then analyze the blocked traffic for possible attacks on the system.
Use block quick for to interface routing. When to is combined with pass, the to interface code generates two packet paths through IPFilter.
NOTE If you are configuring rules to pass packets, but also want the packets to
go to another interface, use the dup-to keyword. See “dup-to: Drop-Safe
Logging” on page 38.
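The following is an added example, not taken from the HP-UX IPFilter guide, that puts the rules above side by side in a rules file and adds a small lint check for the caveat just given: a pass rule that routes with to (rather than dup-to) is flagged. The file path, the specific rules and the lint logic are illustrative assumptions; the rule syntax follows the page (to and dup-to sit directly after on ifname).

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPFilter guide.
# Writes a constructed IPFilter rules file and lints it for the guide's
# caveat: interface routing with 'to' belongs on 'block quick' rules; a
# 'pass' rule that needs a copy on another interface should use 'dup-to'.
# RULES is an assumed scratch path, not the real /etc/opt/ipf/ipf.conf.

RULES=${RULES:-/tmp/ipf-to-example.conf}

# Constructed rules file (illustrative, not from the guide).
write_rules() {
  cat > "$RULES" <<'EOF'
# Drop low-port TCP arriving on lan0, but push the dropped packet out lan1
# so a monitor attached to lan1 can capture it; 'log' also records it via ipmon.
block in log quick on lan0 to lan1 proto tcp from any to any port < 1024
# Pass HTTP on lan0 and send a copy to lan1 (drop-safe): use dup-to, not to.
pass in quick on lan0 dup-to lan1 proto tcp from any to any port = 80 flags S keep state
# Anti-pattern: 'pass' with 'to' creates two packet paths through IPFilter.
pass in quick on lan0 to lan1 proto udp from any to any port = 53
EOF
}

# Print every 'pass' rule that uses 'to <ifname>' as an interface-routing
# option, and return 1 if any is found.  The scan stops at the first
# keyword that begins the match part of the rule (proto, from, all, tos,
# ttl), so the 'to' in 'from any to any' is never mistaken for routing.
lint_to_rules() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "pass" {
      for (i = 2; i <= NF; i++) {
        if ($i == "proto" || $i == "from" || $i == "all" ||
            $i == "tos"   || $i == "ttl")
          break
        if ($i == "to") { print "line " NR ": " $0; bad = 1; break }
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Usage: write the constructed file, then lint it.
write_rules
if lint_to_rules "$RULES"; then
  echo "no pass rules use 'to' interface routing"
else
  echo "the pass rule(s) above should use dup-to instead of to" >&2
fi
```

Run the lint against your real rules file before loading it (on HP-UX the rules normally live in /etc/opt/ipf/ipf.conf and are loaded with ipf -f); a flagged line is one where dup-to, the drop-safe form, is the intended keyword.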