Installing and Administering HP-UX IPFilter > Chapter 3 Advanced Firewalling

Responding to a Blocked Packet

In the previous examples, blocked packets have been dumped on the floor, logged or not, and no reply has been sent back to the originating host. Sometimes this isn't the best response, because a silent drop tells the attacker that a packet filter is present. An improvement would be to misguide the attacker into believing that, while there's no packet filter running, there are also no services to break in to. This is where more refined blocking becomes useful.

When a service isn't running on a UNIX system, it normally notifies the remote host with a return packet. In TCP, this is done with an RST (Reset) packet. When blocking a TCP packet, IPFilter returns an RST packet to the origin when the return-rst keyword is used.

For example:

block return-rst in log on lan0 from any to 20.20.20.0/24 proto tcp port = 23
block in log quick on lan0
pass in all

This example needs two block statements because return-rst only works with TCP; the second statement still blocks UDP and ICMP. With return-rst in place, the remote side receives a "connection refused" message instead of a "connection timed out" message.

It is also possible to send an error message when a packet is sent to a UDP port on your system. In previous examples you might have observed:

block in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 111

You could instead use the return-icmp keyword to send a reply:

block return-icmp(port-unr) in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 111

According to TCP/IP Illustrated, port-unreachable is the correct ICMP type to return when no service is listening on the port in question. You can use any ICMP type, but port-unreachable is probably the best. It's also the default ICMP type for return-icmp.

When using return-icmp, you'll notice that the ICMP packet is returned with the IP address of the firewall as its source, not the original destination of the blocked packet. Use the return-icmp-as-dest keyword if you want the ICMP reply to carry the original destination address instead. The format is:

block return-icmp-as-dest(port-unr) in log on lan0 proto udp from any to 20.20.20.0/24 port = 111
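To make the three reply modes concrete, here is an added Python model (not part of the HP documentation or of IPFilter itself) that parses the rules above and works out which reply, if any, a blocked packet triggers and which source address that reply carries. It assumes a constructed firewall address of 20.20.20.1, reduces rule matching to protocol and destination port (interface and address matching are deliberately left out), and also flags return-rst on a non-TCP rule, which ipf will not honour.

```python
import re

FIREWALL_ADDR = "20.20.20.1"  # assumed address of the filter host's lan0 (constructed)

def parse_rule(line):
    """Pull the fields that decide a reply out of one ipf rule (addresses ignored)."""
    toks = line.split()
    rule = {"action": toks[0], "reply": None, "icmp_type": "port-unr",
            "proto": None, "port": None}
    if toks[1].startswith("return-"):
        m = re.fullmatch(r"return-(rst|icmp-as-dest|icmp)(?:\((\S+)\))?", toks[1])
        if m is None:
            raise ValueError("unknown return option: " + toks[1])
        rule["reply"] = m.group(1)
        if m.group(2):                    # explicit ICMP type, e.g. return-icmp(port-unr)
            rule["icmp_type"] = m.group(2)
    for i, tok in enumerate(toks):
        if tok == "proto":
            rule["proto"] = toks[i + 1]
        elif tok == "port":               # rules on this page use the form 'port = N'
            rule["port"] = int(toks[i + 2])
    return rule

def check_rule(rule):
    """Flag combinations ipf will not honour; return-rst only works on TCP."""
    problems = []
    if rule["reply"] == "rst" and rule["proto"] != "tcp":
        problems.append("return-rst needs 'proto tcp'")
    if rule["reply"] and rule["action"] != "block":
        problems.append("return-* only applies to block rules")
    return problems

def reply_to(rule, pkt):
    """pkt = (src, dst, proto, dport). Returns (reply kind, source address of the
    reply) for a packet this rule blocks, ('drop', None) for a silent block,
    or None when the rule does not match or is not a block rule."""
    _src, dst, proto, dport = pkt
    if rule["action"] != "block":
        return None
    if rule["proto"] and rule["proto"] != proto:
        return None
    if rule["port"] and rule["port"] != dport:
        return None
    if rule["reply"] is None:
        return ("drop", None)             # sender eventually sees 'connection timed out'
    if rule["reply"] == "rst":
        return ("tcp-rst", dst)           # RST carries the probed address; client sees 'connection refused'
    if rule["reply"] == "icmp":
        return ("icmp-" + rule["icmp_type"], FIREWALL_ADDR)  # reply comes from the firewall itself
    return ("icmp-" + rule["icmp_type"], dst)  # icmp-as-dest: reply appears to come from the probed host
```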
© 2002 Hewlett-Packard Development Company, L.P.