HPE Community
Operating System - HP-UX
1826452 Members
3955 Online
109692 Solutions
New Discussion

Re: Ipfilter + icmp

 
SOLVED
Go to solution
CowBoy
Regular Advisor

‎07-05-2008 08:07 PM

‎07-05-2008 08:07 PM

Ipfilter + icmp

Dear All
Hi
I have a problem with ipfileter.
when i block all icmp packets by:
"block in log proto icmp all" in ipf.conf
after 10 seconds i'll lose all the connection to the server and i dont know what cause this problem.
Thanks a lot
0 Kudos
Reply
6 REPLIES 6
Matti_Kurkela
Honored Contributor

‎07-06-2008 02:51 AM

‎07-06-2008 02:51 AM

Re: Ipfilter + icmp

If you're not in the same network segment as your server, it's probably the Dead Gateway Detection.

Blocking all ICMP will block the ping packets required for the Dead Gateway Detection, and HP-UX will assume your gateway has died and stops using it. Of course, this will seriously damage your server's network connectivity.

Blocking all ICMP will also break other things: it prevents you from using Path MTU Discovery (which is used automatically by all modern OSs), and it makes many network errors harder to diagnose as your ipfilter drops the ICMP packets that would tell your server what the error is.
http://en.wikipedia.org/wiki/PMTUD
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol


If you want to filter ICMP, I'd recommend the following filtering rules, in this order:

1.) Drop all oversize ICMP packets. Anything longer than about 200 octets(=bytes) measured at the IP protocol level is clearly excessive.

2.) Allow ICMP packets with ICMP type 3 (=Destination Unreachable): these give you helpful information in error situations and one sub-type of them is required for Path MTU Discovery.

3.) Allow ICMP packets with ICMP type 11 (=Time Exceeded), as they are helpful in identifying error situations (routing loops) and allow the ICMP-based mode of traceroute to bring information back to you.

4.) Allow ICMP packets with ICMP type 12 (=Parameter Problem) as they are helpful in identifying error situations.

5.) If the structure of your network requires redirects to work, accept them from valid routers only (i.e. your default gateway and other routers if your network has them)

6.) Allow ICMP type 8 and type 0 (echo-request and echo-reply, also known as ping packets) at least to your gateway(s), so you don't need to disable Dead Gateway Detection.

Blocking ping packets will make network troubleshooting more difficult, so you might want to allow all pings inside your own network to pass through.

http://coombs.anu.edu.au/~avalon/ipfilfaq.html#ques34

(If possible, I usually prefer rate-limiting the ping packets to a maximum of 10 pings per second instead of blocking them. However, I could not quickly find a way to do that using ipfilter.)

7.) Drop all other ICMP packets.

MK
MK
0 Kudos
Reply
CowBoy
Regular Advisor

‎07-06-2008 04:04 AM

‎07-06-2008 04:04 AM

Re: Ipfilter + icmp

Thanks Matti
But I dont know what should i do because i am loosing even ssh to my server.
I just block icmp type 0,8 but still the result is the same.
Do you have any idea about this problem.
PS:both servers are in the same segment.
ipfilter on rp3440(hp-ux 11.23)
client is windows
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎07-06-2008 02:55 PM

‎07-06-2008 02:55 PM

Re: Ipfilter + icmp

Make sure you have all your HP-UX servers connected to a separate maintenance subnet for the GSP/MP ports. This will allow you to still reach the server(s) through the console port when experimenting with ipfilter. There are many other reasons that you want a separate maintenance subnet.


Bill Hassell, sysadmin
0 Kudos
Reply
CowBoy
Regular Advisor

‎07-06-2008 08:17 PM

‎07-06-2008 08:17 PM

Re: Ipfilter + icmp

hi
I can reach the server by console port but my problem is that i dont know why i lost ssh connection when icmp was blocked.
thanks
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎07-08-2008 12:15 AM

‎07-08-2008 12:15 AM

Solution

Re: Ipfilter + icmp

Are you blocking anything other than ICMP?

The delay of 10 seconds might be enough for a MAC address cache to time out. If your server is blocked from using ARP, any TCP/IP communication will fail.

Configure your ipfilter to log all the packets it is blocking, then test it. Some of those blocked packets are obviously important. If you can, post the log here. Post the ipf.conf you're using, too.

Talk with whoever takes care of your network router(s), firewall(s) and/or switch(es). If your network has some special requirements, the network admin should know about them.

If not, you'll have to find out what is happening in between your server and your ssh client - and you may not be able to get this information without the network admin's help.

MK
MK
Reply
CowBoy
Regular Advisor

‎07-08-2008 12:41 AM

‎07-08-2008 12:41 AM

Re: Ipfilter + icmp

hi
This is the ipf.conf:
block in log quick on lan2 proto icmp from any to any
block in log quick on lan2 proto tcp from any to any port = 23

When I add lan900(using HO-APA) the connction to the server will be lost
block in log quick on lan900 proto icmp from any to any
thanks
PS:I have two lan interface
lan2:172.17.1.30
lan900(Port:0,1):192.168.41.30
in syslog file when i recieve echo request/reply from lan900 i will lose everything till stopping ipf
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.