Installing and Administering PPP

104 Chapter 5
Security Techniques
Building a Stanza - Specifics
all Keyword
The special keyword ‘all’ matches any packet. It typically appears at the
end of a filter to either permit or block all unspecified packets. The
software implicitly adds ‘!all’ at the end of a stanza list if the last
stanza is not negated, and ‘all’ if the last stanza is negated. While not
strictly necessary, it is a good idea to state your preference explicitly.
Time-Based Keywords
You may add time-based restrictions to your packet filter, limiting the
types of traffic passing through the packet filter during the workday, or
enabling additional access after business hours or on weekends.
Two keywords define time-based rules. They are the ‘weekday’ and
‘daytime’ keywords.
The syntax for using the keyword ‘weekday’ in a qualifier is
‘weekday=when’, where ‘when’ is a string indicating the days the rule
should be applied. The ‘when’ portion may be a list containing any of
‘Su’, ‘Mo’, ‘Tu’, ‘We’, ‘Th’, ‘Fr’ or ‘Sa’.
Example:
ftp/syn/send/weekday=MoTuWeThFr
# prevents any weekday outbound ftp connection requests
The syntax for the keyword ‘daytime’ qualifier is ‘daytime=time’, where
‘time’ is a string that indicates the hours of a day the rule should be
applied. You may indicate hours in a range (for example,
‘daytime=0800-1800’).
Example:
ftp/syn/send/weekday=MoTuWeThFr/daytime=0800-1800
# prevents weekday outbound ftp connection requests
# between 8am and 6pm.
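As an added illustration (not code from the manual or the PPP software), here is a small Python evaluator for stanzas written in the syntax above, covering the ‘weekday=’ and ‘daytime=’ qualifiers and the implicit terminal ‘all’/‘!all’ stanza described under the all keyword. It assumes a packet is represented as a dict with service, syn, direction and time fields, that the first matching stanza decides, and that a negated stanza blocks while a non-negated one passes; the packet() helper and all sample values are constructed for this example.

```python
from datetime import datetime

# Added example, not from the manual: evaluates filter stanzas such as
# "!ftp/syn/send/weekday=MoTuWeThFr/daytime=0800-1800" against a packet.
# Assumed semantics: first matching stanza wins; negated blocks, non-negated passes.

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]   # datetime.weekday(): Monday == 0

def qualifier_matches(qual, pkt):
    """True if one '/'-separated qualifier applies to the packet."""
    if qual == "all":
        return True
    if qual == "syn":
        return pkt["syn"]                      # TCP connection request
    if qual in ("send", "recv"):
        return pkt["direction"] == qual
    if qual.startswith("weekday="):
        days = qual[len("weekday="):]          # run of two-letter day names
        return DAYS[pkt["time"].weekday()] in [days[i:i + 2] for i in range(0, len(days), 2)]
    if qual.startswith("daytime="):
        start, end = qual[len("daytime="):].split("-")
        hhmm = pkt["time"].strftime("%H%M")
        return start <= hhmm <= end            # inclusive HHMM range, compared as strings
    return pkt["service"] == qual              # anything else is a service name

def stanza_matches(stanza, pkt):
    """Return (negated, matched) for one stanza, e.g. '!ftp/syn/send'."""
    negated = stanza.startswith("!")
    body = stanza[1:] if negated else stanza
    return negated, all(qualifier_matches(q, pkt) for q in body.split("/"))

def with_implicit_terminal(stanzas):
    """Append the terminal stanza the software adds implicitly (non-empty list assumed)."""
    return stanzas + (["all"] if stanzas[-1].startswith("!") else ["!all"])

def packet(service, syn, direction, when):
    """Constructed sample packet; 'when' is an ISO 8601 timestamp string."""
    return {"service": service, "syn": syn, "direction": direction,
            "time": datetime.fromisoformat(when)}

def evaluate(stanzas, pkt):
    """Return 'pass' or 'block' for the packet; the terminal stanza always matches."""
    for stanza in with_implicit_terminal(stanzas):
        negated, hit = stanza_matches(stanza, pkt)
        if hit:
            return "block" if negated else "pass"
```

Because the last stanza in the sample list is negated, the evaluator appends the implicit ‘all’, so anything the stanza does not catch (weekends, after hours, inbound traffic, non-SYN packets) is passed.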
Unreach Keyword and Sending ICMP Messages
Besides specifying whether a matching packet is passed or blocked,
keywords also let you specify additional actions to take with any packet
that matches the template. For example, you can silently drop the packet
and/or send an ICMP message to notify the sender of the action.