Installing and Administering PPP

120 Chapter 5
Security Techniques
Closed Policy Filter Example
Do not allow any incoming packets with the Source Route option set in
the IP header. Respond with an ICMP Destination Unreachable
message with the Source Route Failed code value.
!192.168.199.0/recv/src/unreach=net # Block IP spoofing attacks
!192.168.199.0/send/dst/unreach=net # Block IP spoofing attacks
Block any incoming packets that claim to be from your net, and block any
outgoing packets that claim to be destined for your net. Respond with an
ICMP Destination Unreachable message with the Bad Net code value.
!127.0.0.0;8 # Block IP spoofing attacks
Silently block all packets that claim to be either to or from the loopback
network.
dstport=nntp/dstaddr=192.168.199.10/srcaddr=10.0.5.6
dstport=nntp/srcaddr=192.168.199.10/dstaddr=10.0.5.6
dstport=nntp/dstaddr=192.168.199.10/srcaddr=172.31.12.13
dstport=nntp/srcaddr=192.168.199.10/dstaddr=172.31.12.13
!nntp/unreach=rst
Allow Network News (Usenet) exchanges with only your known news
neighbors (10.0.5.6 and 172.31.12.13) and your news server
(192.168.199.10). Block any other NNTP traffic, and respond with a TCP
RST message.
domain/tcp/192.168.199.11/dst/syn/recv # (53/tcp)
!domain/tcp/syn/recv
domain/tcp/192.168.199.11
Allow outside hosts to obtain Domain Name Service zone transfers only
if your end of the stream is really being handled by your domain name
server. In this example, you first permit inbound requests to the domain
name server, then block all other inbound requests, and finally allow any
TCP packets to pass over the link if they are to or from the host
192.168.199.11 and to or from the domain port. The sender will not be
notified that the packets are being dropped.
dstport=domain/udp/192.168.199.11 # permit domain queries (53/udp)
!domain # block domain (53/tcp, 53/udp)
Allow Domain Name Service (DNS) queries to and from the DNS server.
Block all other domain requests. This second rule is not strictly
necessary, since the final rule is '!all'; however, adding it makes the
policy failsafe.
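As an added example (not from this manual and not the PPP daemon's own code), the following Python evaluator covers the subset of the filter notation used on this page and runs it over constructed packets, showing that the first matching rule decides, that unmatched packets fall through to the implicit '!all', and which blocked packets are answered (unreach=net, unreach=rst) rather than silently dropped. The port-name table, the mask inferred for a bare address, and the reading that an unqualified address or port matches either end unless qualified by src or dst are assumptions of this example, not documented daemon behavior.

```python
import ipaddress
PORTS = {"nntp": 119, "domain": 53, "smtp": 25}   # port names used on this page (constructed table)

def to_net(tok):
    # 'addr;bits' carries its own mask. Assumption of this example only: a bare
    # address ending in .0 is treated as a /24, any other bare address as one host.
    addr, _, bits = tok.partition(";")
    return ipaddress.ip_network(f"{addr}/{bits or ('24' if addr.endswith('.0') else '32')}", strict=False)

def parse_rule(text):
    """Parse one '/'-separated rule: a leading '!' blocks, '# ...' is a comment."""
    body = text.split("#")[0].strip()
    r = {"block": body.startswith("!"), "nets": [], "ports": [], "unreach": None}
    for tok in body.lstrip("!").split("/"):
        if tok in ("recv", "send", "tcp", "udp", "syn", "src", "dst", "all"):
            r[tok] = True
        elif tok.startswith("unreach="):
            r["unreach"] = tok[8:]
        elif "=" in tok:                          # srcaddr= / dstaddr= / srcport= / dstport=
            k, v = tok.split("=", 1)
            r[k] = to_net(v) if k.endswith("addr") else PORTS.get(v, v)
        elif tok in PORTS:
            r["ports"].append(PORTS[tok])
        else:
            r["nets"].append(to_net(tok))
    return r

def matches(r, p):
    """p: packet dict with keys direction, proto, src, dst, srcport, dstport, syn."""
    sides = ("src",) if r.get("src") else ("dst",) if r.get("dst") else ("src", "dst")
    ip = lambda s: ipaddress.ip_address(p[s])
    if any(r.get(f) and p["direction"] != f for f in ("recv", "send")): return False
    if any(r.get(f) and p["proto"] != f for f in ("tcp", "udp")): return False
    if r.get("syn") and not p["syn"]: return False
    if any(not any(ip(s) in n for s in sides) for n in r["nets"]): return False  # bare address
    if any(not any(p[s + "port"] == n for s in sides) for n in r["ports"]): return False  # bare port
    if any(k in r and ip(k[:3]) not in r[k] for k in ("srcaddr", "dstaddr")): return False
    return not any(k in r and p[k] != r[k] for k in ("srcport", "dstport"))

def decide(rules, p):
    """Closed policy: first matching rule wins; anything unmatched hits the implicit '!all'."""
    for r in map(parse_rule, rules):
        if matches(r, p):
            return ("drop", r["unreach"]) if r["block"] else ("pass", None)
    return ("drop", None)

# Spoofing, loopback, NNTP and TCP domain rules from this page, in the order given (one NNTP neighbor kept).
RULES = ["!192.168.199.0/recv/src/unreach=net", "!192.168.199.0/send/dst/unreach=net", "!127.0.0.0;8",
         "dstport=nntp/dstaddr=192.168.199.10/srcaddr=10.0.5.6", "!nntp/unreach=rst",
         "domain/tcp/192.168.199.11/dst/syn/recv", "!domain/tcp/syn/recv", "domain/tcp/192.168.199.11"]
```

Calling decide(RULES, packet) on a constructed packet dict returns the action and, for an answered block, the unreach code; a TCP SYN to port 53 on any host other than 192.168.199.11 returns ("drop", None), the silent drop the text describes.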
smtp/192.168.199.14/dst/syn/recv # (25/tcp)
!smtp/syn/recv
smtp