HP 6125G HP Networking guide to hardening Comware-based devices - Page 25
#
undo ip redirects
#

For more information on the undo ip redirects command, see "IP Performance Optimization" in the Layer-3 IP Services Configuration Guide.

Disable or limit IP Directed broadcasts

IP Directed Broadcasts make it possible to send an IP broadcast packet to a remote IP subnet. Once it reaches the remote network, the forwarding IP device sends the packet as a Layer 2 broadcast to all stations on the subnet. This directed broadcast functionality has been leveraged as an amplification and reflection aid in several attacks, including the Smurf attack.

Current versions of HP Comware products have this functionality disabled by default; however, it can be enabled via the ip forward-broadcast command. If a network absolutely requires directed broadcast functionality, its use should be controlled. This is possible using an access control list as an option to the ip forward-broadcast command.

The following configuration example limits directed broadcasts to those UDP packets originating at a trusted network, 192.168.1.0/24:

#
acl number 3001
 rule 0 permit udp source 192.168.1.0 0.0.0.255
#
interface Ethernet 0/1/0
 ip forward-broadcast acl 3001
#

For more information about the ip forward-broadcast command, see "IP Performance Optimization Configuration" in the Layer-3 IP Services Configuration Guide.

Filtering transit traffic with Transit ACLs

ICMP packet filtering

The Internet Control Message Protocol (ICMP) was designed as a control protocol for IP. As a result, the messages it conveys can have far-reaching ramifications on TCP and IP in general. ICMP is used by the network troubleshooting tools ping and traceroute, as well as by Path MTU Discovery; however, external ICMP connectivity is rarely needed for the proper operation of a network. HP Comware software provides functionality to specifically filter ICMP messages by name or by type and code.

The following example ACL allows ICMP from trusted networks while blocking all ICMP packets from other sources:

#
acl number 3000 name ACL-TRANSIT-IN
#
# Permit ICMP packets from trusted networks only
#
 rule permit icmp source
#
# Deny all other ICMP traffic.
#
 rule deny icmp
#
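As an added example (not part of the HP guide), a small Python audit that applies the directed-broadcast recommendation above to an exported Comware configuration: it flags every interface where ip forward-broadcast is enabled without the acl option, and every interface that references an ACL the configuration never defines. The sample configuration, interface names and ACL 3002 are constructed for the demonstration.

```python
"""Audit a Comware configuration for unrestricted IP directed broadcasts."""
import re

# Constructed sample configuration (not from the HP guide). Ethernet 0/1/0
# follows the guide's recommendation; the other two interfaces do not.
SAMPLE_CONFIG = """\
#
acl number 3001
 rule 0 permit udp source 192.168.1.0 0.0.0.255
#
interface Ethernet 0/1/0
 ip forward-broadcast acl 3001
#
interface Ethernet 0/1/1
 ip forward-broadcast
#
interface Ethernet 0/1/2
 ip forward-broadcast acl 3002
#
"""


def parse_sections(config):
    """Split a Comware configuration into blocks; lines holding only '#' delimit blocks."""
    sections, current = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line.rstrip())
    if current:
        sections.append(current)
    return sections


def audit_forward_broadcast(config):
    """Return (interface, finding) pairs for risky ip forward-broadcast settings."""
    sections = parse_sections(config)
    # Collect the numbers of all ACLs the configuration actually defines.
    defined_acls = set()
    for sec in sections:
        m = re.match(r"acl number (\d+)", sec[0])
        if m:
            defined_acls.add(m.group(1))
    findings = []
    for sec in sections:
        if not sec[0].startswith("interface "):
            continue
        ifname = sec[0].split(None, 1)[1]
        for line in sec[1:]:
            m = re.match(r"ip forward-broadcast(?: acl (\d+))?$", line.strip())
            if m and m.group(1) is None:
                findings.append((ifname, "directed broadcast forwarding enabled without ACL"))
            elif m and m.group(1) not in defined_acls:
                findings.append((ifname, "references undefined ACL " + m.group(1)))
    return findings
```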