HP-UX IPFilter A.03.05.13 Administrator's Guide: HP-UX 11i v3

HP-UX IPFilter Utilities
The ipfstat Utility
The following is an example of the output of the ipfstat -sl option:
# ipfstat -sl
empty list for ipfilter(out)
1 pass in quick proto tcp from 15.13.106.175/32 to any keep state
# ipfstat -sl
15.13.106.175 -> 15.13.137.135 ttl 872678 pass 0x500a pr 6 state 4/4
pkts 31 bytes 1564 57906 -> 23 22c0861c:712c2bd9 32768:32768
cmsk 0000 smsk 0000 isc 0000000000000000 s0 22c085e0/712c2b7f
sbuf[0] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0] sbuf[1] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in lan0[00000000480baf00] out -[0000000000000000]
The following is an example of the output of the ipfstat -L option:
Current connections to limited IP addresses
Connection Type    Active Limits
Individual         2
Subnet             3
Cumulative         5
Unknown IP         9
Total              19
No Memory          0
Logged Records     13
Log Failures       0
Limits Added       13
Add Failures       0
• The first six lines display the number of current active connections of each described type.
• No Memory is the number of times a limit entry could not be created because no memory was available. If this is a nonzero, positive value, check the system memory and, if necessary, increase it.
• Logged Records is the number of limit entries logged, both summary and alert log records.
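
An added example, not part of the HP guide: a POSIX shell check that reads ipfstat -L output and flags a nonzero No Memory counter, as the text above advises. The function names are hypothetical, and the embedded sample is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the HP guide): check the `ipfstat -L` counters.

# Constructed sample input, copied from the output layout shown above.
sample_output() {
cat <<'EOF'
Current connections to limited IP addresses
Connection Type    Active Limits
Individual         2
Subnet             3
Cumulative         5
Unknown IP         9
Total              19
No Memory          0
Logged Records     13
Log Failures       0
Limits Added       13
Add Failures       0
EOF
}

# limit_counter LABEL: read `ipfstat -L` output on stdin, print LABEL's value.
# Labels contain spaces ("Unknown IP"), so the value is the last field and
# the label is everything before it. Returns 1 if LABEL is not present.
limit_counter() {
    awk -v want="$1" '
        $NF ~ /^[0-9]+$/ {
            label = $0
            sub(/[ \t]+[0-9]+[ \t]*$/, "", label)   # drop the trailing value
            sub(/^[ \t]+/, "", label)               # drop leading indent
            if (label == want) { print $NF; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# check_limits: read `ipfstat -L` output on stdin.
# Returns 0 if No Memory is 0, 1 if it is nonzero, 2 if it cannot be parsed.
check_limits() {
    out=$(cat)
    nomem=$(printf '%s\n' "$out" | limit_counter "No Memory") || {
        echo "UNKNOWN: No Memory counter not found" >&2; return 2; }
    if [ "$nomem" -gt 0 ]; then
        echo "ALERT: No Memory=$nomem; limit entries were not created, check system memory"
        return 1
    fi
    echo "OK: No Memory=0, Logged Records=$(printf '%s\n' "$out" | limit_counter "Logged Records")"
}

# On a live system: ipfstat -L | check_limits
sample_output | check_limits
```
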