HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
C HP-UX IPFilter kernel tunable parameters
C.1 Overview
HP-UX IPFilter supports the following kernel tunable parameters:
| Name | Description | Default value |
|------|-------------|---------------|
| fr_tcpidletimeout | The timeout period for TCP entries in the state table. | 86,400 seconds |
| fr_statemax | Specifies the maximum number of state table entries that can be created. | 800,000 entries |
| ipf_icmp6_passthru | If set to 0, IPFilter allows ICMPv6 Router Discovery and Neighbor Discovery messages to bypass normal IPFilter rule processing and always pass through the system. | 0 |
| ipl_buffer_sz | Size of the IPFilter logging buffer for /dev/ipl. | 8192 bytes |
| ipl_suppress | If enabled (set to 1), IPFilter does not write identical log records separately, but counts them as Nx, where N is the number of times the log record occurs. | 1 (enabled) |
| ipl_logall | If enabled (set to 1), IPFilter includes the entire packet when the log body keywords are specified in a rule. Otherwise, it includes only the first 128 bytes. | 0 (disabled) |
| ipnat_enable | Used to enable or disable NAT functionality. Value can be 0 or 1. This is supported on 11.23 and 11.31. It is modified using the kctune command. | 1 (enabled) |
| fr_tcptimewait | Used to set TCP state entry age at system level after connection is closed. Value can be between 2-120 Sec. This is supported only on 11.31. It is modified using the kctune command. | 120 Sec (enabled) |
| frnat_tcptimewait | Used to set TCP NAT entry age at system level after connection is closed. Value can be between 2-120 Sec. This is supported only on 11.31. It is modified using the kctune command. | 120 Sec |
The following sections provide information about the remaining kernel tunable parameters and
how to use the kctune, kmtune, and ndd commands to configure these parameters.
C.2 fr_tcpidletimeout
The fr_tcpidletimeout parameter is the timeout period for state table entries for TCP connections that
are established and idle. If the state table has an entry for an established TCP connection and no
packets match the state entry for that period, IPFilter deletes the entry.
| Name | Range | Default value | Configuration utility |
|------|-------|---------------|-----------------------|
| fr_tcpidletimeout | HP-UX 11i v1: 300 - 86,400 seconds; HP-UX 11i v2 and HP-UX 11i v3: 240 - 86,400 seconds | 86,400 seconds (24 hours) | HP-UX 11i v1: kmtune; HP-UX 11i v2 and HP-UX 11i v3: kctune |