HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
• Consolidate rules whenever possible, to minimize searching. For example:
pass in quick proto tcp from 15.13.103.72 to any keep limit 80
pass in quick proto tcp from 15.13.103.0-15.13.103.6 to any keep limit 44
pass in quick proto tcp from 15.13.103.7 to any keep limit 33
pass in quick proto tcp from 15.13.103.8 to any keep limit 33
pass in quick proto tcp from 15.13.103.9 to any keep limit 33
pass in quick proto tcp from 15.13.103.10-15.13.103.255 to any keep limit 44
pass in quick proto tcp from 15.13.104.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.105.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.106.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.107.0-15.13.107.78 to any keep limit 44
The previous ruleset can be condensed to the following:
pass in quick proto tcp from 15.13.103.0-15.13.107.78 to any keep limit 33 head 1
pass in quick proto tcp from 15.13.103.72 to any keep limit 80 group 1
pass in quick proto tcp from !15.13.103.7-15.13.103.9 to any keep limit 44 group 1
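Before deploying a condensed ruleset it is worth checking that it assigns the same keep limit to every source address as the original. The following is an added example, not code from the guide or from IPFilter: a small Python model of first-match ("quick") evaluation with head/group descent that compares the two rulesets above across the whole covered range. It models only the rule syntax used in this section (an assumption of the example), and the names RULE_RE, limit_for and mismatches are the example's own.

```python
import ipaddress, re

# Rule shapes modelled (an assumption of this example, limited to this section's syntax):
# pass in quick proto tcp from [!]<host|first-last|cidr> to any keep limit <n> [head <g>|group <g>]
RULE_RE = re.compile(r"pass in quick proto tcp from (?P<src>\S+) to any keep limit "
                     r"(?P<limit>\d+)(?: (?P<kind>head|group) (?P<grp>\d+))?$")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if m is None: raise ValueError("unsupported rule: " + line)
    src = m["src"].lstrip("!")
    if "-" in src:                                  # first-last range
        lo, hi = (int(ipaddress.ip_address(a)) for a in src.split("-"))
    else:                                           # single host or CIDR block
        net = ipaddress.ip_network(src, strict=False)
        lo, hi = int(net[0]), int(net[-1])
    return {"neg": m["src"].startswith("!"), "lo": lo, "hi": hi,
            "limit": int(m["limit"]), "kind": m["kind"], "grp": m["grp"]}

def parse_rules(text): return [parse_rule(l) for l in text.strip().splitlines()]

def matches(r, ip): return (r["lo"] <= ip <= r["hi"]) != r["neg"]

def limit_for(rules, ip):                           # first quick match wins
    ip = int(ipaddress.ip_address(ip))
    for r in rules:
        if r["kind"] == "group" or not matches(r, ip):
            continue                                # group rules are reached only via their head
        for g in rules:                             # a matched head tries its group rules first
            if r["kind"] == "head" and g["kind"] == "group" and g["grp"] == r["grp"] and matches(g, ip):
                return g["limit"]
        return r["limit"]                           # head's own limit when no group rule matched
    return None                                     # no match: later rules would decide

def mismatches(text_a, text_b, first, last):       # addresses where the two rulesets differ
    ra, rb = parse_rules(text_a), parse_rules(text_b)
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1) if limit_for(ra, i) != limit_for(rb, i)]

ORIGINAL = """pass in quick proto tcp from 15.13.103.72 to any keep limit 80
pass in quick proto tcp from 15.13.103.0-15.13.103.6 to any keep limit 44
pass in quick proto tcp from 15.13.103.7 to any keep limit 33
pass in quick proto tcp from 15.13.103.8 to any keep limit 33
pass in quick proto tcp from 15.13.103.9 to any keep limit 33
pass in quick proto tcp from 15.13.103.10-15.13.103.255 to any keep limit 44
pass in quick proto tcp from 15.13.104.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.105.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.106.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.107.0-15.13.107.78 to any keep limit 44"""
CONDENSED = """pass in quick proto tcp from 15.13.103.0-15.13.107.78 to any keep limit 33 head 1
pass in quick proto tcp from 15.13.103.72 to any keep limit 80 group 1
pass in quick proto tcp from !15.13.103.7-15.13.103.9 to any keep limit 44 group 1"""

if __name__ == "__main__": print(mismatches(ORIGINAL, CONDENSED, "15.13.103.0", "15.13.107.78"))
```

An empty list means the condensed ruleset is equivalent over the checked range; any address printed is one whose keep limit changed.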
• For keep limit rules, avoid the cumulative rule whenever possible.
If a large number of connections have the same source IP, destination IP, and destination port,
system performance is impacted by cumulative rules. Non-cumulative keep limit rules keep
a cache based on the source IP, destination IP, and destination port. Cumulative rules do not
keep a cache based on these parameters.
E.4 Traffic
To manage IPFilter for optimal system performance:
• Keep the state entries at a manageable level. A large number of state entries requires many
CPU cycles to process them. Too many state entries can cause noticeable performance
degradation on a system.
• Keep packet searches on rulesets as short as possible. On a 750-MHz PA-RISC system, a
1000 to 2000 rule search is acceptable. If IPFilter traffic is light, a 5000 rule search is the
recommended maximum. The optimal number of rules is dependent on your specific operating
environment, including factors such as type of rules and amount of traffic.
• Keep IPFilter traffic at a manageable level. Do not run at peak load all the time. Keep the
average CPU usage rate at around 60% to accommodate unexpected peak loads. At peak
load times the system compensates with schemes such as dropping packets. However, it is
never a good idea to push a system beyond its intended capacity.
For example, the normal region in Figure 9 (page 120) shows normal system operation. The system
should not operate in the marginal region for a long period of time. Configure your system to raise
an alarm if the system reaches the critical level. Define these criteria based on your operating
environment.
E.4 Traffic 119