HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
For example, to allow 10 outbound packets per second from any source address to the destination
address 10.1.1.42:
pass out from any to 10.1.1.42/32 pps 10
NOTE: This is available only on HP-UX 11i v3.
3.4 Processing options: logging packets, optimizing rule processing, and specifying interfaces
IPFilter supports the following processing options:
• Log packet information (log)
• If the filter matches the packet, immediately apply the rule action and stop searching for rules (quick)
• Apply the rule only to the specified interface (on)
3.4.1 Option order
If you specify processing options, you must insert them after the in or out keyword:
block|pass in|out [processing_options] [proto protocol] ip_selector
If you specify more than one processing option, you must specify them in the following order:
1. log
2. quick
3. on
For example:
block in log quick on lan0 from 20.20.20.0/24 to any
3.4.2 Logging packets: log
The log keyword directs IPFilter to log incoming and outgoing packets. Logging enables you to
determine if your IPFilter system is being attacked, and records information about the packets. You
can use the log keyword with any IPFilter rule.
TIP: In most cases, it is not necessary to log every passed packet. Administrators often log only
blocked packets, and, in some cases, log only selected blocked packets. HP recommends that you
select the most important rules or the rules that are most likely to block attacks on your system and
log only those rules. Indiscriminate logging can clutter a log file and make it difficult to detect
notable events.
For example, if you want to log blocked packets from a specific subnet, such as 20.20.20.0/24,
use the following rule:
block in log from 20.20.20.0/24 to any
NOTE: You can use the log keyword with several other options to control and enhance logging
functionality and performance. See Section 9.3 (page 60) for more information.
3.4.3 Optimizing IPFilter rules processing: quick
By default, HP-UX IPFilter evaluates the entire ruleset for each packet and selects the last rule that
matches the packet. The quick keyword enables you to control rule processing and reduce the
overhead of running IPFilter on your system. If IPFilter matches a packet to a rule that contains the
quick keyword, IPFilter immediately selects that rule without continuing to evaluate the other rules
in the ruleset. For example, a ruleset contains the following rules: