HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
The system host1 is allowed to open only 10 concurrent connections. IPFilter blocks any subsequent
connection requests. Since log limit is set, each additional connection attempt is logged.
The log limit option generates two types of log records:
• Alert Log records—created when a source IP address attempts to exceed its configured
connection limit. Every time the connection limit is exceeded, IPFilter creates an alert log record.
• Summary Log records—created when a limit entry ceases to exist after all the connections for
that limit entry have been closed. A summary log record summarizes the connection activity
for a particular source IP address.
The format of an alert log record is:
date_time_stamp interface_name source_ip,source_port -> destination_IP,destination_port
protocol TCP_flags keep_limit limit_type configured_limit current_#_of_connections
#_times_limit_exceeded log_freq packet_direction
The format of a summary log record is:
Date and time stamp, Source IP, Source port, Destination IP, Destination port,
Protocol, TCP flags, Keep limit, Limit type, Configured limit,
Current # of connections, # times limit exceeded, Rule #,
Time the limit entry was created
5.7.1 Summary logs and cumulative limits
You can write the summary log records for cumulative limits to the IPFilter log file using the ipmon
-r option. When ipmon -r is invoked, the summary log record is written and the connection
exceeded counter for each cumulative limit is set to zero.
NOTE: Unlike noncumulative limits, cumulative summary logs are not printed when all the
connections under a cumulative limit are closed.
The following is an example cumulative summary log:
06/02/2004 19:32:39.370000 LIMIT LOG 19.13.15.65-19.13.15.85,* -> 0.0.0.0,23 PR ip
Type 4 Cur Lim 1 Exceeded 1 @0:1 First Time 19:32:35.800000
The example log record was written for the following IP address range cumulative rule:
pass in log limit freq 1 quick proto tcp from 19.13.15.65-19.13.15.85 to any port = 23 keep limit 1 cumulative
In the example summary log, the source IP address displayed is actually the IP address range
specified in the rule. Wildcard IP addresses are shown as 0.0.0.0. The destination port information
is also printed from the rule. The other fields are similar to a noncumulative summary record.
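A small parser for the summary log layout described above, added here as an example and not part of the guide or of IPFilter itself. It takes the cumulative summary record shown above (rejoined onto one line) plus two records constructed in the same layout, splits each into named fields, and then does the two things an operator reviewing these logs usually wants: telling range (cumulative) entries apart from single-host entries, and pulling out the entries whose Exceeded counter is non-zero, totalled per rule. The regex is written against the field order the guide prints; the value after "Cur Lim" is assumed to be the configured limit, and the limit-type codes other than 4 in the constructed lines are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample input. The first record is the cumulative summary log
# record from the guide, rejoined onto one line; the other two are made up
# here in the same layout (a single-host entry that never exceeded its limit,
# and a wildcard-source entry) purely to exercise the parser.
SAMPLE_RECORDS = [
    "06/02/2004 19:32:39.370000 LIMIT LOG 19.13.15.65-19.13.15.85,* "
    "-> 0.0.0.0,23 PR ip Type 4 Cur Lim 1 Exceeded 1 @0:1 First Time 19:32:35.800000",
    "06/02/2004 19:40:02.100000 LIMIT LOG 19.13.15.66,* "
    "-> 0.0.0.0,22 PR tcp Type 1 Cur Lim 10 Exceeded 0 @0:2 First Time 19:38:11.000000",
    "06/02/2004 19:41:17.500000 LIMIT LOG 0.0.0.0,* "
    "-> 0.0.0.0,25 PR tcp Type 2 Cur Lim 5 Exceeded 3 @0:3 First Time 19:39:50.250000",
]

# Field order follows the summary record layout printed in the guide.
LIMIT_LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) LIMIT LOG "
    r"(?P<src>\S+?),(?P<sport>\S+) -> (?P<dst>\S+?),(?P<dport>\S+) "
    r"PR (?P<proto>\S+) Type (?P<ltype>\d+) Cur Lim (?P<limit>\d+) "
    r"Exceeded (?P<exceeded>\d+) @(?P<group>\d+):(?P<rule>\d+) "
    r"First Time (?P<first_time>\S+)$"
)


@dataclass(frozen=True)
class LimitLogRecord:
    date: str
    time: str
    source: str        # single host, or "a-b" range for a cumulative range rule
    source_port: str   # "*" when the rule did not name a source port
    dest: str          # "0.0.0.0" when the rule used a wildcard destination
    dest_port: str
    proto: str
    limit_type: int    # the "Type" code as printed
    limit: int         # value after "Cur Lim" (assumed: the configured limit)
    exceeded: int      # "# times limit exceeded"
    group: int         # rule group from "@group:rule"
    rule: int          # rule number within that group
    first_time: str    # time the limit entry was created


def parse_limit_log(line: str) -> Optional[LimitLogRecord]:
    """Parse one summary record; return None for lines in any other layout."""
    m = LIMIT_LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return LimitLogRecord(
        date=g["date"], time=g["time"],
        source=g["src"], source_port=g["sport"],
        dest=g["dst"], dest_port=g["dport"],
        proto=g["proto"],
        limit_type=int(g["ltype"]), limit=int(g["limit"]),
        exceeded=int(g["exceeded"]),
        group=int(g["group"]), rule=int(g["rule"]),
        first_time=g["first_time"],
    )


def is_range_source(rec: LimitLogRecord) -> bool:
    """True when the source field is an a-b range, i.e. the entry came from a cumulative range rule."""
    return "-" in rec.source


def exceeded_entries(lines: Iterable[str]) -> List[LimitLogRecord]:
    """Records whose Exceeded counter is non-zero, in arrival order; other lines are skipped."""
    hits: List[LimitLogRecord] = []
    for line in lines:
        rec = parse_limit_log(line)
        if rec is not None and rec.exceeded > 0:
            hits.append(rec)
    return hits


def exceeded_by_rule(lines: Iterable[str]) -> Dict[str, int]:
    """Total of the Exceeded counters, keyed by "@group:rule", for rules that were exceeded."""
    totals: Dict[str, int] = {}
    for rec in exceeded_entries(lines):
        key = f"@{rec.group}:{rec.rule}"
        totals[key] = totals.get(key, 0) + rec.exceeded
    return totals


if __name__ == "__main__":
    for rec in exceeded_entries(SAMPLE_RECORDS):
        kind = "range" if is_range_source(rec) else "host"
        print(f"{rec.date} {rec.time} {kind} {rec.source} -> {rec.dest}:{rec.dest_port} "
              f"limit {rec.limit} exceeded {rec.exceeded} rule @{rec.group}:{rec.rule}")
    print(exceeded_by_rule(SAMPLE_RECORDS))
```

Feed it the output of ipmon for a day and the per-rule totals show which keep limit rules are actually being hit; a range entry with a high Exceeded count is the cumulative-limit case described above, where the source field is the rule's range rather than an individual host.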
For further information, see Section 9.3.2.4 (page 63).
5.8 Log frequency: log limit freq
Use the log limit freq num keyword to control the frequency at which alert log records are
logged.
For example, suppose log limit is set to 10 and log limit freq is set to 3. The system begins
tracking exceeded connections at the eleventh connection. It logs every third exceeded connection,
that is, the fourteenth, seventeenth, twentieth, and so on.
The log limit freq keyword can also be used with keep limit cumulative rules. For example:
pass in log limit freq 5 quick proto tcp from 18.9.90.0/24 to any keep limit 10 cumulative
In the previous rule, log limit freq 5 specifies that a log record is printed for every five
connections that exceed the connection limit of 10. If 100 connections are established, IPFilter
logs the eleventh, sixteenth, twenty-first, and so on.