HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
5.9.4 Extracting an individual rule from a subnet rule
To extract an individual rule from a subnet rule:
1. Add the new rule on the line before the subnet rule. Be sure the subnet or IP address range
rule is identical to the old rule.
When a new connection matches an existing limit entry, the new connection will be processed
by the new individual rule. The subnet or IP address range can be cumulative or noncumulative.
5.10 Enabling and disabling DCA
To use DCA, you must enable DCA mode. You can enable or disable DCA mode using the ipf
utility. If you want IPFilter to automatically enable DCA mode at system startup time, you must also
modify the /etc/rc.config.d/ipfconf file.
5.10.1 Enabling and disabling DCA using ipf
There is a single DCA mode for both IPv4 and IPv6 addresses. You can use the ipf command to
enable and disable DCA mode. You can also use ipf to query the state of DCA mode, and toggle
between enabled and disabled mode.
DCA mode is disabled by default. To enable DCA, use the following command:
ipf -m e
To disable DCA, use the following command:
ipf -m d
To query the current DCA setting, use the following command:
ipf -m q
To toggle DCA between enabled and disabled mode, use the following command:
ipf -m t
5.10.2 Configuring IPFilter to enable DCA at system startup
Use the following procedure to configure IPFilter to automatically enable DCA at system startup:
1. Open /etc/rc.config.d/ipfconf, the IPFilter startup configuration file.
2. Set the DCA_START flag to 1 to enable DCA.
Alternatively, you can set the DCA_START flag to 0 to disable DCA. This is the default setting.
NOTE: When there are no keep limit rules and no connection allocation configured, HP
recommends that you disable DCA.
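The following shell sketch is an added example, not part of the HP guide. It sets DCA_START in a copy of the startup file and checks the flag against the ruleset, following the NOTE above. It assumes ipfconf holds shell-style NAME=value lines, takes the rules file path as a parameter, and checks only for keep limit rules; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes ipfconf holds shell-style NAME=value lines.

# Print the effective DCA_START (last assignment wins; the guide's default is 0).
dca_start_value() {
    awk -F= '/^[ \t]*DCA_START=/ { v = $2; sub(/[ \t]*#.*/, "", v); gsub(/[" \t]/, "", v) }
             END { print (v == "" ? 0 : v) }' "$1"
}

# Set DCA_START to 0 or 1, keeping a backup copy in FILE.bak.
set_dca_start() {
    file=$1 val=$2
    case $val in 0|1) ;; *) echo "DCA_START must be 0 or 1" >&2; return 2 ;; esac
    cp -p "$file" "$file.bak" || return 1
    if grep -q '^[[:space:]]*DCA_START=' "$file"; then
        sed "s/^[[:space:]]*DCA_START=.*/DCA_START=$val/" "$file.bak" > "$file"
    else
        echo "DCA_START=$val" >> "$file"
    fi
}

# Return 0 when the startup flag agrees with the ruleset, 1 otherwise.
check_dca_config() {
    start=$(dca_start_value "$1")
    # Count active (non-comment) rules that contain "keep limit".
    limits=$(grep -v '^[[:space:]]*#' "$2" | grep -c 'keep limit' || true)
    if [ "$start" = 1 ] && [ "$limits" -eq 0 ]; then
        echo "DCA_START=1 but no keep limit rules: the guide recommends disabling DCA"
        return 1
    fi
    if [ "$start" = 0 ] && [ "$limits" -gt 0 ]; then
        echo "$limits keep limit rule(s) but DCA_START=0: DCA is not enabled at startup"
        return 1
    fi
    echo "consistent: DCA_START=$start, keep limit rules=$limits"
}

# Demo on constructed files; temporary paths stand in for the real ones.
tmp=$(mktemp -d)
printf '# constructed ipfconf\nDCA_START=0\n' > "$tmp/ipfconf"
printf '# constructed rule\npass in proto tcp from any to any port = 25 keep limit 10\n' \
    > "$tmp/rules"
check_dca_config "$tmp/ipfconf" "$tmp/rules" || true   # flags the mismatch
set_dca_start "$tmp/ipfconf" 1
check_dca_config "$tmp/ipfconf" "$tmp/rules"           # now consistent
rm -rf "$tmp"
```

This checks only what will happen at the next startup; on a running system, ipf -m q reports the current DCA state.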
5.11 Using IPFilter utilities with DCA
The IPFilter utilities support subcommands to collect data about the connections that are being
controlled. This data includes the source and destination IP address, allocated number of
connections, number of active connections, and number of times the allocated quota of connections
was exceeded. These subcommands are as follows:
• Section 10.1 (page 67).
◦ ipf -Q interface_name
◦ ipf -E interface_name
◦ ipf -D interface_name
◦ ipf -m option
40 Configuring and loading dynamic connection allocation (DCA) rules