HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

ManualsBrandsHP ManualsSoftwareHP-UX IPFilter Software

-r group:rule Displays the limit statistic by rule number. If you specify this option with the

-6 option, ipfstatdisplays the IPv6 rule; if you specify this option without

the -6 option, it displays the IPv4 rule.

-v Sets verbose mode. Use for debugging.

NOTE: Statistics counters cannot increment when both active in and out

rulesets are empty. This is due to a performance optimization that bypasses

IPFilter when there are no active rulesets present.

9.1.3 Examples

# ipfstat

dropped packets: in 0 out 0

non-data packets: in 0 out 0

no-data packets: in 0 out 0

non-ip packets: in 0 out 0

bad packets: in 0 out 0

copied messages: in 0 out 0

input packets: blocked 15 passed 2647 nomatch 2537 counted 0

short 0

output packets: blocked 0 passed 245 nomatch 141 counted 0

short 0

input packets logged: blocked 0 passed 0

output packets logged: blocked 0 passed 0

packets logged: input 0 output 0

TCP connections: in 5 out 50

log failures: input 0 output 0

fragment state(in): kept 0 lost 0

fragment state(out): kept 0 lost 0

packet state(in): kept 5 lost 0

packet state(out): kept 0 lost 0

ICMP replies: 0 TCP RSTs sent: 0

Invalid source(in): 0

Result cache hits(in): 14 (out): 0

IN Pullups succeeded: 0 failed: 0

OUT Pullups succeeded: 0 failed: 0

Fastroute successes: 0 failures: 0

TCP cksum fails(in): 0 (out): 0

Packet log flags set: (0)

none

The TCP Connections statistics are derived from the number of states added and are accurate

only when keep limit or keep state rules are used for all TCP connections.

For example, you have the following ruleset:

pass in log limit freq 500 quick proto tcp from any to any port = 80 keep limit 100

pass in log quick proto tcp from any to any port = 25 flags S keep state

pass in log quick proto tcp from any to any port = 23

pass out log quick proto tcp from any port = 23 to any

These rules only count connections that match the first two rules. Both the third and fourth rule allow

telnet connections but telnet connections are not counted, since the system is not keeping

state on these connections.

Example:

# ipfstat -ho

2451423 pass out on lan0 from any to any

354727 block out on ppp0 from any to any

430918 pass out quick on ppp0 proto tcp/udp from

20.20.20.0/24 From to any keep state keep frags

54 Troubleshooting HP-UX IPFilter