HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

Field 5—Packet source, in the format ip_address,port
Field 6—Packet destination, in the format ip_address,port
Fields 7 and 8—Protocol
Field 9—Packet size
Field 10—Flags set on packet
Use the ipfstat -in command to determine the text of the rule that created the log entry. In the
previous example, you would use this command to look at rule 2 in rule group 0 (@0:2).
IPFilter sometimes logs a packet matching a keep state rule in the normal (non-state) IPFilter log
file. This occurs when a packet matching a keep state rule has the same sequence number as
a packet matching a normal (non-state) rule that has logging enabled. This may also occur
when a packet matching a keep state rule is the last packet in a stateful connection and arrives
after IPFilter has deleted the state table entry.
Example:
#ipfstat -n
12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0
This is an ICMP router discovery broadcast packet, indicated by the ICMP type and code 9/0.
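The following parser, an added example rather than code from this guide, splits a log entry of the layout shown above into the fields listed at the start of this section (source and destination as ip or ip,port, protocol, packet size, trailing protocol details) and reads the @group:rule reference so the matching rule can be looked up with ipfstat -in. The second sample line is constructed for illustration; the action letter and port layout assumed for it are not taken from this page.

```python
import re

# One ipmon log line, in the layout shown in this chapter:
#   <time> <ifname> @<group>:<rule> <action> <src> -> <dst> PR <proto> len <hdr> <size> [extra]
# Fields 5 and 6 (source/destination) are "ip" or "ip,port"; the trailing
# text carries protocol details such as TCP flags or "icmp <type>/<code>".
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hdrlen>\d+)\s+(?P<size>\d+)(?:\s+(?P<extra>.*))?$"
)

def split_endpoint(field):
    """Split 'ip,port' into (ip, port); a bare 'ip' gives port None."""
    if "," in field:
        ip, port = field.rsplit(",", 1)
        return ip, int(port)
    return field, None

def parse_line(line):
    """Return the entry as a dict, or raise ValueError if the layout differs."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not an ipmon log line: %r" % line)
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    icmp = re.search(r"icmp\s+(\d+)/(\d+)", m["extra"] or "")
    return {
        "time": m["time"], "ifname": m["ifname"],
        "group": int(m["group"]), "rule": int(m["rule"]),   # @0:1 -> group 0, rule 1
        "action": m["action"],
        "src": src_ip, "sport": src_port, "dst": dst_ip, "dport": dst_port,
        "proto": m["proto"], "size": int(m["size"]),
        "icmp": (int(icmp.group(1)), int(icmp.group(2))) if icmp else None,
        "extra": m["extra"] or "",
    }

def rule_to_check(entry):
    """The rule to read in 'ipfstat -in' output for this entry."""
    return "group %d rule %d" % (entry["group"], entry["rule"])

# Sample input: the ICMP line from this chapter plus a constructed TCP line.
SAMPLE_LINES = [
    "12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0",
    "12:47:03.001234 lan0 @0:2 b 192.0.2.10,40512 -> 192.0.2.25,22 PR tcp len 20 60 -S",  # constructed
]
```

Feeding each entry's group and rule to ipfstat -in gives the rule text that produced it; the parsed ICMP type/code pair lets a script recognise the router discovery packet discussed above without string matching on the whole line.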
9.3.2.4 ipmon and DCA logging
DCA logging uses different device files than normal IPFilter logging. The DCA module writes alert
log records to /dev/ipl and writes summary log records to /dev/iplimit. To view the summary
records, use ipmon with the -A option. Using ipmon -A prints a summary log for a limit entry
before the entry is removed from the limit table.
Example:
ipmon -A /dev/iplimit > $LOGDIR/limit_summary.log &
You can use ipmon -r to print the summary records to the log file for all existing limit entries that
are active. For example, suppose you have the following rule configured:
pass in log limit quick proto tcp from host1 to Server keep limit 10
If host1 creates 70 connections, then 10 connections are let through and the remaining 60 are
blocked; 60 is the block count. When ipmon -r is called, a summary record is written to the
summary log and the block count is reset to 0. This is useful in a case where host1 created
many connections and has a large block count, but subsequently has connections that are within
the connection limit.
ipmon -r works only on active limit entries. If there are no limit entries, ipmon -r does not log
any summary log records. Summary logs are printed only for those limit entries that have a
non-zero connection exceeded counter. For cumulative limits, this option is the only way to obtain
summary logs.
9.3.3 Analyzing IPFilter log events
The ipmon feature simplifies IPFilter log analysis and allows monitoring for specific log events.
When such an event is found, the rule configuration runs a shell command or logs the event to
syslog. The shell command can be an alert mailed to the administrator or an IPFilter command to
update filter rules. For more information, see the ipmon(4) manpage.
NOTE: This is available only on HP-UX 11i v3.
9.3.3.1 Syntax
ipmon -C <ipmon.conf file>