HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

You do not need to flush and reload an entire ruleset to modify some rules within the ruleset. Adding rules that already exist slows processing. If you are modifying a large ruleset, follow these steps:

1. Find the difference between the new ruleset and the current ruleset using the diff command.
2. Delete the old rules using the ipf -rf command.
3. If your ruleset contains keep limit rules, modify the rules with the ipf -f command.
4. Add the new rules using the ipf -f command. If a rule must be in a specific place in the ruleset, specify the rule number using @rule_number before the rule.

You can also modify an inactive ruleset and then switch the inactive ruleset for the active ruleset with the ipf -s command.
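The procedure above, carried out as a script. This is an added example and not code from the HP-UX IPFilter guide: it assumes two rule files (the currently loaded one and the desired one), computes the rules that differ, and hands only those to ipf, with rules that vanished from the new file removed via ipf -rf and rules that are new added via ipf -f. The file names, the IPF variable and the sample rules are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the HP-UX IPFilter guide: update a loaded
# ruleset incrementally. Only the rules that differ between the currently
# loaded rule file and the desired rule file are handed to ipf, following
# the steps above: rules missing from the new file are removed with
# "ipf -rf", rules that are new are added with "ipf -f". A rule that must
# land at a specific position carries an @rule_number prefix in the new
# file; the prefix is preserved and passed through to ipf unchanged.
# IPF names the command to run (default: ipf). Set IPF="echo ipf" for a
# dry run that prints the invocations instead of executing them.

IPF="${IPF:-ipf}"

# Drop comments and blank lines and squeeze whitespace, so that the
# comparison is on rule content rather than on formatting.
normalize_rules() {
    awk '{
        sub(/#.*$/, "")
        gsub(/[ \t]+/, " ")
        sub(/^ /, "")
        sub(/ $/, "")
        if (NF) print
    }' "$1"
}

# rules_only_in A B: normalized rules of file A that are absent from file B,
# printed in A's order. This is the "diff" step of the procedure.
rules_only_in() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    # Remember every rule of B (ARGV[1]), then print rules of A not seen.
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$b" "$a"
    rm -f "$a" "$b"
}

# plan_update CURRENT NEW: print what would change, one rule per line,
# prefixed with "remove: " or "add: ". Use this to review before applying.
plan_update() {
    rules_only_in "$1" "$2" | sed 's/^/remove: /'
    rules_only_in "$2" "$1" | sed 's/^/add: /'
}

# apply_update CURRENT NEW: remove obsolete rules first, then add new ones.
# Without an @rule_number prefix, "ipf -f" appends each rule at the end of
# the ruleset, so ordering-sensitive rules need the prefix in NEW.
apply_update() {
    rem=$(mktemp) || return 1
    add=$(mktemp) || { rm -f "$rem"; return 1; }
    rules_only_in "$1" "$2" > "$rem"
    rules_only_in "$2" "$1" > "$add"
    if [ -s "$rem" ]; then $IPF -rf "$rem"; fi
    if [ -s "$add" ]; then $IPF -f "$add"; fi
    rm -f "$rem" "$add"
}

# Constructed sample rulesets (not from the guide), written to a temporary
# directory so the example runs stand-alone: the new file replaces the
# rule for 15.13.2.2 with one for 15.13.2.3 pinned at position 2.
SAMPLE_DIR=$(mktemp -d)
CUR_FILE="$SAMPLE_DIR/ipf.conf.current"
NEW_FILE="$SAMPLE_DIR/ipf.conf.new"
cat > "$CUR_FILE" <<'EOF'
# currently loaded ruleset (constructed sample)
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1
pass in quick proto tcp from 15.13.2.2 to any port = 23 keep limit 2
block in log limit freq 20 quick proto tcp from any to any port = 23
EOF
cat > "$NEW_FILE" <<'EOF'
# desired ruleset (constructed sample)
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1
@2 pass   in quick proto tcp from 15.13.2.3 to any port = 23 keep limit 2
block in log limit freq 20 quick proto tcp from any to any port = 23
EOF

# Review the change; apply_update "$CUR_FILE" "$NEW_FILE" would execute it.
plan_update "$CUR_FILE" "$NEW_FILE"
```

Running the script prints one remove line for the 15.13.2.2 rule and one add line for the @2-prefixed 15.13.2.3 rule; nothing is printed for the two rules that are unchanged, which is the point of the incremental approach. Review the plan, then call apply_update with the same two files (with IPF left at its default) to pass the two small files to ipf -rf and ipf -f.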
E.3 Rule configuration
To configure IPFilter rules for optimal system performance:

- Avoid using return-rst whenever possible.
  From both security and performance perspectives, it is better for IPFilter to block packets anonymously than to return a Reset packet from a known address.
- Avoid logging whenever possible.
  Excessive logging can impact both storage and CPU performance on the system. Determine the appropriate logging level for your environment.
- Use the quick keyword whenever possible.
  The quick keyword stops the rule search as soon as a rule matches the packet. Otherwise, IPFilter searches the entire ruleset, which can impact performance if there are a large number of rules.
- Use keep state or keep limit rules whenever possible.
  Each connection that matches a keep state or keep limit rule searches through the ruleset only once. Subsequent packets for that connection match the existing state entry and do not search the rest of the ruleset.
- Use group rules whenever possible.
  For more information, see Section 3.7 (page 27).
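A quick way to check a rule file against the guidelines above before loading it. This is an added example, not code from the HP-UX IPFilter guide: a text-only check that flags rules using return-rst, rules that log without a log limit, pass rules without quick, and pass rules without keep state or keep limit (group heads are exempt), and counts how many rules are placed in a group. The function name and the sample rule file are constructed for the example; rule syntax itself is still validated by loading the file with ipf -n.

```shell
#!/bin/sh
# Added example, not code from the HP-UX IPFilter guide: a textual check of a
# rule file against the performance guidelines. It reports rules that use
# return-rst, that log without "log limit", pass rules without quick, and
# pass rules without keep state or keep limit (group heads are exempt), and
# ends with a count of rules and of rules placed in a group. It checks
# wording only; syntax is validated by loading the file with ipf -n.

lint_ruleset() {
    awk '
    {
        r = $0
        sub(/#.*$/, "", r); gsub(/[ \t]+/, " ", r); sub(/^ /, "", r); sub(/ $/, "", r)
        if (r == "") next            # comment or blank line
        rules++
        is_pass = (r ~ /^(@[0-9]+ )?pass /)
        if (r ~ /return-rst/)
            printf "%d: avoid return-rst: %s\n", NR, r
        if (r ~ / log / && r !~ / log limit /)
            printf "%d: log without limit: %s\n", NR, r
        if (is_pass && r !~ / quick /)
            printf "%d: pass without quick: %s\n", NR, r
        if (is_pass && r !~ / keep (state|limit)/ && r !~ / head /)
            printf "%d: pass without keep state/limit: %s\n", NR, r
        if (r ~ / group [0-9]+/) grouped++
    }
    END { printf "rules: %d, grouped: %d\n", rules + 0, grouped + 0 }' "$1"
}

# Constructed sample rule file (not from the guide) with one violation of
# each guideline, plus a group head and a grouped rule.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample
block return-rst in quick proto tcp from any to any port = 22
pass in proto tcp from 15.13.2.1 to any port = 23 keep limit 1
pass in log quick proto tcp from 15.13.2.2 to any port = 23
pass in quick proto tcp from 15.13.2.0/24 to any port = 23 head 1
pass in quick proto tcp from 15.13.2.3 to any port = 23 keep limit 1 group 1
EOF

lint_ruleset "$SAMPLE_RULES"
```

On the sample file the check reports the return-rst rule, the pass rule without quick, and the logging rule twice (no log limit, and no keep state or keep limit), then "rules: 5, grouped: 1". The head rule is not reported, since a group head is only a branch point and does not itself create state.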
In the following example, a connection from 15.13.104.72 must search 102 rules before finding a match.
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1
pass in quick proto tcp from 15.13.2.2 to any port = 23 keep limit 2
.
(15.13.2.3 to 15.13.2.99)
.
pass in quick proto tcp from 15.13.2.100 to any port = 23 keep limit 100
pass in quick proto tcp from 15.13.103.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.104.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.105.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.106.0/24 to any port = 23 keep limit 500
pass in log limit freq 20 quick proto tcp from any to any port = 23 keep limit 4
If the ruleset in the previous example is modified to use the group keyword, it is only necessary for the packet to search four rules before finding a match. For example:
pass in quick proto tcp from 15.13.2.1-15.13.2.100 to any port = 23 head 1
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1 group 1
pass in quick proto tcp from 15.13.2.2 to any port = 23 keep limit 2 group 1
.
(15.13.2.3 to 15.13.2.99)
.
pass in quick proto tcp from 15.13.2.100 to any port = 23 keep limit 100 group 1
pass in quick proto tcp from 15.13.103.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.104.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.105.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.106.0/24 to any port = 23 keep limit 500
pass in log limit freq 20 quick proto tcp from any to any port = 23 keep limit 4