HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3
Cumulative limits are shared by different IP addresses and it is possible that IPFilter will not log
connections from some source IP addresses. For example, the initial connections might come from
ipaddr1 and the next 10 from ipaddr2. IPFilter will not log the connections from ipaddr1, but
will log the connections from ipaddr2, because one of the connections will be the eleventh
connection.
5.9 Loading and modifying DCA rules
The following sections describe how to load and modify DCA rules when HP-UX IPFilter is running.
NOTE: HP recommends configuring a redundant rule (such as pass in all) in all DCA rule
files. IPFilter does not process packets without a rule.
To load DCA rules, use the ipf utility to read the new rules from a file:
ipf -f rules_file
To load IPv6 DCA rules, specify the -6 option:
ipf -6 -f rules_file
NOTE: When you load a ruleset, the new rules normally affect all matching packets immediately,
including packets for established connections. However, IPFilter creates state table entries for
packets matching DCA rules, and if the DCA rule is noncumulative, IPFilter continues to apply the
action in the state table for subsequent packets that match the state table entry until the state table
entry times out or is deleted.
To force a new rule to take effect immediately, follow the procedures described in Section 5.9.1
(page 38). Alternately, use the following procedure to modify an inactive rules file and switch it
with the active rules file:
1. Enter the following command to add or modify rules in an inactive rules file:
ipf [-6] -If rules_file
2. Run the following command to switch the active rules file with the inactive rules file you
modified:
ipf [-6] -s
When you modify an inactive rules file, then switch it with an active rules file, DCA processes new
connections according to the new rules file whether or not there are existing connection limit entries
in the limit table.
TIP: For performance-critical applications, HP recommends that you load rules into the inactive
list, then switch the inactive rules file with the active rules file.
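The inactive-list load and switch described above, wrapped in a small POSIX shell script. This is an added example, not part of the HP-UX IPFilter guide or the product's own tooling. It assumes the ipf utility is reachable through the IPF variable (so a stub can stand in for it on a host without IPFilter), and it refuses to load a rules file that lacks the redundant catch-all rule recommended in the NOTE above; the pattern it accepts for that rule (pass or block, in or out, optional quick, then all) is an assumption and should be adjusted to the form your site uses.

```shell
#!/bin/sh
# Added example: load a DCA rules file into the inactive list, then switch it
# with the active list (ipf -If followed by ipf -s, as this section describes).
# IPF names the ipf utility; override it (IPF=/path/to/stub) for a dry run.
IPF="${IPF:-ipf}"

# Return 0 if the rules file contains a redundant catch-all rule such as
# "pass in all" or "block in all".  The accepted forms are an assumption;
# widen or narrow the pattern to match the catch-all rule you actually use.
has_catchall_rule() {
    grep -Eq '^[[:space:]]*(pass|block)[[:space:]]+(in|out)[[:space:]]+(quick[[:space:]]+)?all[[:space:]]*$' "$1"
}

# load_dca_rules RULES_FILE [ipv6]
#   1. verify the file is readable and carries a catch-all rule
#   2. ipf [-6] -If RULES_FILE   (load into the inactive list)
#   3. ipf [-6] -s               (switch inactive and active lists)
# Distinct non-zero return codes tell the caller which step failed.
load_dca_rules() {
    rules_file="$1"
    v6flag=""
    [ "$2" = "ipv6" ] && v6flag="-6"

    [ -r "$rules_file" ] || { echo "cannot read $rules_file" >&2; return 1; }
    has_catchall_rule "$rules_file" || {
        echo "refusing to load $rules_file: no catch-all rule (e.g. pass in all)" >&2
        return 2
    }
    # $v6flag is deliberately unquoted so an empty value expands to nothing.
    "$IPF" $v6flag -If "$rules_file" || return 3
    "$IPF" $v6flag -s || return 4
    return 0
}
```

Run it as `load_dca_rules /etc/opt/ipf/dca.conf` for IPv4 rules or `load_dca_rules /etc/opt/ipf/dca6.conf ipv6` to add the -6 option; because the switch only happens after the inactive load succeeded, a syntax error reported by ipf leaves the currently active rules in place.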
5.9.1 Updating keep limit rules
The following sections describe procedures for updating keep limit rules.
5.9.1.1 Changing the current individual, subnet, or IP address range rule
You can dynamically lower the number of connections a keep limit rule allows without letting
DCA pass unwanted packets while it activates the updated rules. You can also increase the
connection limit for an IP address, subnet, or IP address range.
For example, your IPFilter system has many connections coming from a specific IP address range.
You have a keep limit rule configured for that IP address range. You want to lower the
connection limit in the rule so that DCA starts using the new limit immediately, before more packets
from the suspect IP address range can pass through.
To change the number of connections allowed by a keep limit rule:
38 Configuring and loading dynamic connection allocation (DCA) rules