HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3
5.9.4 Extracting an individual rule from a subnet rule
To extract an individual rule from a subnet rule:
Add the new rule on the line before the subnet rule. Be sure the subnet or IP address range rule is
identical to the old rule.
When a new connection matches an existing limit entry, the new connection will be processed by
the new individual rule. The subnet or IP address range can be cumulative or noncumulative.
5.10 Enabling and disabling DCA
To use DCA, you must enable DCA mode. You can enable or disable DCA mode using the ipf
utility. If you want IPFilter to automatically enable DCA mode at system startup time, you must also
modify the /etc/rc.config.d/ipfconf file.
5.10.1 Enabling and disabling DCA using ipf
A single DCA mode exists for both IPv4 and IPv6 addresses. You can use the ipf command to
enable and disable DCA mode. You can also use ipf to query the state of DCA mode, and toggle
between enabled and disabled mode.
DCA mode is disabled by default. To enable DCA, use the following command:
ipf -m e
To disable DCA, use the following command:
ipf -m d
To query the current DCA setting, use the following command:
ipf -m q
To toggle between enabled and disabled mode, use the following command:
ipf -m t
5.10.2 Configuring IPFilter to enable DCA at system startup
To configure IPFilter to automatically enable DCA at system startup:
1. Open /etc/rc.config.d/ipfconf, the IPFilter startup configuration file.
2. Choose one of the following:
• Set the DCA_START flag to 1 to enable DCA.
• Set the DCA_START flag to 0 to disable DCA. This is the default setting.
NOTE: When there are no keep limit rules and no connection allocation configured, HP
recommends that you disable DCA.
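The following added example (not part of the HP guide and not HP code) checks the DCA_START flag against a rule file and warns when they disagree, as the NOTE above advises. The function names, the text match on "keep limit", and the sample rule are assumptions or constructed for illustration. The rule file path is passed as an argument, and the check cannot see the separately configured connection allocation that the NOTE also mentions.

```shell
#!/bin/sh
# Added example (not HP code): cross-check DCA_START against the rule file.

# Effective DCA_START: last uncommented assignment wins; 0 is the documented default.
dca_start_value() {
    awk -F= '/^[ \t]*DCA_START=/ { v = $2; sub(/#.*/, "", v); gsub(/[^0-9]/, "", v) }
             END { print (v == "" ? 0 : v) }' "$1"
}

# Number of non-comment rules that contain "keep limit".
count_keep_limit_rules() {
    awk '!/^[ \t]*#/ && /keep[ \t]+limit/ { n++ } END { print n + 0 }' "$1"
}

# audit_dca RC_FILE RULES_FILE -> 0 if consistent, 1 if flag and rules disagree.
audit_dca() {
    flag=$(dca_start_value "$1")
    rules=$(count_keep_limit_rules "$2")
    if [ "$flag" = 1 ] && [ "$rules" -eq 0 ]; then
        echo "WARN: DCA_START=1 but no keep limit rules; HP recommends disabling DCA"
        return 1
    fi
    if [ "$flag" != 1 ] && [ "$rules" -gt 0 ]; then
        echo "WARN: $rules keep limit rule(s) but DCA_START=$flag; DCA is not enabled at startup"
        return 1
    fi
    echo "OK: DCA_START=$flag, keep limit rules=$rules"
}

# Constructed sample files so the check runs on any system.
demo=${TMPDIR:-/tmp}/dca_audit.$$
mkdir "$demo"
printf '# constructed sample\nDCA_START=0\n' > "$demo/ipfconf"
printf '%s\n' '# constructed sample rules' \
    'pass in proto tcp from any to any port = 25 keep limit 5' > "$demo/rules"
audit_dca "$demo/ipfconf" "$demo/rules" || true
rm -rf "$demo"
```

On a real system, call audit_dca with /etc/rc.config.d/ipfconf and the path of the rule file that IPFilter loads.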
5.11 Using IPFilter utilities with DCA
The IPFilter utilities support subcommands to collect data about the connections that are being
controlled. This data includes the source and destination IP address, allocated number of
connections, number of active connections, and number of times the allocated quota of connections
was exceeded. These subcommands are as follows:
• The ipf utility. For more information, see Section 10.1 (page 68).
◦ ipf -Q interface_name
◦ ipf -E interface_name
◦ ipf -D interface_name
◦ ipf -m option
40 Configuring and loading dynamic connection allocation (DCA) rules