HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

The ipfstat utility. For more information, see Section 9.1 (page 54).
ipfstat -L
ipfstat -vL
ipfstat -r group:rule
The ipmon utility. For more information, see Section 9.3.2 (page 62).
ipmon -r
DCA also provides logging records that can serve as alert messages or as a summary of the
connections made from a specific IP address. You can use the log records to identify IP addresses
or subnets that you want to limit or block.
5.11.1 keep limit rules and rule hits
Each time IPFilter processes a packet that matches a rule, IPFilter increments the hit count for the
matching rule, whether or not the rule is the final rule (the rule used). For example:
A packet matches a non-quick rule. If another rule match is later found on the list, IPFilter
increments the hit count for both matching rules.
A packet matches a rule that is a group head. If another matching rule is found within the
group, IPFilter increments the hit count for both matching rules.
You can display rule hit counts by using the ipfstat -ioh command. This command is useful
as a troubleshooting mechanism, along with ipfstat -sl and ipfstat -vL, which enable
connections to be examined in real time. Lastly, logging can be used to analyze the history of past
connections.
5.11.1.1 Limits and hit counts
Configuring rules with cumulative and noncumulative limits affects rule hit counts. IPFilter registers
rule hits differently for cumulative and noncumulative limits. A rule hit is usually registered only
once for noncumulative limits. This is because IPFilter creates a limit entry when the connection
matches a noncumulative keep limit rule and subsequent connections are controlled by that limit
entry.
For cumulative limits, each new connection registers a rule hit and increments the rule hit count
because cumulative limit connections require a rule walk for each new connection.
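The following Python model is an added illustration and is not HP-UX IPFilter code. It reproduces only the hit-count behaviour described in Section 5.11.1 and 5.11.1.1: every rule a packet matches is counted whether or not it is the rule finally used, a non-quick match keeps walking while a quick match stops, a matching group head is counted and the walk continues inside its group, a noncumulative keep limit registers a hit once because later connections are controlled by the limit entry, and a cumulative limit walks the rules for each new connection. The Rule and RuleSet classes and their fields are hypothetical; they are not the ipf.conf syntax, and the limit entry is keyed by source address and destination port as a simplification.

```python
"""Model of how IPFilter rule hit counts accumulate during a rule walk.

Added example, not HP-UX IPFilter source.  Only the behaviour the guide
states is modelled; everything else (rule representation, limit-entry key)
is a simplifying assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: str = "any"              # source address, or "any"
    dport: Optional[int] = None   # destination port, or None for any port
    quick: bool = False           # a quick match ends the rule walk
    head: Optional[int] = None    # this rule is the head of group N
    group: int = 0                # group the rule belongs to (0 = top level)
    limit: Optional[int] = None   # keep limit N (None = not a DCA rule)
    cumulative: bool = False      # cumulative limit (per rule) vs noncumulative (per source)
    hits: int = 0

    def matches(self, src: str, dport: int) -> bool:
        return (self.src in ("any", src)
                and (self.dport is None or self.dport == dport))


class RuleSet:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # noncumulative limit entries: (src, dport) -> [rule name, connection count]
        self.limit_entries: Dict[Tuple[str, int], List] = {}

    def walk(self, src: str, dport: int, group: int = 0) -> Optional[Rule]:
        """Walk one group's rules; every match is counted, the last match wins."""
        final = None
        for rule in self.rules:
            if rule.group != group or not rule.matches(src, dport):
                continue
            rule.hits += 1               # counted even if a later rule overrides it
            final = rule
            if rule.head is not None:    # descend into the group this rule heads
                inner = self.walk(src, dport, rule.head)
                if inner is not None:
                    final = inner
            if final.quick:
                break
        return final

    def new_connection(self, src: str, dport: int) -> str:
        """Decide a new connection; returns which mechanism decided it."""
        entry = self.limit_entries.get((src, dport))
        if entry is not None:
            # Existing noncumulative limit entry: no rule walk, so no new hit.
            entry[1] += 1
            return f"limit entry {entry[0]}"
        rule = self.walk(src, dport)
        if rule is None:
            return "no match"
        if rule.limit is not None and not rule.cumulative:
            self.limit_entries[(src, dport)] = [rule.name, 1]
        return f"rule {rule.name}"

    def hit_counts(self) -> Dict[str, int]:
        """What a hit-count display such as ipfstat -ioh would summarise."""
        return {r.name: r.hits for r in self.rules}


def demo() -> Dict[str, int]:
    """Five constructed connections through a constructed rule set."""
    rules = [
        Rule("log-all"),                                    # non-quick, matches everything
        Rule("web-head", dport=80, head=10),                # head of group 10 for port 80
        Rule("web-lan", src="10.0.0.5", dport=80, group=10, quick=True),
        Rule("web-limit", dport=80, group=10, quick=True, limit=50),         # noncumulative
        Rule("ssh-limit", dport=22, quick=True, limit=50, cumulative=True),  # cumulative
    ]
    rs = RuleSet(rules)
    for src, dport in [("10.0.0.5", 80), ("203.0.113.9", 80), ("203.0.113.9", 80),
                       ("203.0.113.9", 22), ("203.0.113.9", 22)]:
        rs.new_connection(src, dport)
    return rs.hit_counts()


if __name__ == "__main__":
    print(demo())
```

In the demo, five connections produce four hits on the non-quick log-all rule (the third connection is handled by the noncumulative limit entry and never walks the rules), two hits on the group head, one hit on web-limit for two port-80 connections from the same source, and two hits on the cumulative ssh-limit rule for two connections. This is why a hit count can exceed the number of packets that a rule finally decided, and why a noncumulative DCA rule can show far fewer hits than the connections it controls.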
5.12 Monitoring and allocating memory for DCA data
IPFilter allocates entries in the state table for TCP connections that use a DCA rule. In addition,
IPFilter keeps a limit table that counts the state table entries for a DCA rule. The amount of memory
allocated for the state table is determined by the kernel tunable parameter fr_statemax. In most
deployments, the default value is sufficient, but if you set this value too low and IPFilter is unable
to create a state table entry for a TCP connection that uses a DCA rule, IPFilter will allow packets
for the connection to pass, even if the connection would exceed the limit in the DCA rule.
The maximum counter displayed by the ipfstat -s command reports the number of times IPFilter
attempted to create a state table entry but could not because the state table already contained the
maximum number of entries.
In addition, the number of state table entries needed for TCP connections is affected by the kernel
tunable parameter fr_tcpidletimeout. For information about modifying these parameters,
see Section C.3 (page 113) and Section C.2 (page 112).
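The following Python model is an added illustration, not HP-UX IPFilter code, of the interaction Section 5.12 describes between fr_statemax and a DCA keep limit rule: a TCP connection that matches the DCA rule needs a state table entry, the limit table counts those entries, and when the state table already holds fr_statemax entries the entry cannot be created, the maximum counter shown by ipfstat -s is incremented, and the connection is allowed through even though it would have exceeded the limit. The DcaFirewall class, the run function and the sample addresses are constructed for this example; the order in which capacity and limit are checked is an assumption chosen to match the behaviour the guide states.

```python
"""Model of fr_statemax exhaustion defeating a DCA keep limit.

Added example, not HP-UX IPFilter source.  It models a single DCA rule with
a keep limit and a state table of fixed capacity, which is all the guide's
description requires.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class DcaFirewall:
    fr_statemax: int                  # kernel tunable: state table capacity
    connection_limit: int             # keep limit N on the one DCA rule
    state_table: Set[Tuple[str, int]] = field(default_factory=set)  # (src, sport)
    limit_count: int = 0              # limit table entry: state entries for the DCA rule
    maximum: int = 0                  # the "maximum" counter reported by ipfstat -s

    def new_tcp_connection(self, src: str, sport: int) -> str:
        """Return 'pass', 'block' or 'pass-unenforced' for a connection matching the DCA rule."""
        if len(self.state_table) >= self.fr_statemax:
            # No state entry can be created: the connection is not counted against
            # the limit and IPFilter lets it pass, as the guide describes.
            self.maximum += 1
            return "pass-unenforced"
        if self.limit_count >= self.connection_limit:
            return "block"            # limit reached; no state entry is created
        self.state_table.add((src, sport))
        self.limit_count += 1
        return "pass"


def run(fr_statemax: int, limit: int, other_entries: int, attempts: int) -> Dict[str, int]:
    """Drive `attempts` DCA connections from one constructed source through the model.

    `other_entries` constructed state entries stand in for ordinary keep state
    connections that already occupy part of the state table.
    """
    fw = DcaFirewall(fr_statemax=fr_statemax, connection_limit=limit)
    for i in range(other_entries):
        fw.state_table.add(("192.0.2.1", 40000 + i))
    results = [fw.new_tcp_connection("203.0.113.7", 50000 + i) for i in range(attempts)]
    return {
        "pass": results.count("pass"),
        "block": results.count("block"),
        "pass-unenforced": results.count("pass-unenforced"),
        "maximum": fw.maximum,
    }


if __name__ == "__main__":
    # Too small a state table: the limit of 3 is never enforced once the table fills.
    print("fr_statemax=4 ", run(fr_statemax=4, limit=3, other_entries=2, attempts=5))
    # Adequately sized: 3 connections pass, the rest are blocked, maximum stays 0.
    print("fr_statemax=10", run(fr_statemax=10, limit=3, other_entries=2, attempts=5))
```

With fr_statemax=4 and two unrelated state entries already present, only two of the five connections are counted against the limit; the remaining three pass unenforced and the maximum counter rises to 3. With fr_statemax=10 the limit holds and maximum stays at 0. A non-zero and growing maximum counter in ipfstat -s output is therefore the signal that DCA limits may not be taking effect and that fr_statemax (Section C.3) or fr_tcpidletimeout (Section C.2) need review.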