HP-UX IPFilter V18.10 Release Notes for HP-UX 11i v3
5 Issues and solutions
• Using the pps option with keep state
The rate-based filtering option pps is applied only to the first packet of a flow, that is, the
packet for which a state entry gets created. Once the state entry is in the state table,
rate-based filtering no longer applies to that flow.
For example:
pass in quick proto tcp from any to 10.2.2.2/32 port = 80 flags S keep state pps 10
In the above example, rate-based filtering is applied to the incoming connection (SYN packet)
only. That is, not more than 10 TCP connections to 10.2.2.2 on port 80 are accepted per
second. After the state table entries are created by the SYN packets of those connections,
the subsequent packets are not rate-based filtered.
• Correction to HP-UX IPFilter V18.0 Administrator Guide
Section 3.5.6 of the HP-UX IPFilter V18.0 Administrator Guide states that you can use keep
state to block the first packet in a TCP, UDP, or ICMP session. This is incorrect. A block
rule with keep state does not create any state table entry, because doing so could exhaust the
state table entries.
• The startup script for HP-UX IPFilter automatically disables the
ip_forward_directed_broadcasts parameter. This keeps the system from being
subjected to broadcast-storm attacks that can bring down a network.
• If rules are loaded from stdin and the input is terminated by entering Ctrl-c at the end, rule
numbers are not assigned properly to the individual rules. Sample output:
# ipf -f-
pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
Ctrl-c
# ipfstat -iohn
empty list for ipfilter(out)
0 @0:0 pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
0 @0:0 pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
To load the rules properly, enter the end-of-file control character (Ctrl-d) at the end of the
rules. Sample output:
# ipf -f-
pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
Ctrl-d
# ipfstat -iohn
empty list for ipfilter(out)
0 @0:1 pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
0 @0:2 pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
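As an added check that is not part of the release notes: a small Python parser for ipfstat -iohn output that flags rules left at @0:0 (the symptom of the Ctrl-c problem above) and duplicate group:rule numbers, so an operator can confirm that rules fed on stdin were numbered correctly. The two sample outputs are copied from the listings above; the line format assumed is "<hits> @<group>:<rule> <rule text>".

```python
import re
from typing import List, Tuple

# Sample 1 (from the release note): rules fed on stdin and terminated with
# Ctrl-c, so no rule number was ever assigned and every rule shows @0:0.
BAD_OUTPUT = """\
empty list for ipfilter(out)
0 @0:0 pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
0 @0:0 pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
"""

# Sample 2 (from the release note): same rules terminated with Ctrl-d (EOF),
# numbered 1 and 2 as expected.
GOOD_OUTPUT = """\
empty list for ipfilter(out)
0 @0:1 pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
0 @0:2 pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
"""

# Assumed line layout of "ipfstat -hn": hit count, @group:rule, rule text.
RULE_RE = re.compile(r"^\s*(\d+)\s+@(\d+):(\d+)\s+(.*\S)\s*$")


def parse_rules(output: str) -> List[Tuple[int, int, int, str]]:
    """Return (hits, group, rule_number, rule_text) for each rule line;
    informational lines such as 'empty list for ipfilter(out)' are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            hits, group, num, text = m.groups()
            rules.append((int(hits), int(group), int(num), text))
    return rules


def unnumbered_rules(output: str) -> List[str]:
    """Rule texts whose rule number is 0, i.e. never assigned by ipf."""
    return [text for _, _, num, text in parse_rules(output) if num == 0]


def has_duplicate_numbers(output: str) -> bool:
    """True if two loaded rules share the same group:rule number."""
    seen = set()
    for _, group, num, _ in parse_rules(output):
        if (group, num) in seen:
            return True
        seen.add((group, num))
    return False
```

Running unnumbered_rules over the output of a freshly loaded ruleset and treating a non-empty result as a failed load makes the silent misnumbering visible.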
• l4check rules
◦ l4check adds or deletes rules with only one IP address. RDR rules with only one IP
address are ignored.
◦ l4check does not have the option to add rules with the sticky keyword.
• Excluding nodes in ippool using "!" does not work for hash type pools.
# cat ippool.conf
table role = ipf type = hash number = 10
{192.168.1.1/24; ! 192.168.1.88/32;};