HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

cumulative rules) basis. The current value of the "connection exceeded counter" can be displayed with the ipfstat -Lv command.
Example 1:
pass return-rst in log limit quick proto tcp from host1-hostn to Server port = 23 keep limit 10
For the above rule, if 12 concurrent Telnet connections are made from <host1> to <Server>, the 11th and 12th connections are blocked. If 13 concurrent Telnet connections are made from <host2> to <Server>, the 11th, 12th, and 13th connections are blocked. The output of the ipfstat -Lv command will be:
$ ipfstat -Lv
Type Rule Src IP Src Port Dest IP Dest Port Limit Current
S @0:1 host1 * Server 23 10 10(2)
S @0:1 host2 * Server 23 10 10(3)
Here, the counters (2) and (3) indicate the "connection exceeded counter".
Example 2:
pass return-rst in log limit quick proto tcp from host1-hostn to Server port = 23 keep limit 10 cumulative
For the above rule, if 14 concurrent Telnet connections are made from any system in the <host1-hostn> range to <Server>, the 11th to 14th connections are blocked and the output of the ipfstat -Lv command will be:
$ ipfstat -Lv
Type Rule Src IP Src Port Dest IP Dest Port Limit Current
C @0:1 host1-hostn * Server 23 10 10(4)
Here, the counter (4) indicates the "connection exceeded counter".
The "connection exceeded counter" is used to generate logs related to "keep limit" rules.
The log limit option generates two types of log records:
Alert log
Summary log
Alert log
Alert Log records are created when a source IP address attempts to exceed the configured connection
limit.
Example 1:
pass return-rst in log limit quick proto tcp from host1-hostn to Server port = 23 keep limit 10
For the above rule, if 12 concurrent Telnet connections are made from <host1> to <Server>, the 11th and 12th connections are blocked.
A log is generated on the 11th connection, that is, an alert log is generated when the "connection exceeded counter" changes from zero to one.
Example 2:
pass return-rst in log limit freq 3 quick proto tcp from host1-hostn to Server port = 23 keep limit 10
For the above rule, if 17 concurrent Telnet connections are made from <host1> to <Server>, the 11th to 17th connections are blocked.
A log is generated on the 11th, 13th, and 16th connections, that is, the first alert log (the 11th attempt) is always generated when the "connection exceeded counter" changes from zero to one. Later, alert logs are generated whenever the "connection exceeded counter" is a multiple of the frequency specified in the rule. In this case it will be at the 10+3, 10+6, 10+9, and so on connection attempts (that is, when the "connection exceeded counter" reaches 3, 6, 9, and so on).
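The limit, the cumulative option and the alert-log frequency described in these examples can be modelled as a small simulation. The following Python is an added illustration, not IPFilter's own code; the entry key for cumulative rules, the connect/close/status names and the convention that freq 0 means a plain "log limit" rule are assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class LimitEntry:
    """One ipfstat -Lv row: active connections plus the 'connection exceeded counter'."""
    current: int = 0    # connections currently held open through this entry
    exceeded: int = 0   # attempts refused since the counter was last zero

@dataclass
class KeepLimitRule:
    limit: int                   # keep limit N
    freq: int = 0                # log limit freq N; 0 models a plain 'log limit' (assumption)
    cumulative: bool = False     # one shared entry for the range vs. one per source IP
    entries: dict = field(default_factory=dict)

    def _entry(self, src: str) -> LimitEntry:
        key = "host1-hostn" if self.cumulative else src   # range label is hypothetical
        return self.entries.setdefault(key, LimitEntry())

    def connect(self, src: str):
        """Handle one new connection attempt; return (allowed, alert_logged)."""
        e = self._entry(src)
        if e.current < self.limit:
            e.current += 1
            return True, False
        e.exceeded += 1
        # The first refusal (counter 0 -> 1) always logs; with 'freq N' further
        # alerts fire each time the counter reaches a multiple of N.
        alert = e.exceeded == 1 or (self.freq and e.exceeded % self.freq == 0)
        return False, bool(alert)

    def close(self, src: str) -> None:
        """Close one connection; a non-cumulative entry resets its counter once empty."""
        e = self._entry(src)
        e.current = max(0, e.current - 1)
        if e.current == 0 and not self.cumulative:
            e.exceeded = 0   # reset the guide describes for non-cumulative rules only

    def status(self, src: str) -> str:
        e = self._entry(src)
        return f"{e.current}({e.exceeded})"   # 'Current' column of ipfstat -Lv, e.g. '10(2)'

def simulate(rule: KeepLimitRule, attempts):
    """Feed numbered attempts (1-based); return blocked attempt numbers and those that logged."""
    blocked, alerts = [], []
    for n, src in enumerate(attempts, start=1):
        allowed, alert = rule.connect(src)
        if not allowed: blocked.append(n)
        if alert: alerts.append(n)
    return blocked, alerts
```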
For non-cumulative rules, the "connection exceeded counter" is reset to zero when all the connections related to a keep limit entry are closed, that is, for the above two examples, when all the Telnet connections from <host1> to <Server> are closed, the "connection exceeded counter" is
Logging exceeded connections: log limit and log limit freq 37