HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
reset to zero. The "connection exceeded counter" can increase once again when a new set of
11 or more Telnet connections is made from any individual host.
You can also reset the "connection exceeded counter" to zero using the ipmon -r command.
Example 3:
pass return-rst in log limit quick proto tcp from host1-hostn to Server port = 23 keep limit 10 cumulative
For the above rule, if 14 concurrent Telnet connections are done from any system in the <host1-hostn> range to <Server>,
the 11th to 14th connections are blocked. A log is generated on the 11th connection, that is, an alert log is generated
when the "connection exceeded counter" changes from zero to one.
Example 4:
pass return-rst in log limit freq 3 quick proto tcp from host1-hostn to Server port = 23 keep limit 10 cumulative
For the above rule, if 17 concurrent Telnet connections are done from the <host1-hostn> range to <Server>, the 11th to
17th connections are blocked.
A log is generated on the 11th, 13th, and 16th connection, that is, the first-time alert log (11th attempt) is always
generated when the "connection exceeded counter" changes from zero to one. Later, alert logs are generated when the
"connection exceeded counter" is a multiple of the frequency specified in the rule. In this case it will be at the (10+3)th,
(10+6)th, (10+9)th, and so on connection attempts (or when the "connection exceeded counter" reaches 3, 6, 9, and so on).
For cumulative rules, the "connection exceeded counter" is not reset to zero when all the connections
related to a keep limit entry are closed. In Example 4, since 17 concurrent Telnet connections are
made and the limit is 10, the value of the "connection exceeded counter" will be 7. Now, if all the
Telnet connections from the <host1-hostn> range to <Server> are closed and again 11 new connections
are made from the <host1-hostn> range to <Server>, then the "connection exceeded counter" will not be
1. It will be 8. A new alert log is not generated at this time.
You can reset the "connection exceeded counter" to zero using the ipmon -r command.
Cumulative limits are shared by different IP addresses and it is possible that IPFilter will not log
connections from some source IP addresses. For example, the initial connections might come from
ipaddr1 and the next 10 from ipaddr2. IPFilter will not log the connections from ipaddr1, but
will log the connections from ipaddr2, because one of the connections might be the eleventh
connection.
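The accounting behind Examples 3 and 4, the cumulative reset case, and the shared-limit note above can be replayed with the following model. This is an added illustration written for this page, not IPFilter code: it assumes that a keep limit entry counts concurrently open connections, that each blocked attempt increments the "connection exceeded counter", that an alert is logged when the counter goes from zero to one and (with freq F) whenever it is a multiple of F, that a rule without freq, as in Example 3, only logs the first-time alert, and that non-cumulative entries reset the counter (writing a summary record) when all their connections close. Host names such as host1 and ipaddr1 are the guide's placeholders, not real addresses.

```python
"""Model of IPFilter DCA 'keep limit' accounting as the guide describes it.

Added illustration, not IPFilter code. Assumptions (see lead-in): a 'keep
limit N' entry admits N concurrent connections and blocks the rest; every
blocked attempt bumps the "connection exceeded counter"; an alert is logged
when the counter goes 0 -> 1 and, with 'freq F', whenever it is a multiple
of F; a rule with no 'freq' only logs the first-time alert; non-cumulative
entries reset the counter when all connections close, cumulative ones keep
it until 'ipmon -r'.
"""


class KeepLimitEntry:
    def __init__(self, limit, freq=None, cumulative=False):
        self.limit = limit
        self.freq = freq
        self.cumulative = cumulative
        self.current = 0        # connections currently open on this entry
        self.exceeded = 0       # the "connection exceeded counter"
        self.attempt = 0        # running count of connection attempts
        self.alerts = []        # (attempt number, source) of each alert log
        self.summaries = 0      # number of summary log records written

    def connect(self, src):
        """Admit or block one attempt from src; return True if admitted."""
        self.attempt += 1
        if self.current < self.limit:
            self.current += 1
            return True
        self.exceeded += 1
        first_time = self.exceeded == 1
        periodic = self.freq is not None and self.exceeded % self.freq == 0
        if first_time or periodic:
            self.alerts.append((self.attempt, src))
        return False            # blocked; 'return-rst' would answer with a RST

    def _reset_counter(self):
        # A summary record is written only if the counter had increased.
        if self.exceeded > 0:
            self.summaries += 1
        self.exceeded = 0

    def close_all(self):
        """All connections on the entry close."""
        self.current = 0
        if not self.cumulative:
            self._reset_counter()

    def ipmon_reset(self):
        """Equivalent of 'ipmon -r' for this single entry."""
        self._reset_counter()


def simulate(limit, bursts, freq=None, cumulative=False):
    """Replay bursts of (src, count) attempts, closing everything between bursts.

    Returns the blocked attempt numbers, the alert log list, the final value
    of the counter and how many summary records were written.
    """
    entry = KeepLimitEntry(limit, freq, cumulative)
    blocked = []
    for i, burst in enumerate(bursts):
        if i > 0:
            entry.close_all()
        for src, count in burst:
            for _ in range(count):
                if not entry.connect(src):
                    blocked.append(entry.attempt)
    return {
        "blocked": blocked,
        "alerts": entry.alerts,
        "exceeded": entry.exceeded,
        "summaries": entry.summaries,
    }


if __name__ == "__main__":
    # Example 3: 14 concurrent connections, limit 10, no freq -> one alert at 11.
    print(simulate(10, [[("host1", 14)]]))
    # Example 4: 17 connections, limit 10, freq 3 -> alerts at 11, 13, 16.
    print(simulate(10, [[("host1", 17)]], freq=3))
    # Cumulative: after Example 4, close all, open 11 more -> counter 8, no alert.
    print(simulate(10, [[("host1", 17)], [("host1", 11)]], freq=3, cumulative=True))
    # Shared cumulative limit: ipaddr1 opens first, ipaddr2 makes the 11th attempt.
    print(simulate(10, [[("ipaddr1", 5), ("ipaddr2", 10)]], cumulative=True))
```

Running the non-cumulative variant of the two-burst case (drop `cumulative=True`) shows the difference the text describes: the counter is reset by the close, a summary record is written, and the 11th connection of the second burst produces a fresh first-time alert.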
The format of an alert log record is:
date_time_stamp interface_name source_ip,source_port -> destination_IP,destination_port protocol TCP_flags keep_limit limit_type configured_limit current_#_of_connections #_times_limit_exceeded log_freq packet_direction
Summary log
Summary log records are created when “connection exceeded counter” has increased and is reset
back to zero.
This happens in two cases:
• For both cumulative and non-cumulative rules, when the ipmon –r command is invoked.
• For a non-cumulative rule, the “connection exceeded counter” is reset when all the connections
for that keep limit entry are closed.
The following is an example of a non-cumulative summary log record:
17/03/2014 11:49:13.603598 LIMIT LOG 192.13.15.97,* -> 192.13.15.98 23 PR tcp Type 6 Configured 1 Current 0 Exceeded 1 @0:1 First Time 11:48:05.083598
The example summary log record is related to the following IP address range non-cumulative rule:
pass return-rst in log limit freq 1 quick proto tcp from 192.13.15.1-192.13.15.255 to any port = 23 keep limit 1
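Summary records like the one above are what an operator would feed into monitoring to see which sources keep hitting a DCA limit. The parser below is an added example, not part of IPFilter or the guide: its regular expression is fitted to the spacing of the sample record, and the field names it assigns (for instance that "Configured" is the configured limit and "Exceeded" the number of times it was exceeded) are this example's reading of the sample, not a format definition from the product. The first sample line is the record from the guide; the other two are constructed.

```python
"""Parser and per-source aggregation for IPFilter DCA summary log records.

Added example, not IPFilter code. SUMMARY_RE is fitted to the sample record
shown in the guide; the group names are this example's interpretation of
the fields.
"""
import re

SUMMARY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) LIMIT LOG "
    r"(?P<src>[\d.]+),(?P<sport>\*|\d+) -> (?P<dst>[\d.]+) (?P<dport>\d+) "
    r"PR (?P<proto>\w+) Type (?P<ltype>\d+) Configured (?P<configured>\d+) "
    r"Current (?P<current>\d+) Exceeded (?P<exceeded>\d+) @(?P<rule>\d+:\d+) "
    r"First Time (?P<first_time>\d{2}:\d{2}:\d{2}\.\d+)$"
)

INT_FIELDS = ("dport", "ltype", "configured", "current", "exceeded")


def parse_summary(line):
    """Return the record as a dict, or None if the line is not a summary record."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # '*' means the record is not tied to one source port.
    rec["sport"] = None if rec["sport"] == "*" else int(rec["sport"])
    return rec


def exceeded_by_source(lines, threshold=1):
    """Sum the 'Exceeded' count per source address across all summary records.

    Only sources whose total reaches threshold are returned, which is the
    view an operator wants when deciding which hosts to look at.
    """
    totals = {}
    for line in lines:
        rec = parse_summary(line)
        if rec is None:
            continue            # ipmon writes other record kinds too; skip them
        totals[rec["src"]] = totals.get(rec["src"], 0) + rec["exceeded"]
    return {src: n for src, n in totals.items() if n >= threshold}


# First line: the record from the guide. Remaining lines: constructed samples.
SAMPLE_LINES = [
    "17/03/2014 11:49:13.603598 LIMIT LOG 192.13.15.97,* -> 192.13.15.98 23 PR tcp "
    "Type 6 Configured 1 Current 0 Exceeded 1 @0:1 First Time 11:48:05.083598",
    "17/03/2014 11:52:40.100000 LIMIT LOG 192.13.15.97,* -> 192.13.15.98 23 PR tcp "
    "Type 6 Configured 1 Current 0 Exceeded 4 @0:1 First Time 11:51:02.000000",
    "17/03/2014 11:53:00.000000 not a limit record",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_summary(line))
    print(exceeded_by_source(SAMPLE_LINES, threshold=2))
```

Because a non-cumulative entry writes a summary record every time its counter is reset, summing "Exceeded" over all records for a source gives the total number of blocked attempts from it, which a single record cannot show.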
38 Configuring and loading dynamic connection allocation (DCA) rules