HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
In the example summary log, 192.13.15.97 is the source IP, 192.13.15.98 is the destination
IP, and 23 is the port. Type 6 indicates that the limit rule is a non-cumulative rule applied on a subnet.
(Type 2 and Type 8 can also appear in the logs; they indicate a non-cumulative limit rule applied
to an individual IP address or to "any".) Configured 1 indicates that the configured rule limit is
1. Current shows zero because all connections from the source had already been closed when the
summary log was generated. Exceeded 1 indicates that one connection tried to exceed the configured
limit.
The time field appearing after the "First Time" field in the summary log is the time when the
"connection exceeded counter" was originally set from zero to one. The time, along with the
"connection exceeded counter", is reset to zero when the summary log is printed. If the
"connection exceeded counter" is then increased from zero to one again, the time is set again.
The following is an example of a cumulative summary log (generated after issuing the ipmon -r
command):
17/03/2014 11:50:33.713598 LIMIT LOG 192.13.15.1-192.13.15.255,* -> 0.0.0.0,23 PR tcp Type 4 Configured 1
Current 1 Exceeded 1 @0:1 First Time 11:50:25.373598
The example summary log record is related to the following IP address range cumulative rule:
pass return-rst in log limit freq 1 quick proto tcp from
192.13.15.1-192.13.15.255 to any port = 23 keep limit 1 cumulative
In the example summary log, the source IP address displayed is actually the IP address range
specified in the rule. Wildcard IP addresses are shown as 0.0.0.0. The destination port information
is also printed from the rule. "Type 4" indicates a cumulative rule. The other fields are similar to
a non-cumulative summary record.
For more information, see the "ipmon and DCA logging" section (page 70).
The format of a summary log record is:
Date and time stamp, Source IP, Source port, Destination IP,
Destination port, Protocol, TCP flags, keep limit, Limit type,
Configured limit, Current # of connections, # of times the limit was
exceeded, Rule #, Time the limit entry was created
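The two summary records discussed above, and the field layout just listed, can be consumed by a monitoring script. The following parser is an added example and is not part of the HP-UX IPFilter product or this guide; it assumes the single-line layout shown in the cumulative example above and classifies the Type field as the page describes (Type 2 and 8 are left as one class because the page does not say which is which). The sample lines are constructed for the example.

```python
import re

# Regex for the ipmon summary ("LIMIT LOG") record layout described on this page.
_LIMIT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) LIMIT LOG "
    r"(?P<src>\S+),(?P<sport>\S+) -> (?P<dst>\S+),(?P<dport>\S+) PR (?P<proto>\S+) "
    r"Type (?P<ltype>\d+) Configured (?P<configured>\d+) Current (?P<current>\d+) "
    r"Exceeded (?P<exceeded>\d+) @(?P<group>\d+):(?P<rule>\d+) First Time (?P<first>\S+)$"
)

# Limit types as described on this page; Type 2 and 8 are both non-cumulative
# (individual IP address or "any") and the page does not say which is which.
LIMIT_TYPES = {
    2: "non-cumulative (individual IP or any)",
    4: "cumulative",
    6: "non-cumulative (subnet)",
    8: "non-cumulative (individual IP or any)",
}


def parse_limit_log(line):
    """Parse one LIMIT LOG summary record; return None for any other ipmon line."""
    m = _LIMIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ltype", "configured", "current", "exceeded", "group", "rule"):
        rec[key] = int(rec[key])
    rec["limit_kind"] = LIMIT_TYPES.get(rec["ltype"], "unknown")
    # "a-b" as the source means the record comes from an IP address range (cumulative) rule.
    rec["src_is_range"] = "-" in rec["src"]
    # A wildcard ("any") address is printed as 0.0.0.0 in summary records.
    rec["dst_is_wildcard"] = rec["dst"] == "0.0.0.0"
    return rec


def records_over_limit(text):
    """Return the parsed records in which at least one connection exceeded the limit."""
    recs = (parse_limit_log(line) for line in text.splitlines())
    return [r for r in recs if r and r["exceeded"] > 0]


# Constructed sample input: the cumulative record quoted on this page, a Type 6
# (non-cumulative, subnet) record written in the same layout for the 192.13.15.97
# example, and one ordinary ipmon packet line that the parser must skip.
SAMPLE_LOG = """\
17/03/2014 11:48:02.123456 LIMIT LOG 192.13.15.97,* -> 192.13.15.98,23 PR tcp Type 6 Configured 1 Current 0 Exceeded 1 @0:1 First Time 11:47:55.001234
17/03/2014 11:50:33.713598 LIMIT LOG 192.13.15.1-192.13.15.255,* -> 0.0.0.0,23 PR tcp Type 4 Configured 1 Current 1 Exceeded 1 @0:1 First Time 11:50:25.373598
17/03/2014 11:51:00.000000 lan0 @0:2 b 10.0.0.5,4444 -> 192.13.15.98,22 PR tcp len 20 60 -S IN
"""
```

Records wrapped across two lines by ipmon, as in the printed example above, must be joined before parsing.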
Loading and modifying DCA rules
The following sections describe how to load and modify DCA rules when HP-UX IPFilter is running.
NOTE: HP recommends configuring a redundant rule (such as pass in all) in all DCA rule
files. IPFilter does not process packets without a rule.
To load DCA rules, use the ipf utility to read the new rules from a file:
ipf -f rules_file
To load IPv6 DCA rules, specify the -6 option:
ipf -6 -f rules_file
NOTE: When you load a ruleset, the new rules normally affect all matching packets immediately,
including packets for established connections. However, IPFilter creates state table entries for
packets matching DCA rules, and if the DCA rule is non-cumulative, IPFilter continues to apply the
action in the state table entry to subsequent packets that match that entry until the state table
entry times out or is deleted.
To force a new rule to take effect immediately, follow the procedures described in Section
(page 40). Alternatively, use the following procedure to modify an inactive rules file and switch it
with the active rules file:
Loading and modifying DCA rules 39