HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
1. Enter the following command to add or modify rules in an inactive rules file:
ipf [-6] -If rules_file
2. Run the following command to switch the active rules file with the inactive rules file you modified:
ipf [-6] -s
When you modify an inactive rules file, then switch it with an active rules file, DCA processes new
connections according to the new rules file whether or not there are existing connection limit entries
in the limit table.
TIP: For performance-critical applications, HP recommends that you load rules into the inactive
list, then switch the inactive rules file with the active rules file.
Updating keep limit rules
The following sections describe procedures for updating keep limit rules.
Changing the current individual, subnet, or IP address range rule
You can dynamically lower the number of connections a keep limit rule allows without letting
DCA pass unwanted packets while it activates the updated rules. You can also increase the
connection limit for an IP address, subnet, or IP address range.
For example, your IPFilter system has many connections coming from a specific IP address range.
You have a keep limit rule configured for that IP address range. You want to lower the
connection limit in the rule so that DCA starts using the new limit immediately, before more packets
from the suspect IP address range can pass through.
To change the number of connections allowed by a keep limit rule:
Create a new rule identical to the current rule except for a different keep limit count.
When adding a new rule, IPFilter recognizes it as the update of an existing rule. Current limit
entries made by the old rule are updated with the new connection limit when a new connection is
processed. New connections are processed with the new rule.
For example, the original rule is:
pass in quick proto tcp from 14.13.45.0-14.13.45.255 to any keep limit 10 cumulative
To decrease the limit to 5, add the following new rule:
pass in quick proto tcp from 14.13.45.0-14.13.45.255 to any keep limit 5 cumulative
DCA detects a similar rule in the ruleset, but the limit count has changed. DCA updates the limit
count in the original rule and waits until the current number of connections drops to five. During
this period, DCA does not allow any new connections, but it does not terminate any existing
connections. When the number of active connections drops to five, DCA allows five or fewer
connections from the specified IP address range. If you increase the connection limit for a specified
IP address from 15 to 20, DCA detects the change and allows up to 20 connections from the
specified IP address.
If you increase the connection limit in a keep limit rule, DCA immediately updates the limit
count and controls connections based on the new higher connection limit.
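The following Python model makes the update behaviour described above concrete. It is an added example, not text or code from the HP guide and not HP-UX IPFilter's implementation: the parser, the LimitRule/LimitEntry classes and the two scenario functions are constructed for this page and only recognise the rule shape quoted above. The rules themselves are the 10-to-5 example from the text plus a single-address 15-to-20 case built to mirror the increase case.

```python
import re
from dataclasses import dataclass

# Constructed for this example: recognises only the rule shape used on this page.
RULE_RE = re.compile(
    r"^(?P<body>pass\s+in\s+quick\s+proto\s+\w+\s+from\s+\S+\s+to\s+\S+)"
    r"\s+keep\s+limit\s+(?P<limit>\d+)(?P<cumulative>\s+cumulative)?\s*$"
)


@dataclass
class LimitRule:
    body: str          # rule text before "keep limit"; identifies the rule
    limit: int         # connection limit count
    cumulative: bool   # whether the limit applies to the range as a whole


def parse_rule(text: str) -> LimitRule:
    """Parse one keep limit rule line (hypothetical helper, not ipf's parser)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    return LimitRule(
        body=" ".join(m.group("body").split()),
        limit=int(m.group("limit")),
        cumulative=m.group("cumulative") is not None,
    )


def is_limit_update(old: LimitRule, new: LimitRule) -> bool:
    """True when 'new' is the same rule as 'old' except for the limit count."""
    return (old.body == new.body
            and old.cumulative == new.cumulative
            and old.limit != new.limit)


@dataclass
class LimitEntry:
    """One limit-table entry: current limit and active connection count."""
    limit: int
    active: int = 0

    def admit(self) -> bool:
        """Admit a new connection only while active < limit."""
        if self.active >= self.limit:
            return False
        self.active += 1
        return True

    def close(self) -> None:
        """An existing connection ended; a limit change never terminates one."""
        if self.active > 0:
            self.active -= 1

    def apply(self, new: LimitRule) -> None:
        """Update the limit count in place; existing connections are untouched."""
        self.limit = new.limit


OLD_RULE = "pass in quick proto tcp from 14.13.45.0-14.13.45.255 to any keep limit 10 cumulative"
NEW_RULE = "pass in quick proto tcp from 14.13.45.0-14.13.45.255 to any keep limit 5 cumulative"


def lower_limit_scenario() -> dict:
    """Lower the limit 10 -> 5 while 8 connections are active."""
    old, new = parse_rule(OLD_RULE), parse_rule(NEW_RULE)
    entry = LimitEntry(limit=old.limit)
    for _ in range(8):
        entry.admit()
    entry.apply(new)
    result = {"is_update": is_limit_update(old, new)}
    result["refused_while_above_limit"] = not entry.admit()   # 8 active, limit 5
    result["existing_kept"] = entry.active                     # still 8
    for _ in range(3):
        entry.close()                                          # drops to 5
    result["refused_at_limit"] = not entry.admit()             # 5 active, limit 5
    entry.close()                                              # drops to 4
    result["admitted_below_limit"] = entry.admit()             # back to 5
    result["final_active"] = entry.active
    return result


def raise_limit_scenario() -> dict:
    """Raise the limit 15 -> 20 while the old limit is fully used."""
    old = parse_rule("pass in quick proto tcp from 14.13.45.7 to any keep limit 15")
    new = parse_rule("pass in quick proto tcp from 14.13.45.7 to any keep limit 20")
    entry = LimitEntry(limit=old.limit)
    while entry.admit():
        pass                                                   # fill to 15
    entry.apply(new)
    return {"is_update": is_limit_update(old, new),
            "admitted_immediately": entry.admit(),             # 16th connection
            "active": entry.active}


if __name__ == "__main__":
    print(lower_limit_scenario())
    print(raise_limit_scenario())
```

The lowering scenario shows the two properties the text relies on: no new connection is admitted while the active count is above or at the new limit, and the existing connections above the limit are left alone until they close on their own. The raising scenario shows the new ceiling taking effect on the very next connection attempt.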
Updating a subnet or IP address range rule
To update a subnet or IP address range keep limit rule:
Add the same rule, changing only the keep limit value. Be sure the subnet or IP address range
is identical to the old rule.
40 Configuring and loading dynamic connection allocation (DCA) rules