HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
IPFilter recognizes the new rule as an update to an existing rule. IPFilter uses the new connection
limit instead of the old connection limit. Limit entries made by the old rule are updated when a
new connection is processed. New connections are processed with the new rule.
Adding new keep limit rules
The following procedures describe how to dynamically add new rules to active rules files.
Adding a new individual keep limit rule
1. Add the new rule on the line before the old rule that the new rule is to replace.
2. Delete the old rule.
Adding a new subnet or IP address range rule
1. Add the new rule on the line before the old rule that the new rule is to replace.
2. Delete the old rule.
Limit entries made by the old rule are updated when a new connection is processed. New
connections are processed with the new rule.
To add a more specific subnet or IP address range rule, see the following section, Section
(page 41).
Integrating keep limit rules
The following procedure describes how to add a specific subnet or IP address range rule before
an existing general subnet or IP address range rule.
Add the new subnet or IP address range rule. Be sure to re-enter the old subnet or IP address range
rule exactly as it was entered before.
When a new connection matches an existing limit entry, the new connection will be processed by
the new subnet or IP address range rule. The subnet or IP address range can be cumulative or
noncumulative.
Extracting an individual rule from a subnet rule
To extract an individual rule from a subnet rule:
Add the new rule on the line before the subnet rule. Be sure the subnet or IP address range rule is
identical to the old rule.
When a new connection matches an existing limit entry, the new connection will be processed by
the new individual rule. The subnet or IP address range can be cumulative or noncumulative.
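The two procedures above (Integrating keep limit rules and Extracting an individual rule from a subnet rule) both depend on the more specific rule sitting before the general rule that covers it. The following added example, which is not part of the HP guide, checks a rules file for keep limit rules that break that ordering. The rule syntax, the a-b range notation, and the sample rules are assumptions constructed for illustration, because this section shows no rule text.

```python
import ipaddress
import re

# Assumed rule shape (this section shows no rule syntax):
#   pass in quick proto tcp from <src> to <dst> port = <n> keep limit <n> [cumulative]
RULE_RE = re.compile(r"\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
                     r"(?:\s+port\s*=\s*(?P<port>\S+))?.*\bkeep\s+limit\s+\d+")

# Constructed sample rules file; line 3 is the general rule, lines 4-5 were added after it.
SAMPLE = """\
# constructed sample
pass in quick proto tcp from 10.1.1.7 to any port = 25 keep limit 3
pass in quick proto tcp from 10.1.0.0/16 to any port = 25 keep limit 50 cumulative
pass in quick proto tcp from 10.1.2.0/24 to any port = 25 keep limit 10
pass in quick proto tcp from 10.1.2.1-10.1.2.20 to any port = 25 keep limit 5
pass in quick proto tcp from 10.1.2.0/24 to any port = 80 keep limit 10
"""

def source_span(src):
    """Return (first, last) address for 'any', a host, a CIDR subnet or an a-b range."""
    if src == "any":
        src = "0.0.0.0/0"  # IPv4 only in this sketch
    if "-" in src:
        lo, hi = (ipaddress.ip_address(part) for part in src.split("-", 1))
        return lo, hi
    net = ipaddress.ip_network(src, strict=False)
    return net[0], net[-1]

def keep_limit_rules(text):
    """Yield (line number, source span, destination, port) for each keep limit rule."""
    for lineno, line in enumerate(text.splitlines(), 1):
        match = RULE_RE.search(line.split("#", 1)[0])
        if match:
            yield lineno, source_span(match["src"]), match["dst"], match["port"]

def misordered(text):
    """Return (general_line, specific_line) pairs where the specific rule comes second."""
    rules = list(keep_limit_rules(text))
    found = []
    for i, (g_line, (g_lo, g_hi), g_dst, g_port) in enumerate(rules):
        for s_line, (s_lo, s_hi), s_dst, s_port in rules[i + 1:]:
            same_target = (g_dst, g_port) == (s_dst, s_port)
            narrower = (g_lo.version == s_lo.version and g_lo <= s_lo
                        and s_hi <= g_hi and (g_lo, g_hi) != (s_lo, s_hi))
            if same_target and narrower:
                found.append((g_line, s_line))
    return found

if __name__ == "__main__":
    for general, specific in misordered(SAMPLE):
        print(f"line {specific} is more specific than line {general} but follows it")
```

Each reported pair names a general rule and a more specific rule for the same destination and port that was placed after it; moving the specific rule to the line before the general rule clears the finding.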
Enabling and disabling DCA
To use DCA, you must enable DCA mode. You can enable or disable DCA mode using the ipf
utility. If you want IPFilter to automatically enable DCA mode at system startup time, you must also
modify the /etc/rc.config.d/ipfconf file.
Enabling and disabling DCA using ipf
A single DCA mode exists for both IPv4 and IPv6 addresses. You can use the ipf command to
enable and disable DCA mode. You can also use ipf to query the state of DCA mode, and toggle
between enabled and disabled mode.
DCA mode is disabled by default. To enable DCA, use the following command:
ipf -m e
To disable DCA, use the following command:
ipf -m d