Manualshelf

HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPFilter Software
41424344454647484950
To query the current DCA setting, use the following command:
ipf -m q
You can toggle between being enabled or disabled by using the following command:
ipf -m t
Configuring IPFilter to enable DCA at system startup
To configure IPFilter to automatically enable DCA at system startup:
1. Open /etc/rc.config.d/ipfconf, the IPFilter startup configuration file.
2. Choose one of the following:
Set the DCA_START flag to 1 to enable DCA.
Set the DCA_START flag to 0 to disable DCA. This is the default setting.
NOTE: When there are no keep limit rules and no connection allocation configured, HP
recommends that you disable DCA.
Using IPFilter utilities with DCA
The IPFilter utilities support subcommands to collect data about the connections that are being
controlled. This data includes the source and destination IP address, allocated number of
connections, number of active connections, and number of times the allocated quota of connections
was exceeded. These subcommands are as follows:
The ipf utility. For more information, see Section (page 74).
ipf -Q interface_name
ipf -E interface_name
ipf -D interface_name
ipf -m option
The ipfstat utility. For more information, see Section (page 60).
ipfstat -L
ipfstat -vL
ipfstat -r group:rule
The ipmon utility. For more information, see Section (page 68).
ipmon -r
DCA also provides logging records that can serve as alert messages or as a summary of the
connections made from a specific IP address. You can use the log records to identify IP addresses
or subnets that you want to limit or block.
keep limit rules and rule hits
Each time IPFilter processes a packet that matches a rule, IPFilter increments the hit count for the
matching rule, whether or not the rule is the final rule (the rule used). For example:
A packet matches a non-quick rule. If another rule match is later found on the list, IPFilter
increments the hit count for both matching rules.
A packet matches a rule that is a group head. If another matching rule is found within the
group, IPFilter increments the hit count for both matching rules.
42 Configuring and loading dynamic connection allocation (DCA) rules