HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

S—IP subnet
C—Cumulative
U—Unknown IP
These limit entries are created through the default rule. See Section (page 35) for detailed
information on the different types of limit entries.
The Rule column displays the rule number that caused the creation of this limit entry. This
information can in turn be used to get per-rule statistics using the ipfstat -r command.
The third through sixth columns display IP-port pairs of the TCP connection.
The Limit column displays the configured limit specified in the keep limit rule.
The Current column displays the number of fully established connections under that limit entry.
The figure in parentheses indicates the number of times the configured limit was exceeded.
For example, the first entry shows that, even though the IP address 15.10.40.10 currently has
two active connections, it has exceeded the configured limit of 10 connections twice. These
numbers can serve as a guide for adjusting and tuning the limit value for an IP address or IP
subnet.
The following is an example of the output of the ipfstat -r group:rule option.
Limit Type Individual
Group:Rule Number @0:6
Configured Limit 7
Current connections 3
Limit Exceeded (#times) 33
TCP RSTs sent (#times) 33
In this example, rule number 6 created a limit entry of type Individual. The rule specifies a
connection limit of 7. There are three current connections using this rule. The limit has been exceeded
33 times. The rule included the return-rst keyword, so IPFilter sent a TCP Reset packet each
time an attempt was made to exceed the configured limit.
If the rule is deleted or switched to the inactive set, @(del) appears in the Group:Rule Number
field.
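The report above is small enough to script against. The following is an added example, not code from the HP-UX guide: it parses a constructed copy of the ipfstat -r group:rule report into a record and derives the kind of tuning hints the guide describes (limit exceeded, return-rst in effect, stale @(del) entry). The sample text and the field names are assumed to follow the layout shown above.

```python
# Added example: parse an "ipfstat -r group:rule" limit-entry report.
# SAMPLE is constructed to match the layout documented in the guide.
from dataclasses import dataclass

SAMPLE = """\
Limit Type Individual
Group:Rule Number @0:6
Configured Limit 7
Current connections 3
Limit Exceeded (#times) 33
TCP RSTs sent (#times) 33
"""

@dataclass
class LimitEntry:
    limit_type: str   # Individual, IP subnet, Cumulative or Unknown IP
    group_rule: str   # "@group:rule", or "@(del)" once the rule is gone
    configured: int   # limit from the keep limit rule
    current: int      # fully established connections right now
    exceeded: int     # attempts refused because of the limit
    rsts: int         # TCP RSTs sent (non-zero only with return-rst)

def parse_limit_entry(text: str) -> LimitEntry:
    """Each line is '<label> <value>'; the value is the last token."""
    fields = {}
    for line in text.splitlines():
        if line.strip():
            label, _, value = line.rstrip().rpartition(" ")
            fields[label] = value
    return LimitEntry(
        limit_type=fields["Limit Type"],
        group_rule=fields["Group:Rule Number"],
        configured=int(fields["Configured Limit"]),
        current=int(fields["Current connections"]),
        exceeded=int(fields["Limit Exceeded (#times)"]),
        rsts=int(fields["TCP RSTs sent (#times)"]),
    )

def tuning_hints(e: LimitEntry) -> list:
    """Hints derived from the counters, for use when adjusting a limit."""
    hints = []
    if e.group_rule == "@(del)":
        hints.append("rule deleted or inactive; entry is stale")
    if e.exceeded > 0:
        hints.append(f"limit {e.configured} exceeded {e.exceeded} times")
    if e.rsts > 0:
        hints.append("return-rst in effect: refused attempts get a TCP RST")
    return hints
```

Run it over the real report by piping the ipfstat output into parse_limit_entry instead of SAMPLE.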
Testing rules with ipftest
The ipftest utility enables you to test a ruleset without loading it. You do not need superuser
capabilities to run ipftest.
The ipftest utility tests a ruleset using a set of packet descriptors that simulate network traffic.
The ipftest utility determines the action IPFilter would take for each packet and writes the packet
and the action to stdout.
When you generate simulated traffic, you can use example data obtained from a packet probe
or similar monitor. These packets can show the specifics of the traffic the subject system will
encounter in a production environment. If you are testing TCP keep state rules, include the TCP
flag values in the packet descriptor.
Syntax
ipftest [-6] -r ruleset_filename [-i input_filename]
Options
-6 Specifies that the rules tested are IPv6 filter rules.
-r ruleset_filename Specifies the file from which to read rules.
-i input_filename Specifies the file that contains packet descriptors. The default is stdin.
64 Troubleshooting HP-UX IPFilter