HP-UX IPFilter v18.21 Release Notes HP-UX 11i v3 (761996-001, January 2014)
5 Issues and solutions
• Using the pps option with keep state
The rate-based filtering option pps is applied only to the first packet of a flow, that is, the
packet for which a state entry is created. Once the state entry has been added to the state
table, rate-based filtering no longer applies to that flow.
For example:
pass in quick proto tcp from any to 10.2.2.2/32 port = 80 flags S keep state pps 10
In this example, rate-based filtering is applied only to the incoming connection request (the
SYN packet): no more than 10 new TCP connections to 10.2.2.2 on port 80 are accepted per
second. After the SYN packets of those connections have created state entries, their subsequent
packets are matched by state and are not rate-based filtered.
• The startup script for HP-UX IPFilter automatically disables the
ip_forward_directed_broadcasts parameter, so the system does not forward packets addressed
to a subnet-directed broadcast address. This keeps the system from being used in broadcast-storm
(smurf-style) attacks that can bring down a network. The current value can be confirmed with
ndd -get /dev/ip ip_forward_directed_broadcasts.
• If rules are loaded from stdin, rule numbers are not assigned properly to the individual rules
when the input is terminated with Ctrl-c. Sample output:
# ipf -f-
pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
Ctrl-c
# ipfstat -iohn
empty list for ipfilter(out)
0 @0:0 pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
0 @0:0 pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
To load the rules properly, terminate the input with the end-of-file control character (Ctrl-d)
instead. Sample output:
# ipf -f-
pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
Ctrl-d
# ipfstat -iohn
empty list for ipfilter(out)
0 @0:1 pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
0 @0:2 pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
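The listings above can be checked mechanically after a load. The following is an added example (not part of the HP-UX IPFilter release notes and not an HP tool): it parses the text that ipfstat -iohn prints and reports every rule whose @group:rule tag still carries rule number 0, which is the symptom of closing stdin with Ctrl-c. The two listings embedded below are constructed from the samples in the notes; the function names are this example's own.

```python
"""Check ipfstat -iohn output for rules that were loaded without a rule number.

Added example, not part of the HP-UX IPFilter release notes. The sample
listings are constructed from the format shown in the notes.
"""
import re

# One rule line of ipfstat -iohn: "<hits> @<group>:<rule> <rule text>"
_RULE_RE = re.compile(r"^\s*(\d+)\s+@(\d+):(\d+)\s+(.*)$")


def parse_ipfstat(output):
    """Return (hits, group, number, text) for every rule line in the output.

    Lines that are not rules, such as "empty list for ipfilter(out)", are
    skipped rather than treated as an error.
    """
    rules = []
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        hits, group, number, text = m.groups()
        rules.append((int(hits), int(group), int(number), text.strip()))
    return rules


def unnumbered_rules(output):
    """Rules whose rule number is 0, i.e. rules that were not numbered."""
    return [r for r in parse_ipfstat(output) if r[2] == 0]


# Constructed samples: the Ctrl-c and Ctrl-d listings from the release notes
BAD_LISTING = """\
empty list for ipfilter(out)
0 @0:0 pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
0 @0:0 pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
"""

GOOD_LISTING = """\
empty list for ipfilter(out)
0 @0:1 pass in on lan1 from 15.154.118.191/32 to 16.181.168.207/32
0 @0:2 pass in on lan1 from 15.154.118.192/32 to 16.181.168.207/32
"""

if __name__ == "__main__":
    for name, listing in (("Ctrl-c", BAD_LISTING), ("Ctrl-d", GOOD_LISTING)):
        bad = unnumbered_rules(listing)
        print(f"{name} load: {len(bad)} rule(s) without a rule number")
        for _, group, number, text in bad:
            print(f"  @{group}:{number} {text}")
```

On a live system the output to feed in comes from ipfstat -iohn itself. For unattended loads, avoid the interactive stdin path altogether: keep the rules in a file and load them with ipf -f on that file, or pipe them into ipf -f - so that ipf sees end-of-file rather than an interrupt.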
• l4check rules
◦ l4check adds or deletes rules with only one IP address. RDR rules with only one IP
address are ignored.
◦ l4check does not have the option to add rules with the sticky keyword.
• Excluding nodes from an ippool using "!" does not work for hash type pools.
# cat ippool.conf
table role = ipf type = hash number = 10
{192.168.1.1/24; ! 192.168.1.88/32;};
# ippool -f ippool.conf
syntax error error at "!", line 2
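Because ippool only reports the problem as a syntax error at load time, it is useful to lint the file beforehand. The following is an added example (not part of the HP-UX IPFilter release notes and not part of the ippool tool): it parses the table declarations in an ippool.conf and lists every "!" entry that appears in a hash type table, which is exactly the case the notes say is rejected. The configuration embedded below is constructed for the example, and the function names are this example's own.

```python
"""Lint an ippool.conf for "!" exclusions inside hash type pools.

Added example, not part of the HP-UX IPFilter release notes or of ippool.
The sample configuration is constructed for this example.
"""
import re

# One table declaration:
#   table role = ipf type = hash number = 10 { entry; ! entry; };
# The header and the body may be split across lines, as in the notes.
_TABLE_RE = re.compile(r"table\s+(?P<header>[^{]*)\{(?P<body>[^}]*)\}\s*;")
_KV_RE = re.compile(r"(\w+)\s*=\s*(\S+)")


def parse_ippool_conf(text):
    """Return one dict per table: role, type, number and its entries.

    Each entry is a (negated, address) pair; negated is True for "!" nodes.
    """
    tables = []
    for m in _TABLE_RE.finditer(text):
        header = dict(_KV_RE.findall(m.group("header")))
        entries = []
        for raw in m.group("body").split(";"):
            raw = raw.strip()
            if not raw:
                continue
            negated = raw.startswith("!")
            entries.append((negated, raw.lstrip("!").strip()))
        tables.append({
            "role": header.get("role"),
            "type": header.get("type"),
            "number": header.get("number"),
            "entries": entries,
        })
    return tables


def negated_hash_entries(text):
    """(table number, address) for every "!" entry in a hash type table.

    Only hash pools are flagged, because that is the pool type for which
    the release notes report the failure.
    """
    hits = []
    for table in parse_ippool_conf(text):
        if table["type"] != "hash":
            continue
        for negated, addr in table["entries"]:
            if negated:
                hits.append((table["number"], addr))
    return hits


# Constructed ippool.conf: the failing table from the notes plus a clean one
SAMPLE_CONF = """\
table role = ipf type = hash number = 10
{192.168.1.1/24; ! 192.168.1.88/32;};
table role = ipf type = hash number = 11
{10.0.0.0/8; 172.16.0.0/12;};
"""

if __name__ == "__main__":
    for number, addr in negated_hash_entries(SAMPLE_CONF):
        print(f"table {number}: '!' exclusion of {addr} is not supported "
              "in a hash type pool; ippool -f will reject this file")
```

Run it against the real file before ippool -f so that a rejected configuration is caught before a pool reload leaves the filter with stale or missing pool contents.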