HP-UX IPFilter Version 15.01 Administrator's Guide

Processing Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces
IPFilter supports the following processing options:
Log information about the packets that match the rule (log)
If the packet matches the rule, apply the rule action immediately and stop evaluating the
rest of the ruleset (quick)
Apply the rule only to packets on the specified interface (on)
Option Order
If you specify processing options, you must insert them after the in or out keyword:
block|pass in|out [processing_options] [proto protocol] ip_selector
If you specify more than one processing option, you must specify them in the following order:
1. log
2. quick
3. on
For example:
block in log quick on lan0 from 20.20.20.0/24 to any
log: Logging Packets
The log keyword directs IPFilter to log the packets, incoming or outgoing, that the rule matches.
Logging records information about those packets and helps you determine whether your IPFilter
system is being attacked. You can use the log keyword with any IPFilter rule.
TIP: In most cases, it is not necessary to log every passed packet. Administrators often log only
blocked packets, and, in some cases, log only selected blocked packets. HP recommends that
you select the most important rules or the rules that are most likely to block attacks on your
system and log only those rules. Indiscriminate logging can clutter a log file and make it difficult
to detect notable events.
For example, if you want to log blocked packets from a specific subnet, such as 20.20.20.0/24,
use the following rule:
block in log from 20.20.20.0/24 to any
NOTE: You can use the log keyword with several other options to control and enhance logging
functionality and performance. See “Logging IPFilter Packets” (page 82) for more information.
quick: Optimizing IPFilter Rules Processing
By default, HP-UX IPFilter evaluates the entire ruleset for each packet and selects the last rule
that matches the packet. The quick keyword enables you to control rule processing and reduce
the overhead of running IPFilter on your system. If IPFilter matches a packet to a rule that contains
the quick keyword, IPFilter immediately selects that rule without continuing to evaluate the
other rules in the ruleset. For example, a ruleset contains the following rules:
block in quick from 10.10.10.66 to any
pass in all
If the system receives a packet from 10.10.10.66, IPFilter matches the packet to the first rule.
Because the first rule includes the quick keyword, IPFilter does not evaluate the second rule in
the ruleset and applies the first rule, so the packet is blocked. Without quick, the second rule
would also match the packet and, as the last matching rule, would pass it.
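The following Python program is an added example, not part of this guide and not HP-UX IPFilter code. It is a toy evaluator for the two behaviours described in this section, last matching rule wins and quick stops the search, and it also enforces the option order given under "Option Order" (log, quick, on). The function names (parse_rule, evaluate, decide), the sample ruleset and the packets are constructed for this example; the pass default for a packet that matches no rule is an assumption of the toy, not something this page states. The sample ruleset also shows the trap that quick avoids: the non-quick block rule for 10.10.10.0/24 is overridden by the later pass in all rule for every host in that subnet except 10.10.10.66.

```python
"""Toy model of the rule processing this page describes: the last matching rule
wins unless a matching rule carries 'quick', which ends the search at once.
Added example, not HP-UX IPFilter code; it handles only the syntax shown here:
    block|pass in|out [log] [quick] [on IFACE] [proto PROTO] (all | from SRC to DST)
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                           # "block" or "pass"
    direction: str                        # "in" or "out"
    log: bool
    quick: bool
    iface: Optional[str]                  # None = any interface
    proto: Optional[str]                  # None = any protocol
    src: Optional[ipaddress.IPv4Network]  # None = "any"
    dst: Optional[ipaddress.IPv4Network]  # None = "any"
    text: str

# 'any' matches everything; a bare host address becomes a /32
_net = lambda t: None if t == "any" else ipaddress.ip_network(t, strict=False)

def parse_rule(text):
    """Parse one rule line; processing options must be ordered log, quick, on."""
    toks = text.split()
    if len(toks) < 3 or toks[0] not in ("block", "pass") or toks[1] not in ("in", "out"):
        raise ValueError(f"rule must start with block|pass in|out: {text!r}")
    i, log, quick, iface, proto = 2, False, False, None, None
    if i < len(toks) and toks[i] == "log":
        log, i = True, i + 1
    if i < len(toks) and toks[i] == "quick":
        quick, i = True, i + 1
    if i + 1 < len(toks) and toks[i] == "on":
        iface, i = toks[i + 1], i + 2
    if i < len(toks) and toks[i] in ("log", "quick", "on"):
        raise ValueError(f"misplaced or incomplete processing option: {text!r}")
    if i + 1 < len(toks) and toks[i] == "proto":
        proto, i = toks[i + 1], i + 2
    rest = toks[i:]
    if rest == ["all"]:
        src = dst = None
    elif len(rest) == 4 and rest[0] == "from" and rest[2] == "to":
        src, dst = _net(rest[1]), _net(rest[3])
    else:
        raise ValueError(f"expected 'all' or 'from SRC to DST': {text!r}")
    return Rule(toks[0], toks[1], log, quick, iface, proto, src, dst, text)

def is_valid_rule(text):
    try:
        return parse_rule(text) is not None
    except ValueError:
        return False

def load_rules(lines):
    # skip blank lines and '#' comments
    return [parse_rule(ln) for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]

def matches(rule, pkt):
    # pkt: dict with direction, iface, proto, src, dst (addresses as strings)
    return (rule.direction == pkt["direction"]
            and (rule.iface is None or rule.iface == pkt["iface"])
            and (rule.proto is None or rule.proto == pkt["proto"])
            and (rule.src is None or ipaddress.ip_address(pkt["src"]) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt["dst"]) in rule.dst))

def evaluate(rules, pkt, default_action="pass"):
    """Remember the last match; stop at once on a 'quick' match (default is this toy's assumption)."""
    chosen, examined = None, 0
    for rule in rules:
        examined += 1
        if matches(rule, pkt):
            chosen = rule
            if rule.quick:
                break                     # quick: later rules are never looked at
    return {"action": chosen.action if chosen else default_action,
            "rule": chosen.text if chosen else None,
            "examined": examined,
            "log": bool(chosen and chosen.log)}   # selected rule carries 'log'

# Constructed sample ruleset for this example (not the page's own configuration).
SAMPLE_RULESET = """
block in log quick on lan0 from 20.20.20.0/24 to any
block in quick from 10.10.10.66 to any
block in from 10.10.10.0/24 to any
pass in all
""".splitlines()
RULES = load_rules(SAMPLE_RULESET)

def decide(src, iface="lan0", dst="10.10.10.1", proto="tcp"):
    """Evaluate one constructed inbound packet against SAMPLE_RULESET."""
    return evaluate(RULES, {"direction": "in", "iface": iface, "proto": proto,
                            "src": src, "dst": dst})

if __name__ == "__main__":
    print(decide("10.10.10.66"), decide("10.10.10.5"), decide("20.20.20.7"), sep="\n")
```

Running it shows the three cases side by side: 10.10.10.66 is blocked after two rules because the second rule is quick; 10.10.10.5 matches the non-quick block rule but is passed by the final pass in all rule, since the last match wins; and 20.20.20.7 on lan0 is blocked and logged by the first rule after a single comparison, while the same address on lan1 falls through to pass in all because of the on lan0 restriction.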
28 Configuring and Loading IPv4 Filter Rules