HP-UX IPFilter Version 15.01 Administrator's Guide

The system host1 is allowed to open only 10 concurrent connections. IPFilter blocks any
subsequent connection requests. Because log limit is set, each additional connection attempt
is logged.
The log limit option generates two types of log records:
Alert Log records—created when a source IP address attempts to exceed its configured
connection limit. Every time the connection limit is exceeded, IPFilter creates an alert log
record.
Summary Log records—created when a limit entry ceases to exist after all the connections
for that limit entry have been closed. A summary log record summarizes the connection
activity for a particular source IP address.
The format of an alert log record is:
date_time_stamp interface_name source_ip,source_port -> destination_IP,destination_port
protocol TCP_flags keep_limit limit_type configured_limit current_#_of_connections
#_times_limit_exceeded log_freq packet_direction
The format of a summary log record is:
Date and time stamp, Source IP, Source port, Destination IP, Destination port,
Protocol, TCP flags, Keep limit, Limit type, Configured limit, Current # of connections,
# times limit exceeded, Rule #, Time the limit entry was created
Summary Logs and Cumulative Limits
You can write the summary log records for cumulative limits to the IPFilter log file using the
ipmon -r option. When ipmon -r is invoked, the summary log record is written and the
connection exceeded counter for each cumulative limit is set to zero.
NOTE: Unlike noncumulative limits, cumulative summary logs are not printed when all the
connections under a cumulative limit are closed.
The following is an example cumulative summary log:
06/02/2004 19:32:39.370000 LIMIT LOG 19.13.15.65-19.13.15.85,* -> 0.0.0.0,23 PR ip Type 4 Cur Lim 1 Exceeded 1 @0:1 First Time 19:32:35.800000
The example log record was written for the following IP address range cumulative rule:
pass in log limit freq 1 quick proto tcp from 19.13.15.65-19.13.15.85 to any port = 23 keep limit 1 cumulative
In the example summary log, the source IP address displayed is actually the IP address range
specified in the rule. Wildcard IP addresses are shown as 0.0.0.0. The destination port
information is also printed from the rule. The other fields are similar to a noncumulative summary
record.
For further information, see “ipmon and DCA Logging” (page 85).
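The following parser for cumulative summary log records is an added example, not code from the guide or from HP-UX IPFilter. The field layout is assumed from the example record above and the summary-record field list; the second log line and the regular-expression names are constructed here for illustration.

```python
import re

# Cumulative summary log record copied from the guide (joined onto one line),
# followed by a second record constructed here to exercise the aggregation.
SAMPLE_LOG = [
    "06/02/2004 19:32:39.370000 LIMIT LOG 19.13.15.65-19.13.15.85,* "
    "-> 0.0.0.0,23 PR ip Type 4 Cur Lim 1 Exceeded 1 @0:1 First Time "
    "19:32:35.800000",
    "06/02/2004 19:40:02.100000 LIMIT LOG 19.13.15.65-19.13.15.85,* "
    "-> 0.0.0.0,23 PR ip Type 4 Cur Lim 1 Exceeded 7 @0:1 First Time "
    "19:38:10.000000",
]

# Field layout assumed from the example record and the summary-record field list
# in the guide. "Cur" carries no value in the example, so a count after it is
# treated as optional. "@group:rule" is the Rule # field of the summary record.
LIMIT_LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) LIMIT LOG "
    r"(?P<src>\S+),(?P<sport>\S+) -> (?P<dst>\S+),(?P<dport>\S+) "
    r"PR (?P<proto>\S+) Type (?P<ltype>\d+) Cur(?: (?P<cur>\d+))? Lim (?P<limit>\d+) "
    r"Exceeded (?P<exceeded>\d+) @(?P<group>\d+):(?P<rule>\d+) "
    r"First Time (?P<first>\S+)$"
)


def parse_limit_log(line):
    """Parse one LIMIT LOG summary record; return a dict, or None if not one."""
    m = LIMIT_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ltype", "cur", "limit", "exceeded", "group", "rule"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def exceeded_by_source(lines):
    """Sum the Exceeded counts per (source, group, rule) across records.

    Each ipmon -r resets the exceeded counter of a cumulative limit, so the
    totals over several summary records give the full picture for a source.
    """
    totals = {}
    for line in lines:
        rec = parse_limit_log(line)
        if rec is None:
            continue  # ordinary ipmon traffic records are not limit summaries
        key = (rec["src"], rec["group"], rec["rule"])
        totals[key] = totals.get(key, 0) + rec["exceeded"]
    return totals
```

Feeding the IPFilter log file through exceeded_by_source gives a per-source-range count of limit violations that can be reviewed or forwarded to a SIEM.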
log limit freq: Log Frequency
Use the log limit freq num keyword to control the frequency at which alert log records are
logged.
For example, suppose log limit is set to 10 and log limit freq is set to 3. The system begins
tracking exceeded connections at the eleventh connection. It logs every third exceeded
connection, that is, the fourteenth, seventeenth, twentieth, and so on.
The log limit freq keyword can also be used with keep limit cumulative rules. For
example:
pass in log limit freq 5 quick proto tcp from 18.9.90.0/24 to any keep limit 10 cumulative