HP-UX IPFilter Version 15.01 Administrator's Guide

Use the -n option to display the rule number next to each rule, in the form
@group:rule. This helps you identify which rules are incorrectly configured. For example:
# ipfstat -on
@0:1 pass out on lan0 from any to any
@0:2 block out on ppp0 from any to any
@0:3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
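Because the rule number identifies a rule's position, it also tells you which rules run before it. The following added example (not code from the HP-UX IPFilter guide) parses an ipfstat -on listing and flags rules that can never match. It assumes only the documented IPFilter semantics: rules are evaluated in order, the last matching rule wins, and a matching quick rule stops evaluation, so any later rule in the same group on the same interface and direction is unreachable once an earlier quick rule matches every packet. The second listing, in which rule 2 is made quick, is constructed to show such a case; the first is the guide's own listing.

```python
"""Flag unreachable rules in an `ipfstat -on` listing.

Added example, not from the HP-UX IPFilter guide. The grammar handled is a
subset of ipf rule syntax:
  @group:rule (pass|block) (in|out) [quick] [on IFACE] [proto P] from SRC to DST ...
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^@(?P<group>\d+):(?P<num>\d+)\s+(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?P<rest>.*)$"
)


@dataclass
class Rule:
    group: int
    num: int
    action: str
    direction: str
    quick: bool
    iface: str      # "any" when the rule names no interface
    proto: str      # "any" when the rule names no protocol
    src: str
    dst: str
    text: str

    @property
    def catch_all(self) -> bool:
        """True when the rule matches every packet on its interface/direction."""
        return self.proto == "any" and self.src == "any" and self.dst == "any"


def parse_rules(listing: str) -> list:
    """Parse the lines of an `ipfstat -on` (or -in) listing; unknown lines are skipped."""
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append(Rule(group=int(m["group"]), num=int(m["num"]),
                          action=m["action"], direction=m["dir"],
                          quick=m["quick"] is not None,
                          iface=m["iface"] or "any", proto=m["proto"] or "any",
                          src=m["src"], dst=m["dst"], text=line))
    return rules


def find_unreachable(rules: list) -> list:
    """Return (rule, shadowing_rule) pairs for rules an earlier quick catch-all rule hides."""
    unreachable = []
    seen = []
    for r in rules:
        for earlier in seen:
            same_path = (earlier.group == r.group and earlier.direction == r.direction
                         and earlier.iface in ("any", r.iface))
            if earlier.quick and earlier.catch_all and same_path:
                unreachable.append((r, earlier))
                break
        seen.append(r)
    return unreachable


# The listing shown in the guide: rule 2 is not quick, so rule 3 is still reachable.
GUIDE_LISTING = """\
@0:1 pass out on lan0 from any to any
@0:2 block out on ppp0 from any to any
@0:3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
"""

# Constructed variant: making rule 2 quick means rule 3 can never be evaluated.
SHADOWED_LISTING = """\
@0:1 pass out on lan0 from any to any
@0:2 block out quick on ppp0 from any to any
@0:3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
"""

if __name__ == "__main__":
    for name, listing in (("guide", GUIDE_LISTING), ("shadowed", SHADOWED_LISTING)):
        for rule, by in find_unreachable(parse_rules(listing)):
            print(f"{name}: @{rule.group}:{rule.num} is unreachable, shadowed by @{by.group}:{by.num}")
```

Run it against the output of ipfstat -on and ipfstat -in separately; a reported pair points at the rule number exactly as -n prints it.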
The following example uses the -s option to display the state table.
# ipfstat -s
281458 TCP
319349 UDP
0 ICMP
19780145 hits
5723648 misses
0 maximum
0 no memory
0 bkts in use
1 active
319349 expired
281419 closed
A TCP connection has one state entry. A fully established connection is shown as state 4/4;
other state values represent incomplete connections and are documented later. A state entry has a
lifetime of 24 hours, which is the default for an established TCP connection. The time-to-live (TTL)
counter is decremented every second that the state entry is not used, so a connection that is left
idle is eventually purged.
The TTL counter is reset to 86400 whenever the state is used, so the entry does not time
out while it is actively used. 196 packets, about 17 KB of data, have been passed over this
connection. The ports for the endpoints are 987 and 22: this state entry represents a connection
from 100.100.100.1 port 987 to 20.20.20.1 port 22. The numbers in the second line are the TCP
sequence numbers for this connection. These numbers help ensure that an attacker cannot insert a
forged packet into your session. The TCP window is also shown. The third line is a synopsis of
the implicit rule generated by the keep state code, showing that this is an inbound connection.
The ipfstat -sl option is often used in place of ipfstat -s to show the state information held
in the kernel, if any. ipfstat -sl gives detailed information for each state entry that is active.
The following is an example of the output information of the ipfstat -sl option:
# ipfstat -sl
15.13.106.175 -> 15.13.137.135 ttl 872678 pass 0x500a pr 6 state 4/4
pkts 31 bytes 1564 57906 -> 23 22c0861c:712c2bd9 32768:32768
cmsk 0000 smsk 0000 isc 0000000000000000 s0 22c085e0/712c2b7f
sbuf[0] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0] sbuf[1] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in lan0[00000000480baf00] out -[0000000000000000]
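The description of a state entry above and the ipfstat -sl output both hinge on reading the same few fields: endpoints, ports, protocol, TTL, the state value and the packet and byte counters. The following added example (not code from the HP-UX IPFilter guide) parses ipfstat -sl output into records and counts established versus incomplete entries. It parses only the first two lines of each entry and skips the cmsk/smsk, sbuf, rule synopsis and interfaces lines; it treats TCP state 4/4 as fully established, as the guide documents, and any other value as incomplete. The first entry in the sample is the guide's; the second (state 1/0) is constructed to exercise the incomplete case.

```python
"""Parse `ipfstat -sl` state entries into structured records.

Added example, not from the HP-UX IPFilter guide. Only the address/ttl/state
line and the pkts/bytes/ports line of each entry are read.
"""
import re
from dataclasses import dataclass

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers for the 'pr' field

# "<src> -> <dst> ttl <n> pass <hex> pr <n> state <a>/<b>"
STATE_LINE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) ttl (?P<ttl>\d+) pass (?P<flags>0x[0-9a-f]+)"
    r" pr (?P<proto>\d+) state (?P<state>\d+/\d+)$"
)
# "pkts <n> bytes <n> <sport> -> <dport> <seq>:<seq> <win>:<win>"
DETAIL_LINE = re.compile(
    r"^pkts (?P<pkts>\d+) bytes (?P<bytes>\d+) (?P<sport>\d+) -> (?P<dport>\d+)"
    r" (?P<seq>[0-9a-f]+:[0-9a-f]+) (?P<win>\d+:\d+)$"
)


@dataclass
class StateEntry:
    src: str
    dst: str
    proto: str
    ttl: int
    state: str
    sport: int = 0
    dport: int = 0
    pkts: int = 0
    bytes: int = 0
    seq: str = ""
    window: str = ""

    @property
    def established(self) -> bool:
        # The guide documents 4/4 as a fully established TCP connection.
        return self.proto == "TCP" and self.state == "4/4"

    def describe(self) -> str:
        status = "established" if self.established else "incomplete"
        return (f"{self.proto} {self.src}:{self.sport} -> {self.dst}:{self.dport} "
                f"state {self.state} ({status}), {self.pkts} pkts / {self.bytes} bytes, "
                f"ttl {self.ttl}")


def parse_states(output: str) -> list:
    """Return one StateEntry per entry found in ipfstat -sl output."""
    lines = [ln.strip() for ln in output.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = STATE_LINE.match(line)
        if not m:
            continue  # continuation line of the previous entry, or header text
        entry = StateEntry(src=m["src"], dst=m["dst"],
                           proto=PROTO_NAMES.get(int(m["proto"]), m["proto"]),
                           ttl=int(m["ttl"]), state=m["state"])
        # The counters/ports line directly follows the state line for TCP and UDP.
        d = DETAIL_LINE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if d:
            entry.sport, entry.dport = int(d["sport"]), int(d["dport"])
            entry.pkts, entry.bytes = int(d["pkts"]), int(d["bytes"])
            entry.seq, entry.window = d["seq"], d["win"]
        entries.append(entry)
    return entries


def summarize(entries: list) -> dict:
    """Count established versus incomplete entries as a quick health check."""
    est = sum(1 for e in entries if e.established)
    return {"total": len(entries), "established": est, "incomplete": len(entries) - est}


# Constructed sample: the guide's entry followed by a made-up incomplete TCP entry.
SAMPLE_OUTPUT = """\
15.13.106.175 -> 15.13.137.135 ttl 872678 pass 0x500a pr 6 state 4/4
pkts 31 bytes 1564 57906 -> 23 22c0861c:712c2bd9 32768:32768
cmsk 0000 smsk 0000 isc 0000000000000000 s0 22c085e0/712c2b7f
pass in quick keep state IPv4
interfaces: in lan0[00000000480baf00] out -[0000000000000000]
192.0.2.10 -> 15.13.137.135 ttl 120 pass 0x500a pr 6 state 1/0
pkts 1 bytes 60 40001 -> 22 0a0b0c0d:00000000 16384:0
"""

if __name__ == "__main__":
    parsed = parse_states(SAMPLE_OUTPUT)
    for e in parsed:
        print(e.describe())
    print(summarize(parsed))
```

A large incomplete count relative to the established count is the kind of signal worth correlating with the hits and misses counters from ipfstat -s before concluding anything about the rule set.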
The following is an example of the output information of the ipfstat -io option.
# ipfstat -io
empty list for ipfilter(out)
1 pass in quick proto tcp from 15.13.106.175/32 to any keep state
The following is an example of the output information of the ipfstat -L option.
# ipfstat -L
Current connections to limited IP addresses
Connection Type     Active Limits
Individual          2
76 Troubleshooting HP-UX IPFilter