HP-UX IPFilter Version 15.01 Administrator's Guide
• Field 3—Rule group number: rule number of the rule used for the packet, in the format
@group_number:rule_number
• Field 4—Action; blocked (b) or passed (p) packet
• Field 5—Packet source, in the format ip_address,port
• Field 6—Packet destination, in the format ip_address,port
• Fields 7 and 8—Protocol
• Field 9—Packet size
• Field 10—Flags set on packet
Use the ipfstat -in command to determine the text of the rule that created the log entry. In
the previous example, you would use this command to look at rule 2 in rule group 0 (@0:2).
IPFilter sometimes logs a packet matching a keep state rule in the normal (non-state) IPFilter
log file. This occurs when a packet matching a keep state rule has the same sequence number
as a packet matching a normal (non-state) rule that has logging enabled. This may also
occur when a packet matching a keep state rule is the last packet in a stateful connection and
arrives after IPFilter has deleted the state table entry.
Example:
#ipfstat -n
12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0
This is an ICMP router discovery broadcast packet. It is indicated by the ICMP type 9/0.
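The following is an added example, not code from the guide or from HP: a small Python parser for the ten-field log line format listed above, run over the guide's own example entry plus one constructed TCP entry. It assumes that the two numbers after len are the header length and the total packet length (the guide calls the pair "packet size"), and it keeps any action letter other than b or p verbatim, as the example entry above shows an S in that position.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. The first line is the guide's own example entry; the
# second is a constructed TCP entry (addresses from the RFC 5737 documentation
# ranges) that carries ports in the ip_address,port form and a flags field, so
# the port and flag handling is exercised as well.
SAMPLE_LOG = """\
12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0
13:02:07.104223 lan1 @0:2 b 192.0.2.10,4321 -> 198.51.100.5,23 PR tcp len 20 60 -S
"""

# Field 4 letters named by the guide; any other code is kept verbatim
# (the guide's own example shows "S" there).
ACTIONS = {"b": "blocked", "p": "passed"}

# One regular-expression group per field of the log line format described above.
# Assumption: the two numbers after "len" are header length and total packet
# length; the guide calls the pair "packet size" (field 9).
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"      # field 1: timestamp
    r"(?P<iface>\S+)\s+"                          # field 2: interface
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"           # field 3: @group:rule
    r"(?P<action>\S)\s+"                          # field 4: action letter
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"        # fields 5, 6: src -> dst
    r"PR\s+(?P<proto>\S+)\s+"                     # fields 7, 8: "PR proto"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"        # field 9: sizes
    r"(?:\s+(?P<flags>.*\S))?\s*$"                # field 10: flags / ICMP type
)


@dataclass
class LogEntry:
    time: str
    interface: str
    group: int
    rule: int
    action: str           # "blocked", "passed", or the raw letter
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    protocol: str
    header_len: int
    packet_len: int
    flags: Optional[str]  # TCP flags, or type/code for ICMP (e.g. "icmp 9/0")

    def rule_ref(self) -> str:
        """The @group:rule string to look up with 'ipfstat -in'."""
        return f"@{self.group}:{self.rule}"


def split_endpoint(endpoint: str):
    """Split 'ip_address,port' into (ip, port); ICMP entries carry no port."""
    if "," in endpoint:
        ip, port = endpoint.rsplit(",", 1)
        return ip, int(port)
    return endpoint, None


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return LogEntry(
        time=m["time"], interface=m["iface"],
        group=int(m["group"]), rule=int(m["rule"]),
        action=ACTIONS.get(m["action"], m["action"]),
        src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
        protocol=m["proto"],
        header_len=int(m["hlen"]), packet_len=int(m["plen"]),
        flags=m["flags"],
    )


def parse_log(text: str) -> List[LogEntry]:
    """Parse every non-empty line, skipping anything that is not a log entry."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.rule_ref()} {e.action} {e.protocol} {e.src_ip} -> {e.dst_ip} "
              f"({e.packet_len} bytes)")
```

The rule_ref value of each entry is the @group_number:rule_number string to look up in the output of ipfstat -in, as the text above describes for @0:2.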
ipmon and DCA Logging
DCA logging uses different device files than normal IPFilter logging. The DCA module writes
alert log records to /dev/ipl and writes summary log records to /dev/iplimit. To view the
summary records, use ipmon with the -A option. Using ipmon -A prints a summary log for a
limit entry before the entry is removed from the limit table.
Example:
ipmon -A /dev/iplimit > $LOGDIR/limit_summary.log &
You can use ipmon -r to print the summary records to the log file for all existing limit entries
that are active. For example, suppose you have the following rule configured:
pass in log limit quick proto tcp from host1 to Server keep limit 10
If host1 creates 70 connections, then 10 connections are let through and the remaining 60 are
blocked; 60 is the block count. When ipmon -r is called, a summary record is logged to the
summary log records and the block count is set to 0. This is useful in a case where host1 created
many connections and has a large block count, but subsequently has connections that are within
the connection limit.
ipmon -r works only on active limit entries. If there are no limit entries, ipmon -r does not
log any Summary Log records. Summary logs are printed only for those limit entries that have
a non-zero connection exceeded counter. For cumulative limits, this option is the only way to
obtain summary logs.
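The following is an added example, not code from the guide or from HP: a small Python model of the limit table and of the summary records ipmon -r produces, written to follow the behaviour described above (block count per active entry, a record only for entries with a non-zero connection-exceeded counter, counter reset to 0 after the record). The LimitEntry and LimitTable names and the record text are constructed for the example and are not the kernel's own structures or ipmon's output format.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LimitEntry:
    """One active limit-table entry for a 'keep limit N' rule (a model, not the
    kernel's real structure): connections currently admitted, and the number
    blocked since the last summary record (the "block count")."""
    source: str
    limit: int
    active: int = 0
    blocked: int = 0


class LimitTable:
    """Minimal model of the limit table and of the summary records that
    ipmon -r produces for it, following the behaviour the guide describes."""

    def __init__(self) -> None:
        self.entries: Dict[str, LimitEntry] = {}

    def new_connection(self, source: str, limit: int) -> bool:
        """Admit the connection if the source is under its limit; otherwise
        block it and bump the entry's block count. Returns True if passed."""
        entry = self.entries.setdefault(source, LimitEntry(source, limit))
        if entry.active < entry.limit:
            entry.active += 1
            return True
        entry.blocked += 1
        return False

    def summary_records(self) -> List[str]:
        """Model of 'ipmon -r': one summary record per active entry whose
        connection-exceeded counter is non-zero, after which that counter is
        reset to 0. The record text is a constructed format, not ipmon's own."""
        records = []
        for entry in self.entries.values():
            if entry.blocked == 0:
                continue
            records.append(
                f"limit summary: {entry.source} active={entry.active}/{entry.limit} "
                f"exceeded={entry.blocked}")
            entry.blocked = 0
        return records


def host1_example():
    """The guide's scenario: host1 opens 70 connections under 'keep limit 10'.
    Returns (passed, blocked, first summary run, second summary run)."""
    table = LimitTable()
    results = [table.new_connection("host1", 10) for _ in range(70)]
    passed = results.count(True)
    blocked = results.count(False)
    first = table.summary_records()    # one record, exceeded=60
    second = table.summary_records()   # empty: the counter was reset to 0
    return passed, blocked, first, second


if __name__ == "__main__":
    passed, blocked, first, second = host1_example()
    print(f"passed={passed} blocked={blocked}")
    print("first run:", first)
    print("second run:", second)
```

The second summary run returning nothing is the point of the text above: once the block count has been reported and reset, a host that stays within its limit generates no further summary records, and an empty table generates none at all.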
Troubleshooting Tips
This section describes how to troubleshoot an HP-UX IPFilter configuration. It provides
information about possible problems that might occur along with the steps needed to resolve
them.
• HP-UX IPFilter is not filtering packets (it passes/allows all network packets).
On HP-UX 11i v3 systems, verify that HP-UX IPFilter is enabled by entering the following
command:
ipfilter -q
Troubleshooting Tips 85