HP-UX IPFilter Version 16 Administrator's Guide
3. Dedicate a CPU to each LAN card, if possible. Avoid configuring one CPU to share an
application and a LAN, especially if the application is data or computationally intensive.
Use the HP-UX Processor Set (PSET) utility to separate applications and LAN processing.
4. If you are configuring an intermediate system, dedicate that system to HP-UX IPFilter. Do
not share the system with other standalone applications.
Rule Loading
When you load a large number of new rules to a ruleset, the system must search existing rulesets
for duplicate rules. This slows down the loading process.
For example, if there is no group rule and there are 5000 rules on the system, the system searches
through all 5000 rules to be sure there is no duplication before adding each new rule.
HP-UX IPFilter searches for duplicate rules by group. To speed the search process when loading
rules, divide the rules into groups. See “Improving Performance with Rule Groups” (page 33)
for information on rule groups. HP recommends configuring a maximum of 5000 rules per group
and 5000 groups per system.
You do not need to flush and reload an entire ruleset to modify some rules within the ruleset.
Adding rules that already exist slows processing. If you are modifying a large ruleset, follow
these steps:
1. Find the difference between the new ruleset and the current ruleset using the diff command.
2. Delete the old rules using the ipf -rf command.
3. If your ruleset contains keep limit rules, modify the rules with the ipf -f command.
4. Add the new rules using the ipf -f command. If a rule must be in a specific place in the
ruleset, specify the rule number using @rule_number before the rule.
You can also modify an inactive ruleset and then switch the inactive ruleset for the active ruleset
with the ipf -s command.
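The delta procedure above (steps 1, 2 and 4), as an added shell example that is not part of the HP-UX guide: it computes which rules to delete and which to add from two one-rule-per-line files and runs ipf -rf / ipf -f only when IPF_APPLY=1; the IPF_APPLY variable, the function names and the two sample rulesets are this example's own. The keep limit step (3) and any @rule_number placement are left to the operator.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPFilter guide: apply only the difference
# between the active ruleset and a new one instead of flushing and reloading
# everything. Assumes one rule per line and that ipf(1M) is on PATH when
# IPF_APPLY=1; with IPF_APPLY unset it only reports what it would do.
LC_ALL=C
export LC_ALL

# Normalise a rule file: drop comments and blank lines, sort uniquely so
# comm(1) can compare the two sets.
normalise_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | sort -u
}

# Print rules present in $1 but absent from $2 (step 1: the diff).
rule_delta() {
    a=$(mktemp); b=$(mktemp)
    normalise_rules "$1" > "$a"
    normalise_rules "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Delete obsolete rules (ipf -rf) and add new ones (ipf -f). New rules are
# appended; a rule that must sit at a specific position needs an @rule_number
# prefix in the new file, as described in the guide.
apply_ruleset_delta() {   # $1=current ruleset file, $2=new ruleset file
    del=$(mktemp); add=$(mktemp)
    rule_delta "$1" "$2" > "$del"    # in current, not in new -> delete
    rule_delta "$2" "$1" > "$add"    # in new, not in current -> add
    if [ "${IPF_APPLY:-0}" = 1 ]; then
        [ -s "$del" ] && ipf -rf "$del"   # step 2
        [ -s "$add" ] && ipf -f "$add"    # step 4
    else
        printf 'rules to delete (ipf -rf):\n'; cat "$del"
        printf 'rules to add (ipf -f):\n';     cat "$add"
    fi
    rm -f "$del" "$add"
}

# Constructed sample rulesets for the demonstration (not real site rules).
CURRENT_RULES=$(mktemp); NEW_RULES=$(mktemp)
trap 'rm -f "$CURRENT_RULES" "$NEW_RULES"' EXIT
cat > "$CURRENT_RULES" <<'EOF'
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1
pass in quick proto tcp from 15.13.2.2 to any port = 23 keep limit 2
block in quick proto tcp from any to any port = 113
EOF
cat > "$NEW_RULES" <<'EOF'
# 15.13.2.2 retired, 15.13.2.3 added; the block rule is unchanged
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1
pass in quick proto tcp from 15.13.2.3 to any port = 23 keep limit 3
block in quick proto tcp from any to any port = 113
EOF

apply_ruleset_delta "$CURRENT_RULES" "$NEW_RULES"
```

Only the one retired rule is removed and the one new rule added; the unchanged rules are never re-submitted, which is the duplicate-search cost the guide warns about.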
Rule Configuration
To configure IPFilter rules for optimal system performance:
• Avoid using return-rst whenever possible.
From both security and performance perspectives, it is better for IPFilter to block packets
anonymously rather than returning a Reset packet with a known address.
• Avoid logging whenever possible.
Excessive logging can impact both storage and CPU performance on the system. Determine
the appropriate logging level for your environment.
• Use the quick keyword whenever possible.
The quick keyword stops the rule search as soon as a rule matches the packet. Otherwise,
IPFilter searches the entire ruleset, which can impact performance if there are a large number
of rules.
• Use keep state or keep limit rules whenever possible.
Each connection that matches a keep state or keep limit rule searches the ruleset only
once. Subsequent packets for that connection match the existing state entry and do not
search the rest of the ruleset.
• Use group rules whenever possible.
For more information, see “Improving Performance with Rule Groups” (page 33).
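A pre-load audit of a rule file against the five recommendations above, as an added example that is not from the guide: it counts rules that use return-rst or log, rules without quick, rules with keep state or keep limit, and rules assigned to a group. The function names and the sample ruleset are constructed for this example, and the matching is textual keyword matching rather than a full parse of the rule syntax.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPFilter guide: count how many rules in a
# file go against the performance recommendations (return-rst, log, missing
# quick, missing keep state/limit, no group). Assumes one rule per line.
LC_ALL=C
export LC_ALL

# Rules only: comments and blank lines removed.
active_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Number of rules containing an extended regex as a whole word.
# "|| true" keeps the count at 0 instead of failing when nothing matches.
count_rules() {   # $1=file $2=ERE
    active_rules "$1" | grep -E -c -w -- "$2" || true
}

# One "key=value" summary line for the whole file.
audit_ruleset() {   # $1=file
    total=$(active_rules "$1" | wc -l | tr -d ' ')
    no_quick=$(active_rules "$1" | grep -v -w quick | wc -l | tr -d ' ')
    printf 'total=%s no_quick=%s return_rst=%s log=%s stateful=%s grouped=%s\n' \
        "$total" "$no_quick" \
        "$(count_rules "$1" 'return-rst')" \
        "$(count_rules "$1" 'log')" \
        "$(count_rules "$1" 'keep (state|limit)')" \
        "$(count_rules "$1" 'group')"
}

# Exit status 1 when any rule uses return-rst, so a load script can gate on it.
no_return_rst() {   # $1=file
    [ "$(count_rules "$1" 'return-rst')" -eq 0 ]
}

# Constructed sample ruleset (not real site rules).
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample ruleset
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1
block return-rst in log proto tcp from any to any port = 113
pass in proto tcp from any to any port = 80 keep state
block in all
EOF

audit_ruleset "$SAMPLE_RULES"
if no_return_rst "$SAMPLE_RULES"; then
    echo "no return-rst rules"
else
    echo "return-rst present: consider blocking silently instead"
fi
```

Run against a candidate rule file before loading it; a high no_quick count or any return_rst/log count is the place to start when a ruleset is slower than expected.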
In the following example, a connection from 15.13.104.72 must search 102 rules before finding
a match.
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1
pass in quick proto tcp from 15.13.2.2 to any port = 23 keep limit 2
.
(15.13.2.3 to 15.13.2.99)
.
140 Performance Guidelines