HP-UX IPFilter Version 16 Administrator's Guide
pass in quick proto tcp from 15.13.2.100 to any port = 23 keep limit 100
pass in quick proto tcp from 15.13.103.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.104.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.105.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.106.0/24 to any port = 23 keep limit 500
pass in log limit freq 20 quick proto tcp from any to any port = 23 keep limit 4
If the ruleset in the previous example is modified to use the group keyword, a packet needs to be
checked against only four rules before a match is found. For example:
pass in quick proto tcp from 15.13.2.1-15.13.2.100 to any port = 23 head 1
pass in quick proto tcp from 15.13.2.1 to any port = 23 keep limit 1 group 1
pass in quick proto tcp from 15.13.2.2 to any port = 23 keep limit 2 group 1
. . . (rules for 15.13.2.3 through 15.13.2.99 omitted) . . .
pass in quick proto tcp from 15.13.2.100 to any port = 23 keep limit 100 group 1
pass in quick proto tcp from 15.13.103.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.104.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.105.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.106.0/24 to any port = 23 keep limit 500
pass in log limit freq 20 quick proto tcp from any to any port = 23 keep limit 4
• Consolidate rules whenever possible, to minimize searching. For example:
pass in quick proto tcp from 15.13.103.72 to any keep limit 80
pass in quick proto tcp from 15.13.103.0-15.13.103.6 to any keep limit 44
pass in quick proto tcp from 15.13.103.7 to any keep limit 33
pass in quick proto tcp from 15.13.103.8 to any keep limit 33
pass in quick proto tcp from 15.13.103.9 to any keep limit 33
pass in quick proto tcp from 15.13.103.10-15.13.103.255 to any keep limit 44
pass in quick proto tcp from 15.13.104.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.105.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.106.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.107.0-15.13.107.78 to any keep limit 44
The previous ruleset can be condensed to the following:
pass in quick proto tcp from 15.13.103.0-15.13.107.78 to any keep limit 33 head 1
pass in quick proto tcp from 15.13.103.72 to any keep limit 80 group 1
pass in quick proto tcp from !15.13.103.7-15.13.103.9 to any keep limit 44 group 1
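To make the effect of head and group concrete, the following Python model is added here (it is not part of the HP-UX guide and not IPFilter code). It parses the subset of rule syntax used in the examples above, walks a ruleset the way the guide describes (quick stops at the first match; a matching head rule sends the packet into its group, and the head rule's own action stands if nothing in the group matches), and reports both the keep limit that wins and how many rules were examined. The per-host rules the guide elides are reconstructed by assumption, one rule per address from 15.13.2.1 to 15.13.2.100 with the keep limit equal to the last octet, following the three rules the guide does show. The same model checks that the condensed three-rule set assigns every source in 15.13.103.0 to 15.13.107.255 the same keep limit as the ten-rule set it replaces.

```python
"""Model of IPFilter rule traversal with head/group (added example, not vendor code).
Covers only the rule syntax used in the guide's examples."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    text: str
    src: Optional[Tuple[int, int]]   # inclusive source range as ints; None = "any"
    negate: bool                     # "!" prefix on the source spec
    quick: bool
    limit: Optional[int]             # "keep limit N"
    head: Optional[int]              # "head N": group N is searched when this rule matches
    group: Optional[int]             # "group N": only reached through head N

    def matches(self, ip: int) -> bool:
        if self.src is None:
            return True
        lo, hi = self.src
        hit = lo <= ip <= hi
        return (not hit) if self.negate else hit


def parse_src(tok: str) -> Tuple[Optional[Tuple[int, int]], bool]:
    """Source spec: any | a.b.c.d | a.b.c.d/nn | a.b.c.d-e.f.g.h, optionally '!'-negated."""
    if tok == "any":
        return None, False
    negate = tok.startswith("!")
    tok = tok.lstrip("!")
    if "-" in tok:
        lo_s, hi_s = tok.split("-", 1)
        lo, hi = int(ipaddress.ip_address(lo_s)), int(ipaddress.ip_address(hi_s))
    elif "/" in tok:
        net = ipaddress.ip_network(tok, strict=False)
        lo, hi = int(net[0]), int(net[-1])
    else:
        lo = hi = int(ipaddress.ip_address(tok))
    return (lo, hi), negate


def parse_rule(line: str) -> Rule:
    src, negate = parse_src(re.search(r"\bfrom (\S+)", line).group(1))

    def num(key: str) -> Optional[int]:
        m = re.search(rf"\b{key} (\d+)", line)
        return int(m.group(1)) if m else None

    return Rule(line, src, negate, " quick " in f" {line} ",
                num("keep limit"), num("head"), num("group"))


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l.strip()) for l in text.strip().splitlines() if l.strip()]


def lookup(rules: List[Rule], ip_str: str) -> Tuple[Optional[int], int]:
    """Return (keep limit of the winning rule, number of rules examined)."""
    ip = int(ipaddress.ip_address(ip_str))
    examined = 0
    winner: Optional[Rule] = None

    def walk(group_id: Optional[int]) -> bool:
        nonlocal examined, winner
        for r in rules:
            if r.group != group_id:      # group rules are skipped unless their head matched
                continue
            examined += 1
            if not r.matches(ip):
                continue
            winner = r                   # last match wins unless a quick rule ends the search
            if r.head is not None and walk(r.head):
                return True              # a quick match inside the group settled it
            if r.quick:
                return True
        return False

    walk(None)
    return (winner.limit if winner else None), examined


def per_host_rules(suffix: str = "") -> str:
    """Assumed expansion of the elided per-host rules: keep limit equals the last octet."""
    return "\n".join(
        f"pass in quick proto tcp from 15.13.2.{i} to any port = 23 keep limit {i}{suffix}"
        for i in range(1, 101))


SUBNETS = """
pass in quick proto tcp from 15.13.103.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.104.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.105.0/24 to any port = 23 keep limit 500
pass in quick proto tcp from 15.13.106.0/24 to any port = 23 keep limit 500
pass in log limit freq 20 quick proto tcp from any to any port = 23 keep limit 4
"""
LINEAR = parse_ruleset(per_host_rules() + SUBNETS)
GROUPED = parse_ruleset(
    "pass in quick proto tcp from 15.13.2.1-15.13.2.100 to any port = 23 head 1\n"
    + per_host_rules(" group 1") + SUBNETS)

VERBOSE = parse_ruleset("""
pass in quick proto tcp from 15.13.103.72 to any keep limit 80
pass in quick proto tcp from 15.13.103.0-15.13.103.6 to any keep limit 44
pass in quick proto tcp from 15.13.103.7 to any keep limit 33
pass in quick proto tcp from 15.13.103.8 to any keep limit 33
pass in quick proto tcp from 15.13.103.9 to any keep limit 33
pass in quick proto tcp from 15.13.103.10-15.13.103.255 to any keep limit 44
pass in quick proto tcp from 15.13.104.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.105.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.106.0/24 to any keep limit 44
pass in quick proto tcp from 15.13.107.0-15.13.107.78 to any keep limit 44
""")
CONDENSED = parse_ruleset("""
pass in quick proto tcp from 15.13.103.0-15.13.107.78 to any keep limit 33 head 1
pass in quick proto tcp from 15.13.103.72 to any keep limit 80 group 1
pass in quick proto tcp from !15.13.103.7-15.13.103.9 to any keep limit 44 group 1
""")
# Constructed sample sources: every host in 15.13.103.0/24 through 15.13.107.0/24.
SAMPLE_SOURCES = [f"15.13.{n}.{h}" for n in range(103, 108) for h in range(256)]


def same_limits(a: List[Rule], b: List[Rule], ips: List[str]) -> bool:
    """True when both rulesets assign every sample source the same keep limit."""
    return all(lookup(a, ip)[0] == lookup(b, ip)[0] for ip in ips)


if __name__ == "__main__":
    for ip in ("15.13.2.50", "15.13.106.5", "10.0.0.1"):
        print(ip, "linear (limit, examined):", lookup(LINEAR, ip),
              "grouped:", lookup(GROUPED, ip))
    print("condensed ruleset equivalent:", same_limits(VERBOSE, CONDENSED, SAMPLE_SOURCES))
```

The model counts the head rule itself as one examined rule, so a source in 15.13.106.0/24 is checked against five rules in the grouped set instead of 104 in the linear one; the group rules are never touched for a source outside 15.13.2.1-15.13.2.100. In the condensed set, 15.13.103.7 through 15.13.103.9 fall through the group and take the head rule's limit of 33, which is what lets three rules replace ten.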
• For keep limit rules, avoid the cumulative rule whenever possible.
If a large number of connections share the same source IP, destination IP, and destination
port, cumulative rules degrade system performance. Non-cumulative keep limit rules maintain a
cache keyed on the source IP, destination IP, and destination port; cumulative rules do not
maintain a cache keyed on these parameters.
Traffic
To manage IPFilter for optimal system performance:
• Keep the state entries at a manageable level. A large number of state entries requires many
CPU cycles to process them. Too many state entries can cause noticeable performance
degradation on a system.
• Keep packet searches on rulesets as short as possible. On a 750-MHz PA-RISC system, a
1000- to 2000-rule search is acceptable. If IPFilter traffic is light, a 5000-rule search is the
recommended maximum. The optimal number of rules depends on your specific
operating environment, including factors such as the type of rules and the amount of traffic.
• Keep IPFilter traffic at a manageable level. Do not run at peak load all the time. Keep the
average CPU usage rate at around 60% to accommodate unexpected peak loads. At peak
load times the system compensates with schemes such as dropping packets. However, it is
never a good idea to push a system beyond its intended capacity.
For example, the normal region in Figure E-2 shows normal system operation. The system should
not operate in the marginal region for a long period of time. Configure your system to raise an
alarm if the system reaches the critical level. Define these criteria based on your operating
environment.
Traffic 141