HP-UX IPFilter Version 16 Administrator's Guide

DCA Rule Syntax and Keywords
The basic DCA syntax is as follows:
pass in quick proto tcp from source_ip|any to dest_ip|any [port = port_num] keep limit limit_num
The keep limit keywords indicate that this is a DCA rule.
In addition, you can use the return-rst keyword in a DCA rule, and the following keywords that are specific to DCA:
cumulative
log limit
log limit freq
The syntax for using these keywords is as follows:
pass [return-rst] in [log limit [freq num]] quick proto tcp from source_ip|any to dest_ip|any [port = port_num] keep limit limit_num [cumulative]
The DCA keywords are described in the sections that follow.
DCA Rule Conditions
The keep limit keywords indicate that the rule is a DCA rule. In addition, a DCA rule must conform to the following conditions:
The rule must be a quick rule.
The rule must be an in rule.
The rule can be used only with proto tcp.
The log limit and log limit freq keywords can only be used with the keep limit rule.
The source port must be a wildcard (not specified).
The connection limit specified in a keep limit rule must be a non-zero, positive number. You cannot specify keep limit 0.
You cannot use the keep state keywords and the keep limit keywords in the same rule.
IPFilter creates a state table entry for each TCP connection that matches a DCA rule. If the connection exceeds the configured limit, IPFilter deletes the state table entry and refuses the connection request. If IPFilter cannot add an entry to the state table for a connection request (for example, because the memory reserved for DCA data is exhausted), it allows the connection request to pass; in other words, the limit fails open rather than closed. See “Monitoring and Allocating Memory for DCA Data” (page 54) for more information.
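The conditions above can be checked mechanically before a rule is loaded. The following is an added example (not part of the guide or of IPFilter itself) that tokenizes a single rule line and reports which DCA conditions it violates; the rule strings it is exercised with are constructed for illustration.

```python
import re


def check_dca_rule(rule: str) -> list:
    """Return the DCA conditions the rule violates (an empty list means a well-formed DCA rule).

    Assumes one rule per line in the keyword order the guide's syntax line shows.
    """
    toks = rule.split()
    problems = []

    # 'keep limit <n>' is what makes a rule a DCA rule in the first place.
    m = re.search(r"\bkeep\s+limit(?:\s+(\S+))?", rule)
    if m is None:
        problems.append("not a DCA rule: 'keep limit' keywords missing")
        if re.search(r"\blog\s+limit\b", rule):
            problems.append("'log limit' is only valid together with 'keep limit'")
        return problems

    # The limit must be a non-zero positive integer (keep limit 0 is rejected).
    limit = m.group(1)
    if limit is None or not limit.isdigit() or int(limit) == 0:
        problems.append("keep limit value must be a non-zero positive number")

    # Action, quick, direction and protocol conditions.
    if not toks or toks[0] != "pass":
        problems.append("DCA rules use the pass action")
    if "quick" not in toks:
        problems.append("rule must be a quick rule")
    if "in" not in toks:
        problems.append("rule must be an in rule")
    if "proto" not in toks or toks[toks.index("proto") + 1:][:1] != ["tcp"]:
        problems.append("rule can be used only with proto tcp")

    # keep state and keep limit are mutually exclusive.
    if re.search(r"\bkeep\s+state\b", rule):
        problems.append("keep state and keep limit cannot appear in the same rule")

    # The source port must be unspecified: nothing between 'from' and 'to' may name a port.
    if "from" not in toks or "to" not in toks:
        problems.append("rule must contain 'from <source> to <destination>'")
    else:
        source_spec = toks[toks.index("from") + 1:toks.index("to")]
        if "port" in source_spec:
            problems.append("source port must be a wildcard (not specified)")

    return problems
```

Running `check_dca_rule` over an ipf.conf file line by line before `ipf -f` gives a quick pre-load sanity check; a rule that passes here still needs the memory checks described on page 54.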
keep limit: Limiting Connections
Use the keep limit keyword to limit the number of connections made to an IPFilter system at a given time. Connections can be limited per IP address, per subnet, cumulatively across all sources, or by a default limit applied to each individual source.
Limiting Connections by IP Address
The following rule is an example of a DCA rule that limits connections by IP address:
pass in quick proto tcp from 10.2.2.2 to any port = 25 keep limit 5
The example rule limits the maximum concurrent connections to five from IP address 10.2.2.2
to the SMTP port 25 of any host. If the limit is exceeded, IPFilter will block additional connection
requests from 10.2.2.2.
DCA Rule Syntax and Keywords 45