HP-UX IPFilter Version 16 Administrator's Guide

Limiting Connections by Subnet
The following rule is an example of a DCA rule that limits connections by IP subnet:
pass in quick proto tcp from 192.168.5.0/24 to any port = 25 keep limit 4
This rule limits the maximum concurrent TCP connections to four from any individual host in
subnet 192.168.5.0/24 to port 25 of any host.
Limiting Connections by IP Address Range
The following rule is an example of a DCA rule that limits connections for each IP address within
an IP address range:
pass in quick proto tcp from 10.10.10.1-10.10.20.1 to any port = 25 keep limit 15
This rule allows a maximum of 15 concurrent connections to port 25 from each individual IP address
within the address range 10.10.10.1-10.10.20.1; the count is kept separately for every address.
Default Individual Connection Limits
Use the following syntax to create default individual connection limits:
pass [return-rst] in proto tcp from any to any [port = port_num] keep limit limit_num
For example:
pass in proto tcp from any to any port = 25 keep limit 5
This rule specifies a connection limit of 5 for all hosts when trying to connect to port 25.
IMPORTANT: The default individual connection limit must be the last rule in the configuration
file.
return-rst: Returning RESET Packets
You can use the return-rst keyword in a DCA rule to send a TCP Reset packet to the TCP
peer when IPFilter receives a connection request and the number of connections for the rule
exceeds the limit. Using the following rule, if the system has five SMTP connections established
from IP address 10.2.2.2 and receives a connection request for a sixth connection from that address,
IPFilter will send a TCP Reset packet to the TCP peer.
pass return-rst in quick proto tcp from 10.2.2.2 to any port = 25 keep limit 5
cumulative: Limiting Cumulative Connections
Use the cumulative keyword at the end of a DCA rule to limit connections using a pooled
cumulative limit for all source addresses in a subnet or address range. For example, the following
rule limits the total concurrent connections to 15 from all hosts in subnet 10.10.10.0/24 to port 25:
pass in quick proto tcp from 10.10.10.0/24 to any port = 25 keep limit 15 cumulative
If you do not specify a destination port, IPFilter maintains a separate cumulative limit count for
each destination port. The following rule allows a maximum of 15 concurrent connections from subnet
10.10.10.0/24 to each TCP port on the local system. Using this rule, the system can have 15
concurrent connections to the SMTP service, 15 concurrent connections to the HTTP service,
15 concurrent connections to the telnet service, and so on, all from that subnet:
pass in quick proto tcp from 10.10.10.0/24 to any keep limit 15 cumulative
log limit: Logging Exceeded Connections
Use the log limit option to log each connection request that is refused because it would exceed
the limit configured in a keep limit rule. For example, where host1 and Server are host names the
system can resolve when the rules are loaded:
pass in log limit quick proto tcp from host1 to Server keep limit 10
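The counting behaviour described in the sections above (a separate count per source host, a pooled count with cumulative, a separate pooled count per destination port when no port is given, return-rst on overflow, the non-quick default rule placed last, and log limit) is easiest to see side by side in a small model. The following Python script is an added illustration and is not HP-UX IPFilter code; it implements IPFilter's first-match-with-quick, otherwise last-match rule selection and the DCA counters as this guide describes them, over a constructed sequence of connection requests. The Rule and DCATracker names, the verdict strings and the sample addresses are assumptions made for the example.

```python
"""Model of HP-UX IPFilter DCA 'keep limit' accounting (added illustration, not IPFilter code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    src: str                  # "any", a CIDR, an "a.b.c.d-e.f.g.h" range, or one address
    dport: Optional[int]      # None models a rule without a 'port =' clause
    limit: int                # the 'keep limit' value
    cumulative: bool = False  # pooled count for the whole source specification
    quick: bool = False       # stop evaluating further rules on a match
    return_rst: bool = False  # send a TCP reset instead of silently dropping
    log: bool = False         # 'log limit': record refused connection requests

    def matches(self, src: str, dport: int) -> bool:
        """True if a SYN from src to destination port dport matches this rule."""
        if self.dport is not None and self.dport != dport:
            return False
        if self.src == "any":
            return True
        ip = ipaddress.ip_address(src)
        if "-" in self.src:
            lo, hi = (ipaddress.ip_address(x) for x in self.src.split("-"))
            return lo <= ip <= hi
        return ip in ipaddress.ip_network(self.src, strict=False)


class DCATracker:
    """Tracks concurrent connections per rule and per bucket (host or pool, per port)."""

    def __init__(self, rules):
        self.rules = rules
        self.counts = {}   # (rule index, bucket) -> concurrent connections admitted
        self.active = {}   # (src, sport, dport) -> (rule index, bucket), for decrementing
        self.log = []      # constructed log lines for 'log limit'

    def _select(self, src: str, dport: int) -> Optional[int]:
        """IPFilter selection: a quick match wins immediately, otherwise the last match wins."""
        chosen = None
        for i, rule in enumerate(self.rules):
            if rule.matches(src, dport):
                chosen = i
                if rule.quick:
                    break
        return chosen

    def open(self, src: str, sport: int, dport: int) -> str:
        """Admit or refuse a new connection; returns 'pass', 'block', 'rst' or 'no_rule'."""
        i = self._select(src, dport)
        if i is None:
            return "no_rule"   # no keep-limit rule applies; outside this model
        rule = self.rules[i]
        # cumulative pools all sources; without a port clause, each dest port has its own count
        bucket = ("pool" if rule.cumulative else src, dport)
        key = (i, bucket)
        if self.counts.get(key, 0) >= rule.limit:
            if rule.log:
                self.log.append(f"limit exceeded rule {i} {src}:{sport} -> port {dport}")
            return "rst" if rule.return_rst else "block"
        self.counts[key] = self.counts.get(key, 0) + 1
        self.active[(src, sport, dport)] = key
        return "pass"

    def close(self, src: str, sport: int, dport: int) -> None:
        """Connection torn down: release its slot so a new one may be admitted."""
        self.counts[self.active.pop((src, sport, dport))] -= 1


def demo() -> dict:
    """Run the guide's rule patterns against constructed connection requests."""
    rules = [
        Rule("192.168.5.0/24", 25, 4, quick=True, log=True),          # per-host limit, logged
        Rule("10.10.10.0/24", 25, 15, cumulative=True, quick=True),   # pooled limit on port 25
        Rule("10.2.2.2", 25, 5, quick=True, return_rst=True),         # reset when exceeded
        Rule("10.10.10.0/24", None, 15, cumulative=True, quick=True), # pooled, per destination port
        Rule("any", 25, 5),                                           # default limit, last, not quick
    ]
    t = DCATracker(rules)
    out = {}
    out["host_4"] = [t.open("192.168.5.10", 40000 + n, 25) for n in range(4)]
    out["host_5th"] = t.open("192.168.5.10", 40004, 25)          # 5th from same host refused
    out["other_host"] = t.open("192.168.5.11", 40000, 25)        # other hosts count separately
    out["pool_15"] = [t.open(f"10.10.10.{n}", 50000, 25) for n in range(1, 16)]
    out["pool_16th"] = t.open("10.10.10.99", 50000, 25)          # pool for port 25 is full
    out["pool_port80"] = t.open("10.10.10.99", 50001, 80)        # port 80 has its own pool
    out["rst_5"] = [t.open("10.2.2.2", 60000 + n, 25) for n in range(5)]
    out["rst_6th"] = t.open("10.2.2.2", 60005, 25)               # return-rst answers with a reset
    out["default_5"] = [t.open("172.16.0.5", 30000 + n, 25) for n in range(5)]
    out["default_6th"] = t.open("172.16.0.5", 30005, 25)         # default rule applies
    t.close("192.168.5.10", 40000, 25)
    out["after_close"] = t.open("192.168.5.10", 40005, 25)       # slot freed, admitted again
    out["logged"] = list(t.log)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the default rule non-quick and last: a request from 172.16.0.5 matches no quick rule, so the last matching rule decides, which is exactly why the guide requires the default individual limit to be the final rule in the file.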