HP-UX IPFilter Version 16 Administrator's Guide

ipf -D interface_name
ipf -m option
See “Viewing IPFilter Statistics and Active Rules with ipfstat” (page 70):
ipfstat -L
ipfstat -vL
ipfstat -r group:rule
See “Using ipmon to View IPFilter Log Entries” (page 80):
ipmon -r
DCA also provides logging records that can serve as alert messages or as a summary of the
connections made from a specific IP address. You can use the log records to identify IP addresses
or subnets that you want to limit or block.
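The following script is an added example and is not part of the HP-UX IPFilter guide. It summarises a constructed, embedded ipmon-style log excerpt by source address so that an administrator can see which hosts generate the most blocked entries before deciding what to limit. The log line layout it parses (date, time, interface, @group:rule, action letter, source,port -> destination,port) is an assumption; check it against your own ipmon output before pointing the script at a real log file.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPFilter guide).
# Summarise ipmon-style log records by source address.
# Assumed record layout (verify against your ipmon output):
#   date time ifname @group:rule action src,sport -> dst,dport PR proto ...
# where action is "p" (passed) or "b" (blocked).

# Constructed sample log excerpt; addresses are documentation ranges.
SAMPLE_LOG='03/04/2024 09:12:01.100000 lan0 @0:3 b 192.0.2.10,40001 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
03/04/2024 09:12:01.200000 lan0 @0:3 b 192.0.2.10,40002 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
03/04/2024 09:12:02.300000 lan0 @0:1 p 192.0.2.77,51000 -> 198.51.100.5,80 PR tcp len 20 60 -S IN
03/04/2024 09:12:03.400000 lan0 @0:3 b 192.0.2.10,40003 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
03/04/2024 09:12:04.500000 lan0 @0:3 b 192.0.2.44,40100 -> 198.51.100.5,22 PR tcp len 20 60 -S IN'

# count_by_source ACTION
# Print "count source-address" lines for records whose action field matches
# ACTION ("b" or "p"), most frequent source first.
count_by_source() {
    action="$1"
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v act="$action" '
        $5 == act { split($6, s, ","); n[s[1]]++ }      # strip the ",port" suffix
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' |
    sort -rn
}

# top_blocked THRESHOLD
# Print source addresses with at least THRESHOLD blocked records; these are
# the candidates to review for a keep limit rule or a block rule.
top_blocked() {
    count_by_source b | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "Blocked records per source:"
count_by_source b
echo "Sources with 3 or more blocked records:"
top_blocked 3
```

To run it against a real log, replace the embedded sample with the output of ipmon or the contents of the ipmon log file, and confirm that the action letter and the source field sit in the fifth and sixth whitespace-separated columns of your records.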
keep limit Rules and Rule Hits
Each time IPFilter processes a packet that matches a rule, IPFilter increments the hit count for
the matching rule, whether or not that rule is the final rule (the rule whose action is applied).
For example:
• A packet matches a non-quick rule. If a later rule on the list also matches, IPFilter
increments the hit count for both matching rules.
• A packet matches a rule that is a group head. If a matching rule is also found within the
group, IPFilter increments the hit count for both matching rules.
You can display rule hit counts using the command ipfstat -ioh. This command is useful
for troubleshooting, along with ipfstat -sl and ipfstat -vL, which allow connections
to be examined in real time. Finally, logging can be used to analyze the history of past
connections.
Limits and Hit Counts
Configuring rules with cumulative and noncumulative limits affects rule hit counts, because
IPFilter registers rule hits differently for the two kinds of limit. A rule hit is usually
registered only once for a noncumulative limit: IPFilter creates a limit entry when a connection
matches a noncumulative keep limit rule, and subsequent connections are controlled by that limit
entry.
For cumulative limits, each new connection requires a rule walk, so each new connection registers
a rule hit and increments the rule hit count.
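The following script is an added example and is not part of the HP-UX IPFilter guide. It illustrates the hit-count behaviour described in the two sections above: a group head is credited with every packet that reaches the group, so its count is at least the sum of the counts of the rules inside the group, and a rule whose count stays at zero is worth reviewing for ordering mistakes. The listing it parses is a constructed stand-in for ipfstat -ioh output, assumed to carry the hit count as the first field of each rule line; verify that against your own ipfstat output before using it on a live system.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPFilter guide).
# Check rule hit counts in an ipfstat -ioh style listing.
# Assumed layout (verify against your own output): "<hits> <rule text>".

# Constructed sample listing: a group head (rule with "head 100") and three
# rules inside group 100, plus one ungrouped rule.
SAMPLE_STAT='12 block in log on lan0 from any to any head 100
 8 block in quick on lan0 from 192.0.2.10/32 to any group 100
 4 pass in quick on lan0 proto tcp from any to any port = 22 keep state keep limit 5 group 100
 0 pass in quick on lan0 proto tcp from any to any port = 23 keep state group 100
 3 block out on lan0 from any to any'

# head_hits GROUP: hit count of the rule that is the head of GROUP.
head_hits() {
    printf '%s\n' "$SAMPLE_STAT" |
    awk -v g="$1" '{ for (i = 2; i < NF; i++)
                         if ($i == "head" && $(i + 1) == g) print $1 }'
}

# group_hits GROUP: sum of hit counts of the rules inside GROUP.
# Every packet that hits a member rule also hit the head, so this sum can
# never legitimately exceed head_hits for the same group.
group_hits() {
    printf '%s\n' "$SAMPLE_STAT" |
    awk -v g="$1" '{ for (i = 2; i < NF; i++)
                         if ($i == "group" && $(i + 1) == g) sum += $1 }
                   END { print sum + 0 }'
}

# unhit_rules: rule text of every rule whose hit count is zero.
unhit_rules() {
    printf '%s\n' "$SAMPLE_STAT" |
    awk '$1 == 0 { sub(/^[ \t]*[0-9]+[ \t]+/, ""); print }'
}

# head_consistent GROUP: prints "ok" when the head count is at least the sum
# of its members, "inconsistent" otherwise (which would indicate the listing
# was not taken from a single snapshot or the assumed layout is wrong).
head_consistent() {
    if [ "$(head_hits "$1")" -ge "$(group_hits "$1")" ]; then
        echo ok
    else
        echo inconsistent
    fi
}

echo "Group 100 head hits:    $(head_hits 100)"
echo "Group 100 member hits:  $(group_hits 100)"
echo "Head/member check:      $(head_consistent 100)"
echo "Rules with zero hits:"
unhit_rules
```

In the sample, the head shows 12 hits and its members 8 + 4 + 0 = 12, which is the double counting the guide describes: the same packets were counted once on the head and once on the member rule that finally matched. A head count larger than the member sum would mean some packets entered the group without matching any member rule.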
Using IPFilter Utilities with DCA 53