HP-UX IPFilter Version 17 Administrator's Guide
C HP-UX IPFilter Kernel Tunable Parameters
HP-UX IPFilter supports kernel tunable parameters that affect IPFilter behavior. This chapter
describes the parameters and how to configure them. This chapter contains the following sections:
• “Overview”
• “fr_tcpidletimeout”
• “fr_statemax”
• “ipf_icmp6_passthru”
• “ipl_buffer_sz”
• “ipl_suppress”
• “ipl_logall”
• “Configuring and Viewing Kernel Tunable Parameters”
• “Enabling and Disabling NAT Functionality”
C.1 Overview
HP-UX IPFilter supports the following kernel tunable parameters:
| Name | Description | Default Value |
|------|-------------|---------------|
| fr_tcpidletimeout | The timeout period for TCP entries in the state table. | 86,400 seconds |
| fr_statemax | Specifies the maximum number of state table entries that can be created. | 800,000 entries |
| ipf_icmp6_passthru | If set to 0, IPFilter allows ICMPv6 Router Discovery and Neighbor Discovery messages to bypass normal IPFilter rule processing and always pass through the system. | 0 |
| ipl_buffer_sz | Size of the IPFilter logging buffer for /dev/ipl. | 8192 bytes |
| ipl_suppress | If enabled (set to 1), IPFilter does not write identical log records separately, but counts them as Nx, where N is the number of times the log record occurs. | 1 (enabled) |
| ipl_logall | If enabled (set to 1), IPFilter includes the entire packet when the log body keywords are specified in a rule. Otherwise, it includes only the first 128 bytes. | 0 (disabled) |
| ipnat_enable | Used to enable or disable NAT functionality. Value can be 0 or 1. This is supported on 11.23 and 11.31. It is modified using the kctune command. | 1 (enabled) |
| fr_tcptimewait | Used to set TCP state entry age at system level after connection is closed. Value can be between 2-120 Sec. This is supported only on 11.31. It is modified using the kctune command. | 120 Sec (enabled) |
| frnat_tcptimewait | Used to set TCP NAT entry age at system level after connection is closed. Value can be between 2-120 Sec. This is supported only on 11.31. It is modified using the kctune command. | 120 Sec |
The following sections provide information about the remaining kernel tunable parameters and
how to use the kctune, kmtune, and ndd commands to configure these parameters.