HP-UX IPFilter Version 17 Administrator's Guide
5.9 Loading and Modifying DCA Rules
The following sections describe how to load and modify DCA rules when HP-UX IPFilter is
running.
NOTE: HP recommends configuring a redundant rule (such as pass in all) in all DCA rule
files. IPFilter does not process packets without a rule.
To load DCA rules, use the ipf utility to read the new rules from a file:
ipf -f rules_file
To load IPv6 DCA rules, specify the -6 option:
ipf -6 -f rules_file
NOTE: When you load a ruleset, the new rules normally affect all matching packets immediately,
including packets for established connections. However, IPFilter creates state table entries for
packets matching DCA rules, and if the DCA rule is noncumulative, IPFilter continues to apply
the action in the state table for subsequent packets that match the state table entry until the state
table entry times out or is deleted.
To force a new rule to take effect immediately, follow the procedures described in “Updating
keep limit Rules” (page 57). Alternatively, use the following procedure to modify an inactive rules
file and switch it with the active rules file:
1. Enter the following command to add or modify rules in an inactive rules file:
ipf [-6] -I -f rules_file
2. Run the following command to switch the active rules file with the inactive rules file you
modified:
ipf [-6] -s
When you modify an inactive rules file, then switch it with an active rules file, DCA processes
new connections according to the new rules file whether or not there are existing connection
limit entries in the limit table.
TIP: For performance-critical applications, HP recommends that you load rules into the inactive
list, then switch the inactive rules file with the active rules file.
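The stage-and-swap procedure above, as a small POSIX sh wrapper (an added example, not part of the HP-UX IPFilter guide). It assumes ipf(8) accepts the -I, -f, -s and -6 options exactly as documented above, refuses a file that lacks the redundant catch-all rule the NOTE recommends, and lets the IPF variable point at a stand-in for dry runs; the function names are the example's own.

```shell
#!/bin/sh
# Stage a DCA rules file into the inactive list, then swap it active.
# Added example; assumes ipf(8) with -I/-f/-s/-6 as described in the guide.
# IPF may be overridden (e.g. to a logging stub) for a dry run.
IPF="${IPF:-ipf}"

# has_default_rule FILE: succeeds if FILE contains a catch-all rule such
# as "pass in all" or "block in all" (optionally with log/quick), which
# the guide recommends so that no packet goes unmatched.
has_default_rule() {
    grep -Eq '^[[:space:]]*(pass|block)[[:space:]]+(in|out)([[:space:]]+(log|quick))*[[:space:]]+all([[:space:]]|$)' "$1"
}

# stage_and_swap FILE [-6]: validate FILE, load it into the inactive
# rules list (ipf -I -f), then switch inactive and active lists (ipf -s).
# Returns 1 if FILE is unreadable, 2 if it lacks a catch-all rule,
# otherwise the exit status of the ipf command that failed (0 on success).
stage_and_swap() {
    file="$1"
    v6="${2:-}"
    [ -r "$file" ] || { echo "stage_and_swap: cannot read $file" >&2; return 1; }
    has_default_rule "$file" || {
        echo "stage_and_swap: $file has no catch-all rule (e.g. pass in all)" >&2
        return 2
    }
    # Step 1: add the rules to the inactive list without touching live traffic.
    "$IPF" $v6 -I -f "$file" || return $?
    # Step 2: make the staged list active; new connections now use it.
    "$IPF" $v6 -s
}
```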
5.9.1 Updating keep limit Rules
The following sections describe procedures for updating keep limit rules.
5.9.1.1 Changing the Current Individual, Subnet, or IP Address Range Rule
You can dynamically lower the number of connections a keep limit rule allows without letting
DCA pass unwanted packets while it activates the updated rules. You can also increase the
connection limit for an IP address, subnet, or IP address range.
For example, your IPFilter system has many connections coming from a specific IP address range.
You have a keep limit rule configured for that IP address range. You want to lower the
connection limit in the rule so that DCA starts using the new limit immediately, before more
packets from the suspect IP address range can pass through.
To change the number of connections allowed by a keep limit rule: