HP-UX IPFilter Version 17 Administrator's Guide
-v
Sets verbose mode. Use for debugging.
NOTE: Statistics counters cannot increment when both active in and out
rulesets are empty. This is due to a performance optimization that bypasses
IPFilter when there are no active rulesets present.
9.1.3 Examples
# ipfstat
dropped packets: in 0 out 0
non-data packets: in 0 out 0
no-data packets: in 0 out 0
non-ip packets: in 0 out 0
bad packets: in 0 out 0
copied messages: in 0 out 0
input packets: blocked 15 passed 2647 nomatch 2537 counted 0 short 0
output packets: blocked 0 passed 245 nomatch 141 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
TCP connections: in 5 out 50
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 5 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 14 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
The TCP Connections statistics are derived from the number of states added and are accurate
only when keep limit or keep state rules are used for all TCP connections.
For example, suppose you have the following ruleset:
pass in log limit freq 500 quick proto tcp from any to any port = 80 keep limit 100
pass in log quick proto tcp from any to any port = 25 flags S keep state
pass in log quick proto tcp from any to any port = 23
pass out log quick proto tcp from any port = 23 to any
Only connections that match the first two rules are counted. The third and fourth rules both
allow telnet connections, but those connections are not counted because the system is not
keeping state on them.
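One way to find the rules that cause this undercount, as an added example that is not part of the HP guide: the function below reads a ruleset and lists every pass rule that can match TCP but has neither keep state nor keep limit. The function names are hypothetical, and a rule with no proto keyword is assumed to match all protocols, TCP included.

```shell
#!/bin/sh
# Added example (not from the HP guide): list the pass rules whose TCP
# connections will not appear in the "TCP connections" counter of ipfstat.

# uncounted_tcp_rules (hypothetical name): read an IPFilter ruleset on stdin
# and print "<line number>: <rule>" for every pass rule that can match TCP
# but has neither "keep state" nor "keep limit".
# Assumption: a rule with no "proto" keyword matches all protocols,
# so it is treated as TCP-capable.
uncounted_tcp_rules() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
    $1 != "pass"         { next }        # only pass rules admit connections
    {
        proto = ""
        for (i = 2; i < NF; i++)
            if ($i == "proto") { proto = $(i + 1); break }
        # TCP-capable: no proto given, "tcp", or the "tcp/udp" shorthand
        if (proto != "" && proto != "tcp" && proto != "tcp/udp") next

        stateful = 0
        for (i = 2; i < NF; i++)
            if ($i == "keep" && ($(i + 1) == "state" || $(i + 1) == "limit"))
                stateful = 1
        if (!stateful) print NR ": " $0
    }'
}

# The four-rule ruleset from the example above, used as sample input.
sample_rules() {
    cat <<'EOF'
pass in log limit freq 500 quick proto tcp from any to any port = 80 keep limit 100
pass in log quick proto tcp from any to any port = 25 flags S keep state
pass in log quick proto tcp from any to any port = 23
pass out log quick proto tcp from any port = 23 to any
EOF
}

sample_rules | uncounted_tcp_rules
```

For the sample ruleset this reports lines 3 and 4, the two telnet rules.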
Example:
# ipfstat -ho
2451423 pass out on lan0 from any to any
354727 block out on ppp0 from any to any
430918 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
This status report shows that the ruleset may not be working as intended. Many outbound packets
are being blocked despite a pass out rule configured to pass most outbound packets.
ipfstat cannot indicate whether a ruleset is configured correctly. It can only display what is
happening at the present time with a given ruleset.
9.1 Viewing IPFilter Statistics and Active Rules with ipfstat