HP-UX IPFilter Version 17 Administrator's Guide

15:57:33.803147 lan0 @0:2 b 100.100.100.103,443 ->
20.20.20.10,4923 PR tcp len 20 1488 -A:
The fields in this output are as follows:
Field 1—Time stamp
Field 2—The interface on which the event occurred
Field 3—Rule group number: rule number of the rule used for the packet, in the format
@group_number:rule_number
Field 4—Action; blocked (b) or passed (p) packet
Field 5—Packet source, in the format ip_address,port
Field 6—Packet destination, in the format ip_address,port
Fields 7 and 8—Protocol
Field 9—Packet size
Field 10—Flags set on packet
Use the ipfstat -in command to determine the text of the rule that created the log entry. In
the previous example, you would use this command to look at rule 2 in rule group 0 (@0:2).
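A small parser for the ten-field ipmon record format described above, as an added example that is not part of the guide: it splits each record, tolerates the port-less endpoints of ICMP records, and tallies blocked packets per @group:rule so you know which rule to look up with ipfstat -in. The sample lines are constructed after the guide's examples.

```python
import re
from collections import Counter

# Constructed sample records, modelled on the ipmon lines shown in the guide.
SAMPLE_LOG = """\
15:57:33.803147 lan0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4923 PR tcp len 20 1488 -A
12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0
15:57:34.001200 lan0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4924 PR tcp len 20 1488 -S
"""

# time, interface, @group:rule, action, src -> dst, PR proto, len <ip hdr len> <packet size>, trailer
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<size>\d+)(?:\s+(?P<rest>.*))?$"
)

def split_endpoint(ep):
    """'ip,port' for TCP/UDP records; a bare 'ip' for ICMP and other protocols."""
    if "," in ep:
        ip, port = ep.rsplit(",", 1)
        return ip, int(port)
    return ep, None

def parse_line(line):
    """Return a dict of the record's fields, or None if the line is not an ipmon record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = split_endpoint(d["src"])
    dst_ip, dst_port = split_endpoint(d["dst"])
    return {
        "time": d["ts"], "interface": d["iface"],
        "group": int(d["group"]), "rule": int(d["rule"]),
        "action": d["action"],                      # b = blocked, p = passed
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "proto": d["proto"], "header_len": int(d["hlen"]), "size": int(d["size"]),
        "flags": d["rest"] or "",                   # TCP flags, or 'icmp type/code'
    }

def blocked_by_rule(text):
    """Count blocked packets per @group:rule; each key is what you pass to ipfstat -in lookups."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "b":
            counts["@%d:%d" % (rec["group"], rec["rule"])] += 1
    return counts
```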
IPFilter sometimes logs a packet matching a keep state rule in the normal (non-state) IPFilter
log file. This occurs when a packet matching a keep state rule has the same sequence number
as a packet matching a normal (non-state) rule that has logging enabled. This may also
occur when a packet matching a keep state rule is the last packet in a stateful connection and
arrives after IPFilter has deleted the state table entry.
Example:
#ipfstat -n
12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0
This is an ICMP router discovery broadcast packet. It is indicated by the ICMP type 9/0.
9.3.2.4 ipmon and DCA Logging
DCA logging uses different device files than normal IPFilter logging. The DCA module writes
alert log records to /dev/ipl and writes summary log records to /dev/iplimit. To view the
summary records, use ipmon with the -A option. Using ipmon -A prints a summary log for a
limit entry before the entry is removed from the limit table.
Example:
ipmon -A /dev/iplimit > $LOGDIR/limit_summary.log &
You can use ipmon -r to print the summary records to the log file for all existing limit entries
that are active. For example, you have the following rule configured:
pass in log limit quick proto tcp from host1 to Server keep limit 10
If host1 creates 70 connections, then 10 connections are let through and the remaining 60 are blocked,
which is the block count. When ipmon -r is called, a summary record is logged to the summary
log records and the block count is set to 0. This is useful in a case where host1 created many
connections and has a large block count, but subsequently has connections that are within the
connection limit.
ipmon -r works only on active limit entries. If there are no limit entries, ipmon -r does not
log any summary log records. Summary logs are printed only for those limit entries that have
a non-zero connection exceeded counter. For cumulative limits, this option is the only way to
obtain summary logs.
9.3.3 Analyzing IPFilter Log Events
The ipmon feature simplifies IPFilter log analysis and allows monitoring for specific log events.
When such an event is found, the rule configuration runs a shell command or logs the event to