HP-UX IPFilter Version 17 Release Notes
You can override the default TCP timeout for closed connections with the fr_tcptimewait
tunable, or per rule with the age option. A value specified in a rule takes priority over the
system-level tunable value.
The age option is supported in IPFilter rules for ICMP, UDP and TCP. For NAT rules, only TCP
is supported. NAT provides the frnat_tcptimewait tunable to set the system-level timeout.
2.4 Rule Tags
2.4.1 Log Tags
A log tag is attached to an IPF rule to help with parsing log files. Use log tags to find the logged
packets that belong to a particular IPF rule.
For example, to block all TCP packets from 10.1.1.42, have ipmon log the packets to syslog, and
attach the log tag rule1 so that the log file can be parsed for them:
block in log proto tcp from 10.1.1.42/32 to any set-tag(log=rule1)
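The parsing the log tag is meant to support, shown as an added Python example that is not part of the release notes or of the HP-UX IPFilter tools. The sample syslog lines are constructed, and the ipmon field layout they use (timestamp, interface, @group:rule, b/p action, source -> destination, protocol, then a trailing "tag <name>" for the set-tag(log=...) value) is an assumption; adjust the regular expressions to the format your ipmon actually writes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample. Field layout and the trailing "tag <name>" rendering are ASSUMED,
# not taken from the HP-UX IPFilter documentation. The last line is deliberately not ipmon output.
SAMPLE_SYSLOG = """\
Mar  3 10:15:01 hpux1 ipmon[2211]: 10:15:01.104523 lan0 @0:3 b 10.1.1.42,40512 -> 192.0.2.10,22 PR tcp len 20 60 -S IN tag rule1
Mar  3 10:15:02 hpux1 ipmon[2211]: 10:15:02.221877 lan0 @0:7 p 192.0.2.50,53 -> 192.0.2.10,33021 PR udp len 20 93 IN
Mar  3 10:15:03 hpux1 ipmon[2211]: 10:15:03.330091 lan0 @0:3 b 10.1.1.42,40513 -> 192.0.2.10,443 PR tcp len 20 60 -S IN tag rule1
Mar  3 10:15:04 hpux1 ipmon[2211]: 10:15:04.002314 lan1 @0:9 b 198.51.100.7,1025 -> 192.0.2.10,23 PR tcp len 20 60 -S IN tag telnet-deny
Mar  3 10:15:05 hpux1 sshd[3104]: Accepted publickey for ops from 192.0.2.50 port 50122
"""


@dataclass(frozen=True)
class LogEntry:
    time: str
    ifname: str
    group: int
    rule: int
    action: str          # "b" = blocked, "p" = passed
    src: str             # "addr,port" exactly as the logger prints it
    dst: str
    proto: str
    tag: Optional[str]   # value of set-tag(log=...) when the rule carried one


# Anchored on "ipmon[pid]:" so the syslog prefix (date, host) can be anything.
HEADER_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<time>\S+)\s+(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)(?P<rest>.*)$"
)
# The tag, when present, is searched for in the remainder so untagged lines still parse.
TAG_RE = re.compile(r"\btag\s+(?P<tag>\S+)")


def parse_ipmon_line(line: str) -> Optional[LogEntry]:
    """Parse one syslog line; return None for lines that are not ipmon packet records."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    tag_m = TAG_RE.search(m.group("rest"))
    return LogEntry(
        time=m.group("time"), ifname=m.group("ifname"),
        group=int(m.group("group")), rule=int(m.group("rule")),
        action=m.group("action"), src=m.group("src"), dst=m.group("dst"),
        proto=m.group("proto"), tag=tag_m.group("tag") if tag_m else None,
    )


def parse_syslog(text: str) -> List[LogEntry]:
    return [e for e in map(parse_ipmon_line, text.splitlines()) if e is not None]


def entries_with_tag(entries: List[LogEntry], tag: str) -> List[LogEntry]:
    """Select the packets logged by the rule that carries this log tag."""
    return [e for e in entries if e.tag == tag]


def count_by_tag(entries: List[LogEntry]) -> Dict[str, int]:
    """Hit count per log tag; useful for spotting which rule is firing most."""
    return dict(Counter(e.tag or "(untagged)" for e in entries))


def endpoint(field: str):
    """Split the logger's "addr,port" notation into (addr, port)."""
    addr, _, port = field.rpartition(",")
    return addr, int(port)


if __name__ == "__main__":
    parsed = parse_syslog(SAMPLE_SYSLOG)
    print(count_by_tag(parsed))
    for entry in entries_with_tag(parsed, "rule1"):
        print(entry.time, entry.ifname, entry.action, endpoint(entry.src), "->", endpoint(entry.dst))
```

Reading the whole file and keying on the tag rather than on a source address is the point: the address in the rule may change, but the tag stays bound to the rule, so the same query keeps returning that rule's packets.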
2.4.2 NAT Tags
A NAT tag creates an implied join between IPF rules and NAT rules. NAT tags are used in both IPF
rules and NAT rules. There are two kinds of NAT rules: map and rdr. The map rules are processed
in the OUT path and perform source address translation. The rdr rules are processed when packets
enter the system and perform destination address translation.
Use nat-tag in the rdr rule corresponding to the IPF rule in the IN path. Use nat-tag in the map
rule corresponding to the IPF rule in the OUT path. In the IN path, NAT processing takes place
first, followed by filter checking. In the OUT path, filter checking takes place first, followed by
NAT processing.
For more information, see the ipnat(4) and ipf(4) manpages, and the HP-UX IPFilter Version 17
Administrator Guide.
2.5 Sticky NAT Sessions
NAT sessions from the same source IP can be redirected to the same destination IP to achieve
source IP-based persistence. This feature only works with rdr NAT rules. For more information,
see the ipnat(4) manpage.
2.6 Checking Connection Health with l4check
A load balancer continually checks the health of the servers to ensure that client connections are
not forwarded to servers that are down or have failed. Sometimes the server itself is up and
responsive, but the application it is hosting is dead or unresponsive.
Health checks can be in-band or out-of-band checks. In-band checks use the traffic flow between
clients and servers to check server health. For example, the health of a TCP-based application is
checked by monitoring the TCP 3-way handshake. An incomplete handshake indicates that the
server or application is not working. This check can be followed by additional checks to confirm
the situation. Out-of-band health checks are explicit health checks made by the load balancer.
The l4check utility monitors for dead IP/port pairs and dynamically removes them from the
list of load-balanced IP addresses. The utility comes with the /etc/opt/ipf/l4check.conf
file, which is used to configure the remote IP addresses of the servers to which connection
requests are redirected.
2.7 Analyzing IPFilter Log Events
The ipmon feature simplifies IPFilter log analysis and allows monitoring for specific log events.
When such an event is found, the rule configuration runs a shell command or logs the event to
10 New Features in this Release