HP-UX IPFilter Version A.03.05.14 Administrator's Guide

HP-UX IPFilter Utilities
The ipfstat Utility
Chapter 588
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
The TCP Connections statistics are derived from the number of states
added and are valid only in the context of stateful filtering. These
statistics are accurate only when keep limit or keep state rules
are used for all TCP connections.
For example, you have the following ruleset:
pass in log limit freq 500 quick proto tcp from any to any port = 80 keep limit 100
pass in log quick proto tcp from any to any port = 25 flags S keep state
pass in log quick proto tcp from any to any port = 23
pass out log quick proto tcp from any port = 23 to any
With this ruleset, only connections that match the first two rules are counted. Both
the third and fourth rules allow telnet connections, but those connections
are not counted, because the system is not keeping state on them.
Example:
# ipfstat -ho
2451423 pass out on lan0 from any to any
354727 block out on ppp0 from any to any
430918 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
This status report shows that the ruleset may not be working as
intended: many outbound packets are being blocked even though a pass out
rule is configured to pass most outbound packets.
ipfstat cannot indicate whether a ruleset is configured correctly. It can
only display what is happening at the present time with a given ruleset.
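The script below is an added example written for this excerpt; it is not part of the HP-UX IPFilter product or of the guide. It covers both of the points made above: it reads rule lines in the forms shown (bare rules from a ruleset, and ipfstat -ho lines carrying a hit counter), reports which TCP pass rules lack keep state or keep limit and so never contribute to the TCP Connections statistics, and computes what share of counted outbound packets landed on block rules, the symptom the sample ipfstat -ho output illustrates. The sample text is constructed from the excerpts above; the position of the -n @group:rule token relative to the -h counter is not shown in the guide and is assumed, so the parser accepts it on either side.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the excerpts in the guide; addresses and
# interface names are illustrative, not taken from a live system.
SAMPLE_RULESET = """\
pass in log limit freq 500 quick proto tcp from any to any port = 80 keep limit 100
pass in log quick proto tcp from any to any port = 25 flags S keep state
pass in log quick proto tcp from any to any port = 23
pass out log quick proto tcp from any port = 23 to any
"""

SAMPLE_IPFSTAT_HO = """\
2451423 pass out on lan0 from any to any
354727 block out on ppp0 from any to any
430918 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
"""

# One pattern covers a bare rule, a line with the -h hit counter, and a line
# carrying the -n rule number. The guide shows the number as @group:rule but not
# where it sits relative to the counter, so it is accepted on either side
# (assumption).
RULE_RE = re.compile(
    r"^\s*(?:@(?P<g1>\d+):(?P<r1>\d+)\s+)?"
    r"(?:(?P<hits>\d+)\s+)?"
    r"(?:@(?P<g2>\d+):(?P<r2>\d+)\s+)?"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\b(?P<rest>.*)$"
)


@dataclass
class Rule:
    action: str
    direction: str
    hits: Optional[int]        # None when the line came from a ruleset, not from -h
    interface: Optional[str]
    proto: Optional[str]
    stateful: bool             # keep state or keep limit present on the rule
    group: Optional[int]
    number: Optional[int]
    text: str


def parse_rules(text: str) -> List[Rule]:
    """Parse ruleset lines or ipfstat -ho / -hn output lines into Rule records."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                       # skip blank lines, comments, headers
        rest = m.group("rest")
        iface = re.search(r"\bon\s+(\S+)", rest)
        proto = re.search(r"\bproto\s+(\S+)", rest)
        group = m.group("g1") or m.group("g2")
        number = m.group("r1") or m.group("r2")
        rules.append(Rule(
            action=m.group("action"),
            direction=m.group("direction"),
            hits=int(m.group("hits")) if m.group("hits") else None,
            interface=iface.group(1) if iface else None,
            proto=proto.group(1) if proto else None,
            stateful=bool(re.search(r"\bkeep\s+(state|limit)\b", rest)),
            group=int(group) if group else None,
            number=int(number) if number else None,
            text=line.strip(),
        ))
    return rules


def uncounted_tcp_rules(rules: List[Rule]) -> List[Rule]:
    """TCP pass rules without keep state / keep limit: connections they allow
    never appear in the TCP Connections statistics."""
    return [r for r in rules
            if r.action == "pass" and r.proto and "tcp" in r.proto and not r.stateful]


def blocked_share(rules: List[Rule], direction: str = "out") -> float:
    """Fraction of counted packets in one direction that hit block rules."""
    counted = [r for r in rules if r.direction == direction and r.hits is not None]
    total = sum(r.hits for r in counted)
    blocked = sum(r.hits for r in counted if r.action == "block")
    return blocked / total if total else 0.0


def review(ipfstat_output: str, threshold: float = 0.05) -> List[str]:
    """Flag the symptom the guide describes: block rules absorbing a sizeable
    share of outbound traffic although a pass out rule exists."""
    rules = parse_rules(ipfstat_output)
    findings = []
    has_pass_out = any(r.action == "pass" and r.direction == "out" for r in rules)
    share = blocked_share(rules, "out")
    if has_pass_out and share > threshold:
        findings.append(f"{share:.1%} of counted outbound packets hit block rules "
                        f"despite a pass out rule; check rule order and interfaces")
    for r in rules:
        if r.action == "block" and r.hits and r.interface:
            findings.append(f"block {r.direction} on {r.interface}: {r.hits} hits")
    return findings


if __name__ == "__main__":
    for r in uncounted_tcp_rules(parse_rules(SAMPLE_RULESET)):
        print("not counted in TCP Connections:", r.text)
    for finding in review(SAMPLE_IPFSTAT_HO):
        print(finding)
```

Run against the constructed samples, the script lists the two port 23 rules as uncounted and reports that about 11% of counted outbound packets hit the block out rule on ppp0. On a real system, feed it the saved output of ipfstat -ho (or -hn, for rule numbers) rather than the embedded samples.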
Set the -n option to display the rule number next to each rule. The rule
number is displayed as @group:rule. This can help you determine which
rules are incorrectly configured. For example: