HP-UX IPFilter Version A.03.05.14 Administrator's Guide

HP-UX IPFilter Utilities
The ipfstat Utility
# ipfstat -on
@0:1 pass out on lan0 from any to any
@0:2 block out on ppp0 from any to any
@0:3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
The following example uses the -s option to display the state table.
# ipfstat -s
281458 TCP
319349 UDP
0 ICMP
19780145 hits
5723648 misses
0 maximum
0 no memory
0 bkts in use
1 active
319349 expired
281419 closed
A TCP connection has one state entry. One fully established connection is
represented by the 4/4 state. Other states are incomplete and will be
documented later. The state entry has a time to live (TTL) of 24 hours, which is
the default for an established TCP connection. The TTL counter is
decremented every second that the state entry is not used, so a connection
that is left idle is purged once the counter reaches zero.
The TTL counter is reset to 86400 whenever the state is used, ensuring
the entry will not time out while it is being actively used. 196 packets
consisting of about 17KB worth of data have been passed over this
connection. The ports for the endpoints are 987 and 22; this state entry
represents a connection from 100.100.100.1 port 987 to 20.20.20.1 port
22. The numbers in the second line are the TCP sequence numbers for
this connection. These numbers help ensure that an attacker cannot
insert a forged packet into your session. The TCP window is also shown.
The third line is a synopsis of the implicit rule generated by the keep
state code showing that this is an inbound connection.
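The lifecycle described above (a state entry keyed on the connection's endpoints, a TTL that is reset to 86400 on every use and decremented while idle, and a sequence-number window that rejects forged packets) can be modelled in a few lines. The following is an added illustrative example, not IPFilter's own code; the class name, the single-direction sequence tracking and the endpoint values for 100.100.100.1:987 to 20.20.20.1:22 are constructed for the demonstration.

```python
from dataclasses import dataclass
DEFAULT_TCP_TTL = 86400  # seconds: the 24-hour default for an established TCP entry

@dataclass
class TcpStateEntry:
    """Hypothetical model of one keep-state entry (not IPFilter's own code)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq_next: int  # next sequence number expected from src
    window: int    # sequence space (bytes) the entry will accept
    ttl: int = DEFAULT_TCP_TTL
    packets: int = 0
    bytes: int = 0

    def _matches(self, src, sport, dst, dport):
        # Packets in either direction of the connection hit this entry.
        fwd = (self.src, self.sport, self.dst, self.dport)
        return (src, sport, dst, dport) in (fwd, (fwd[2], fwd[3], fwd[0], fwd[1]))

    def accept(self, src, sport, dst, dport, seq, length):
        """Return True if the packet belongs to this entry and is passed."""
        if not self._matches(src, sport, dst, dport):
            return False
        if src == self.src:
            # A forged packet whose sequence number is outside the window is
            # dropped (sequence tracking modelled for the src->dst direction only).
            if not self.seq_next <= seq < self.seq_next + self.window:
                return False
            self.seq_next = seq + length
        self.ttl = DEFAULT_TCP_TTL  # any use of the entry resets the TTL
        self.packets += 1
        self.bytes += length
        return True

    def idle(self, seconds):
        """Age the entry by seconds of non-use; False means it should be purged."""
        self.ttl = max(0, self.ttl - seconds)
        return self.ttl > 0

def demo():
    e = TcpStateEntry("100.100.100.1", 987, "20.20.20.1", 22, seq_next=1000, window=8192)
    ok = e.accept("100.100.100.1", 987, "20.20.20.1", 22, seq=1000, length=100)
    forged = e.accept("100.100.100.1", 987, "20.20.20.1", 22, seq=5_000_000, length=40)
    reply = e.accept("20.20.20.1", 22, "100.100.100.1", 987, seq=77, length=60)
    still_alive = e.idle(DEFAULT_TCP_TTL - 1)  # idle just under a day: one second left
    purged = not e.idle(1)                      # one more idle second: purge
    return ok, forged, reply, e.packets, e.bytes, still_alive, purged
```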
The ipfstat -sl option is often used in place of ipfstat -s to show
held state information in the kernel, if present. ipfstat -sl gives
detailed information for each state entry that is active.