HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Dynamic Connection Allocation
DCA Keywords
The following section describes keywords specific to DCA. For additional
information about DCA rule syntax and rule conditions, see “DCA Rule
Syntax” on page 52 and “DCA Rule Conditions” on page 53.
keep limit: Limiting Connections
Use the keep limit keyword to limit the number of connections made to
an IPFilter system at a given time. Connections can be limited by IP
address, subnet, cumulative limit of connections, and a default
individual limit.
When setting the limit of connections, be aware that the number of
connections stated is for each service on the destination IP address. For
example, if the keep limit is set to 5, then five connections are allowed
for telnet, five for http, and so on.
Limiting Connections by IP Address
Use the following rule to limit connections by IP address:
pass [return-rst] in quick proto tcp from <ip_addr> to any port = <port_num> keep limit <limit_num>
For example:
pass return-rst in quick proto tcp from 192.34.23.1 to any port = 25 keep limit 5
The example rule limits the maximum concurrent connections to 5 from
host 192.34.23.1 to SMTP port 25 of any host. Because the [return-rst]
option is specified, a TCP reset will be sent to the initiating TCP
connection at IP address 192.34.23.1 when the connection request is
blocked.
Limiting Connections by Subnet
Use the following rule to limit connections by subnet:
pass [return-rst] in quick proto tcp from <ip_subnet> to any port = <port_num> keep limit <limit_num>
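The following is an added teaching model, not code from the HP-UX IPFilter guide or from IPFilter itself. It parses the two rule shapes shown above (by IP address and by subnet), counts concurrent connections the way this section describes (the limit applies to each service on each destination address), and reports whether a blocked request would also receive a TCP reset because return-rst was given. The regular expression covers only the rule shape printed in this section, not the full ipf.conf grammar; treating a subnet rule's limit as one pool shared by the whole subnet is an assumption, since the section does not state how subnet counts are pooled.

```python
"""Added example (not from the HP-UX IPFilter guide): a small parser and
connection counter for the 'keep limit' rule shape shown in this section.
Real IPFilter keeps this state in the kernel; this only models the stated
behaviour so the effect of the limit can be observed."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical regular expression covering only the rule shape in this
# section:  pass [return-rst] in quick proto tcp from <src> to any
#           port = <port_num> keep limit <limit_num>
RULE_RE = re.compile(
    r"^pass(?P<rst>\s+return-rst)?\s+in\s+quick\s+proto\s+tcp\s+from\s+(?P<src>\S+)"
    r"\s+to\s+any\s+port\s*=\s*(?P<port>\d+)\s+keep\s+limit\s+(?P<limit>\d+)\s*$"
)


def parse_rule(line):
    """Return the parts of a DCA keep-limit rule, or raise ValueError."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a keep limit rule: %r" % line)
    return {
        "return_rst": m.group("rst") is not None,
        # ip_network accepts a single host ('192.34.23.1' becomes a /32)
        # or a subnet ('10.1.0.0/16'); strict=False tolerates host bits.
        "src": ipaddress.ip_network(m.group("src"), strict=False),
        "port": int(m.group("port")),
        "limit": int(m.group("limit")),
    }


class KeepLimitModel:
    """Counts concurrent connections per (rule, destination address, port).

    Assumption: a subnet rule's limit is one pool for the whole subnet,
    counted separately for each destination address and port.
    """

    def __init__(self, rule_lines):
        self.rules = [parse_rule(line) for line in rule_lines]
        self.active = defaultdict(int)

    def _match(self, src_ip, port):
        src = ipaddress.ip_address(src_ip)
        for idx, rule in enumerate(self.rules):
            if rule["port"] == port and src in rule["src"]:
                return idx, rule
        return None, None

    def connect(self, src_ip, dst_ip, port):
        """Return 'pass', 'blocked', 'blocked+rst' or 'no-match'."""
        idx, rule = self._match(src_ip, port)
        if rule is None:
            return "no-match"  # some other rule in the ruleset would decide
        key = (idx, dst_ip, port)
        if self.active[key] >= rule["limit"]:
            # Over the limit: the request is blocked, and with return-rst the
            # initiator is sent a TCP reset rather than left waiting.
            return "blocked+rst" if rule["return_rst"] else "blocked"
        self.active[key] += 1
        return "pass"

    def close(self, src_ip, dst_ip, port):
        """Release one tracked connection so another may be admitted."""
        idx, rule = self._match(src_ip, port)
        if rule is not None:
            key = (idx, dst_ip, port)
            if self.active[key] > 0:
                self.active[key] -= 1


# Constructed rules: the section's by-address example plus a subnet rule
# of the second shape (the subnet and telnet limit are made up here).
EXAMPLE_RULES = [
    "pass return-rst in quick proto tcp from 192.34.23.1 to any port = 25 keep limit 5",
    "pass in quick proto tcp from 10.1.0.0/16 to any port = 23 keep limit 2",
]


def demo():
    """Six SMTP attempts from 192.34.23.1 to one host: five pass, one is reset."""
    model = KeepLimitModel(EXAMPLE_RULES)
    return [model.connect("192.34.23.1", "10.0.0.1", 25) for _ in range(6)]


if __name__ == "__main__":
    print(demo())
```

Because the count is keyed on the destination address and port, a sixth SMTP connection from 192.34.23.1 to a different host still passes, and a connection to a port with no keep limit rule falls through to whatever other rules exist.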