HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Dynamic Connection Allocation
DCA Keywords
Chapter 3 49
For example:
pass in quick proto tcp from 192.168.7.0/24 to any port = 25 keep limit 15 cumulative
The example rule limits the cumulative concurrent connections to 15
from all hosts in subnet 192.168.7.0/24 to port 25 of any host.
Default Individual Connection Limits
Use the following rule to create default individual connection limits:
pass [return-rst] in proto tcp from any to any port = <port_num> keep limit <limit_num>
For example:
pass in proto tcp from any to any port = 25 keep limit 5
This rule applies a per-host limit of 5 connections to every host that
connects to port 25.
IMPORTANT The default individual connection limit must be the last rule in the
configuration file.
log limit: Logging Exceeded Connections
Use the log limit rule to log each connection that exceeds a configured
limit in a keep limit rule. For example:
pass in log limit quick proto tcp from IP1 to Server keep limit 10
IP1 is allowed to open only 10 connections at a time. Any subsequent
connection will be blocked. Since log limit is set, each additional
connection attempt is logged.
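The two constraints above (the default individual limit must be the last rule, and log limit only has something to log on a rule that carries keep limit) are easy to get wrong when a rules file is edited by hand. The following Python linter is an added example, not part of the HP-UX IPFilter guide or product: it parses the rule forms shown in this chapter (pass/block, optional return-rst, in/out, log or log limit, quick, proto, from/to, port =, keep limit N [cumulative]) with a regular expression and reports ordering problems. The sample rules files are constructed for the example; the grammar is limited to the keywords shown on this page and is an assumption, not IPFilter's full rule syntax.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rules file (assumption: not taken from the guide).
SAMPLE_RULES = """\
# per-host limit: each client may hold 10 connections to the mail server
pass in quick proto tcp from 10.1.1.0/24 to 10.1.1.100 port = 25 keep limit 10
# cumulative limit: the whole subnet shares 15 connections, overflow is logged
pass in log limit quick proto tcp from 192.168.7.0/24 to any port = 25 keep limit 15 cumulative
# default individual limit for everyone else; the guide requires it to be last
pass in proto tcp from any to any port = 25 keep limit 5
"""

# Constructed file with the default individual limit placed too early.
BAD_RULES = """\
pass in proto tcp from any to any port = 25 keep limit 5
pass in quick proto tcp from 10.1.1.0/24 to 10.1.1.100 port = 25 keep limit 10
"""

# Grammar covers only the keywords shown in this chapter (assumption).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+(?P<rst>return-rst))?"
    r"\s+(?P<dir>in|out)"
    r"(?:\s+log(?P<loglimit>\s+limit)?)?"
    r"(?:\s+(?P<quick>quick))?"
    r"\s+proto\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?"
    r"(?:\s+keep\s+limit\s+(?P<limit>\d+)(?P<cum>\s+cumulative)?)?"
    r"\s*$"
)


@dataclass
class Rule:
    line_no: int
    text: str
    src: str
    dst: str
    port: Optional[int]
    limit: Optional[int]
    cumulative: bool
    log_limit: bool

    @property
    def is_default_individual_limit(self) -> bool:
        # "from any to any ... keep limit N" without "cumulative"
        return (self.src == "any" and self.dst == "any"
                and self.limit is not None and not self.cumulative)


def parse_rules(text: str) -> List[Rule]:
    """Parse a rules file into Rule records, skipping comments and blank lines."""
    rules: List[Rule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {line_no}: unrecognised rule: {line!r}")
        rules.append(Rule(
            line_no=line_no, text=line,
            src=m["src"], dst=m["dst"],
            port=int(m["port"]) if m["port"] else None,
            limit=int(m["limit"]) if m["limit"] else None,
            cumulative=m["cum"] is not None,
            log_limit=m["loglimit"] is not None,
        ))
    return rules


def lint_limits(text: str) -> List[str]:
    """Return findings about keep limit rules; an empty list means the file passes."""
    rules = parse_rules(text)
    findings: List[str] = []
    for i, rule in enumerate(rules):
        # The guide: the default individual connection limit must be the last rule.
        if rule.is_default_individual_limit and i != len(rules) - 1:
            findings.append(
                f"line {rule.line_no}: default individual limit must be the last rule, "
                f"but {len(rules) - 1 - i} rule(s) follow it")
        # log limit reports connections over a keep limit; without one there is nothing to log.
        if rule.log_limit and rule.limit is None:
            findings.append(
                f"line {rule.line_no}: 'log limit' set but the rule has no 'keep limit'")
    return findings


if __name__ == "__main__":
    for name, body in (("SAMPLE_RULES", SAMPLE_RULES), ("BAD_RULES", BAD_RULES)):
        print(name, lint_limits(body) or "OK")
```

Run the script against a copy of the rules file before loading it; a non-empty findings list points at the line whose placement or keyword combination contradicts the constraints described above.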
log limit generates two types of log records:
• Alert Log records—created when a source IP address is trying to
exceed its configured connection limit. Every time the connection
limit is exceeded, an alert log record is created.