From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: admin
Cc: freebsd-questions@freebsd.org
Date: Sun, 18 Feb 2007 09:19:44 +0300
Subject: Re: ipfw limit src-addr woes
Message-ID: <499c70c0702172219i1295ed07oefa63d7d8132a654@mail.gmail.com>
In-Reply-To: <45D75F87.6050908@azuni.net>

On 2/17/07, admin wrote:
> Hi, I'm trying to use ipfw's limit clause to limit the number of
> connections a single IP can have at the same time in a transparent
> web-proxy environment:
>
> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 80 in via if0 setup limit src-addr 10
> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
> ... the rest fwd...
>
> The problem is that the src-addr limit is not enforced for some nasty
> clients that open a huge number (3-5 times the prescribed value) of
> www-connections to some single address Out There, forcing you to bump up
> certain sysctl variables (such as kern.ipc.nmbclusters,
> kern.ipc.maxsockets, etc.) to mitigate the DoS effects. What might be
> going on? Is ipfw broken, or am I misusing it?
>
> OS: FreeBSD 6.2

I would go for pf instead of ipfw for that job ;)

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
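To make concrete what the quoted rule's `setup limit src-addr 10` is meant to enforce, here is an added Python model of ipfw's per-source dynamic-state limiter. It is an illustration written for this page, not ipfw's code and not something either poster supplied: a `limit` rule installs one dynamic entry per new connection (matched on `setup`), and every entry that has not yet expired counts against its source address, so the effective ceiling depends on how long entries linger after the connection is closed. The lifetimes, the packet tuple format and the addresses are assumptions constructed for the model; on a real system the lifetimes come from the `net.inet.ip.fw.dyn_*_lifetime` sysctls.

```python
from typing import Dict, Tuple

# Assumed dynamic-entry lifetimes in seconds, standing in for sysctls such as
# net.inet.ip.fw.dyn_syn_lifetime, dyn_ack_lifetime and dyn_fin_lifetime.
# These numbers are constructed for the model, not FreeBSD defaults.
LIFETIME = {"syn": 20.0, "established": 300.0, "fin": 1.0}

Flow = Tuple[str, int, str, int]          # (src, sport, dst, dport)
Packet = Tuple[str, str, int, str, int]   # (flag, src, sport, dst, dport)


class SrcAddrLimiter:
    """Teaching model of 'tcp from any to any setup limit src-addr N'.

    Each new connection (SYN) installs a dynamic entry that counts against
    its source address until the entry expires.  This is not ipfw's code.
    """

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.entries: Dict[Flow, Tuple[str, float]] = {}  # flow -> (state, expiry)

    def _expire(self, now: float) -> None:
        """Drop entries whose lifetime has run out."""
        self.entries = {f: s for f, s in self.entries.items() if s[1] > now}

    def live_count(self, src: str, now: float) -> int:
        """Dynamic entries still counted against src at time now."""
        self._expire(now)
        return sum(1 for f in self.entries if f[0] == src)

    def handle(self, pkt: Packet, now: float) -> str:
        """Return 'pass', 'deny' (limit hit) or 'nomatch' (later rules decide)."""
        flag, src, sport, dst, dport = pkt
        flow: Flow = (src, sport, dst, dport)
        self._expire(now)
        state = self.entries.get(flow)
        if state is None:
            if flag != "syn":
                return "nomatch"          # state is only created on connection setup
            if self.live_count(src, now) >= self.limit:
                return "deny"             # N entries already open from this source
            self.entries[flow] = ("syn", now + LIFETIME["syn"])
            return "pass"
        # Existing entry: move it to the state implied by this packet and
        # refresh its lifetime accordingly.
        if flag == "fin":
            self.entries[flow] = ("fin", now + LIFETIME["fin"])
        elif flag == "ack" and state[0] == "syn":
            self.entries[flow] = ("established", now + LIFETIME["established"])
        else:
            self.entries[flow] = (state[0], now + LIFETIME[state[0]])
        return "pass"


def scenario(limit: int = 10) -> dict:
    """Constructed traffic from one client (documentation addresses) against `limit`."""
    fw = SrcAddrLimiter(limit)
    client, server = "192.0.2.10", "198.51.100.80"
    # A burst of limit+2 simultaneous connection attempts at t=0.
    burst = [fw.handle(("syn", client, 40000 + i, server, 80), 0.0)
             for i in range(limit + 2)]
    # The client closes its first connection; the entry lingers for LIFETIME["fin"].
    fw.handle(("fin", client, 40000, server, 80), 1.0)
    during_fin = fw.handle(("syn", client, 50000, server, 80), 1.5)  # still counted
    after_fin = fw.handle(("syn", client, 50001, server, 80), 3.0)   # slot freed
    return {
        "passed": burst.count("pass"),
        "denied": burst.count("deny"),
        "during_fin": during_fin,
        "after_fin": after_fin,
        "live": fw.live_count(client, 3.0),
    }


if __name__ == "__main__":
    print(scenario())
```

The point the model makes is that the ceiling is on live dynamic entries, not on sockets the client currently has open: a closed connection keeps occupying a slot until its entry expires, and a new attempt during that window is refused. On a FreeBSD box the corresponding check is `ipfw -d show`, which lists the dynamic entries alongside the static rules so the per-source count can be compared against what the rule is expected to allow.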