From: Dan Pelleg
Date: Wed, 14 Jan 2004 09:47:17 -0500
To: fbsd_user@a1poweruser.com
Cc: "freebsd-questions@FreeBSD. ORG"
Subject: Re: IPFW 'keep state' & 'limit'

"fbsd_user" writes:

> Reading the man page on IPFW rule syntax, I get the impression that
> the 'limit' option uses the stateful dynamic rules table. But it's
> unclear whether 'keep state' and limit can be used on the same rule,
> or if the limit option performs the 'keep state' function in
> addition to the limit function.
>
> So as an example
>
> $cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state
> limit src-addr 3
>
> will this work?

limit implies keep-state, and you should really specify one or the other. If
you specify both, ipfw won't complain, but ipfw2 will. So it's best to not
do that.

-- 
Dan Pelleg
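
A check for the situation discussed in this thread, as an added example that is not part of the original messages: a small POSIX sh function that reads an ipfw rules script on stdin and reports every rule carrying both `keep-state` and `limit`. The function names and the sample ruleset are constructed for illustration; the check assumes `limit` is followed by one of `src-addr`, `src-port`, `dst-addr` or `dst-port`, as in the ipfw man page.

```shell
#!/bin/sh
# Added example: flag ipfw rules that specify both keep-state and limit.
# Output: "<first line number>: <rule>" for each offending rule.

find_state_conflicts() {
    awk '
    {
        line = $0
        if (start == 0) start = NR            # first line of this logical rule
        # Join backslash-continued lines into one logical rule.
        if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " "; next }
        rule = buf line; buf = ""; first = start; start = 0

        sub(/^[ \t]+/, "", rule)
        if (rule == "" || rule ~ /^#/) next   # skip blanks and comment lines
        sub(/[ \t]+#.*$/, "", rule)           # drop a trailing comment
        gsub(/[ \t]+/, " ", rule)             # normalise whitespace

        n = split(rule, tok, " ")
        ks = 0; lim = 0
        for (i = 1; i <= n; i++) {
            if (tok[i] == "keep-state") ks = 1
            # Only count "limit" when used as the stateful option.
            if (tok[i] == "limit" && tok[i + 1] ~ /^(src|dst)-(addr|port)$/) lim = 1
        }
        if (ks && lim) printf "%d: %s\n", first, rule
    }'
}

# Constructed sample ruleset (rule 00390 is the one quoted in the thread,
# wrapped with a backslash as it might appear in a rules script).
sample_rules() {
    cat <<'EOF'
# constructed sample ruleset
$cmd 00380 check-state
$cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state \
    limit src-addr 3
$cmd 00400 allow tcp from any to any 80 in via dc0 setup limit src-addr 10
$cmd 00410 allow udp from any to any 53 out via dc0 keep-state
EOF
}

sample_rules | find_state_conflicts
```

Running the check against a rules script before loading it catches rules that the older ipfw accepts silently, so they can be reduced to `limit` alone.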