From owner-freebsd-ipfw@FreeBSD.ORG Sat Dec 3 13:20:05 2011
From: Blog Tieng Viet <blogtiengviet@yahoo.com>
To: freebsd-ipfw@freebsd.org
Date: Sat, 3 Dec 2011 05:07:04 -0800 (PST)
Subject: Limit src address may not work well:
Message-ID: <1322917624.95519.YahooMailClassic@web161704.mail.bf1.yahoo.com>
In-Reply-To: <1475430265.24464.1320253002379.JavaMail.root@mail-01.cse.ucsc.edu>
List-Id: IPFW Technical Discussions

Dear all,

I am using IPFW in FreeBSD 7.3-RELEASE.
I have some problems as follows:

Limit src address may not work well:

For example, I want to limit the Google robot to no more than 1 connection establishment:

${fwcmd} add 5625 pass tcp from 66.249.0.0/16 to me 80 limit src-addr 1

But I saw there are about 6 ESTABLISHED entries for this address in the output of "netstat -n".

Is it my mistake? Please give me some advice.

Best regards.


--- On Thu, 11/3/11, Tim Gustafson wrote:

> From: Tim Gustafson
> Subject: Re: IPFW Problems
> To: "Michael Sierchio"
> Cc: freebsd-ipfw@freebsd.org
> Date: Thursday, November 3, 2011, 1:56 AM
>
> > You may want to tweak the sysctl items that control the lifespan
> > of dynamic rules.
> >
> > sysctl net.inet.ip.fw
> >
> > in particular, the default value of net.inet.ip.fw.dyn_ack_lifetime
> > is probably way too long for your purposes.
>
> Here's what I have right now:
>
> root@bsd-02: sysctl net.inet.ip.fw
> net.inet.ip.fw.static_count: 48
> net.inet.ip.fw.default_to_accept: 0
> net.inet.ip.fw.tables_max: 128
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 0
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_max: 32768
> net.inet.ip.fw.dyn_count: 805
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 256
>
> I'm assuming that's in seconds.  Is 300 seconds too long?  It seems
> like the dynamic rules are hanging around for hours or days, and I
> think the timeout is getting reset by the fact that the system is
> constantly sending out ACK packets to clients that aren't
> acknowledging them.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Tim Gustafson
> tjg@soe.ucsc.edu
> Baskin School of Engineering
> 831-459-5354
> UC Santa Cruz
> Baskin Engineering 317B
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
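As an added example (not part of this thread), a script that does what the poster did by hand: parse FreeBSD "netstat -n" output, count ESTABLISHED sessions per source address in 66.249.0.0/16 toward local port 80, and flag sources above the "limit src-addr 1" bound. The netstat sample is constructed for illustration; FreeBSD's netstat joins address and port with a dot, which the parser accounts for.

```python
import ipaddress
from collections import Counter

# Constructed sample of FreeBSD "netstat -n" output (not taken from the post).
# FreeBSD prints address and port joined by a dot: 66.249.66.1.43121
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          66.249.66.1.43121      ESTABLISHED
tcp4       0      0 192.0.2.10.80          66.249.66.1.43122      ESTABLISHED
tcp4       0      0 192.0.2.10.80          66.249.66.1.43123      TIME_WAIT
tcp4       0      0 192.0.2.10.80          66.249.71.9.50112      ESTABLISHED
tcp4       0      0 192.0.2.10.443         66.249.66.1.43200      ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.7.61001     ESTABLISHED
tcp4       0      0 192.0.2.10.22          203.0.113.5.52222      ESTABLISHED
udp4       0      0 *.514                  *.*
"""

def split_addr_port(field):
    """Split FreeBSD's 'a.b.c.d.port' into (ip, port); wildcard entries give (None, None)."""
    host, sep, port = field.rpartition(".")
    if not sep or host == "*" or not port.isdigit():
        return None, None
    return host, int(port)

def established_by_src(netstat_text, src_net, dst_port):
    """Count ESTABLISHED TCP sessions per foreign address for src_net -> local dst_port."""
    net = ipaddress.ip_network(src_net)
    counts = Counter()
    for line in netstat_text.splitlines():
        cols = line.split()
        # Skip headers, non-TCP rows and anything not in ESTABLISHED state.
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "ESTABLISHED":
            continue
        _, local_port = split_addr_port(cols[3])
        remote_ip, _ = split_addr_port(cols[4])
        if local_port != dst_port or remote_ip is None:
            continue
        if ipaddress.ip_address(remote_ip) in net:
            counts[remote_ip] += 1
    return counts

def over_limit(netstat_text, src_net, dst_port, limit):
    """Return {src: count} for sources whose session count exceeds 'limit src-addr N'."""
    counts = established_by_src(netstat_text, src_net, dst_port)
    return {src: n for src, n in counts.items() if n > limit}

if __name__ == "__main__":
    for src, n in sorted(over_limit(SAMPLE_NETSTAT, "66.249.0.0/16", 80, 1).items()):
        print(f"{src}: {n} ESTABLISHED to port 80 (limit src-addr 1 exceeded)")
```

netstat reports kernel TCP state, while the ipfw limit counts dynamic rules in the firewall's state table (ipfw -d show), so sessions that were set up before rule 5625 was loaded, or that matched an earlier pass rule, never enter that count. Comparing the two views is the first step in telling a misconfigured ruleset from a limit that is genuinely not working.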