From owner-freebsd-doc Mon Apr 1 20:40:13 2002
Delivered-To: freebsd-doc@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id E3F7C37B416 for ; Mon, 1 Apr 2002 20:40:02 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g324e2058693; Mon, 1 Apr 2002 20:40:02 -0800 (PST) (envelope-from gnats)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id E4E9637B400 for ; Mon, 1 Apr 2002 20:31:33 -0800 (PST)
Received: (from nobody@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g324VXN57456; Mon, 1 Apr 2002 20:31:33 -0800 (PST) (envelope-from nobody)
Message-Id: <200204020431.g324VXN57456@freefall.freebsd.org>
Date: Mon, 1 Apr 2002 20:31:33 -0800 (PST)
From: Joe Barbish
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: docs/36642: 4.5 man page on ipfw new option limit is way too vague.
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         36642
>Category:       docs
>Synopsis:       4.5 man page on ipfw new option limit is way too vague.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 01 20:40:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Joe Barbish
>Release:        4.5
>Organization:
>Environment:
>Description:
In FBSD version 4.5 there is a new ipfw rule option called limit. Below is the man page on this option.

*******************************************************************
limit {src-addr | src-port | dst-addr | dst-port} N
     The firewall will only allow N connections with the same set of
     parameters as specified in the rule.  One or more of source and
     destination addresses and ports can be specified.  To limit the
     number of connections a user can open you can use the following
     type of rules:

         ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
         ipfw add allow tcp from any to me setup limit src-addr 4

     The former (assuming it runs on a gateway) will allow each host on
     a /24 network to open at most 10 TCP connections.  The latter can
     be placed on a server to make sure that a single client does not
     use more than 4 simultaneous connections.
*******************************************************************

I find it hard to comprehend from this verbiage what the author is trying to say.

Using this example:

    ipfw add allow tcp from any to me setup limit src-addr 4

Is it saying that for each unique IP address in the src IP address field it will allow up to 4 simultaneous connections? So I would see

    src_ip_addr 122.33.45.11 accept
    src_ip_addr 122.33.45.12 accept
    src_ip_addr 122.33.45.12 accept
    src_ip_addr 122.33.45.11 accept
    src_ip_addr 122.33.45.11 accept
    src_ip_addr 122.33.45.12 accept
    src_ip_addr 122.33.45.12 accept
    src_ip_addr 122.33.45.11 accept
    src_ip_addr 122.33.45.11 rejected

or would I see

    src_ip_addr 122.33.45.11 accept
    src_ip_addr 122.33.45.12 accept
    src_ip_addr 122.33.45.12 accept
    src_ip_addr 122.33.45.11 accept
    src_ip_addr 122.33.45.11 rejected
    src_ip_addr 122.33.45.12 rejected
    src_ip_addr 122.33.45.12 rejected
    src_ip_addr 122.33.45.11 rejected
    src_ip_addr 122.33.45.11 rejected

How does limit know when a packet has completed so as to remove it from the count?

The real question is: what is the limit option really doing and how does it do it?

>How-To-Repeat:
>Fix:
Send me a detailed explanation that I can use to suggest some verbiage to add to clarify how the limit option functions.
>Release-Note:
>Audit-Trail:
>Unformatted:
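The man page text quoted in the PR describes a counter kept per distinct value of the named parameter (here, per source address). The Python model below is an added illustration of that behaviour and is not FreeBSD's ipfw code, which keeps this state inside the kernel as dynamic rules that age out; the table layout, the idle timeout, the addresses and ports, and the verdict names "accept" and "drop" are all constructed for the example. It replays the nine connection attempts from the PR through `limit src-addr 4`, each attempt with a fresh source port so that it is a distinct flow, and separately shows a slot being freed when a tracked connection is torn down or its entry goes idle past the timeout.

```python
# Added illustration of a per-source-address connection limit of the kind
# the quoted ipfw(8) text describes.  NOT FreeBSD code: the real firewall
# keeps this state as dynamic rules in the kernel.  Table layout, timeout,
# addresses, ports and verdict names are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class SrcAddrLimit:
    """Model of 'limit src-addr N': at most N tracked flows per source address."""
    n: int
    idle_timeout: float = 300.0          # assumed lifetime of an idle entry
    # src address -> {(src_port, dst_addr, dst_port): last_seen_timestamp}
    table: dict = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Forget entries idle longer than the timeout, so a flow that never
        closed cleanly still stops counting against its source eventually."""
        for src in list(self.table):
            conns = self.table[src]
            for key, seen in list(conns.items()):
                if now - seen > self.idle_timeout:
                    del conns[key]
            if not conns:
                del self.table[src]

    def setup(self, src, sport, dst, dport, now: float) -> str:
        """A new TCP connection attempt (the 'setup' SYN) from src:sport."""
        self._expire(now)
        conns = self.table.setdefault(src, {})
        key = (sport, dst, dport)
        if key in conns:                  # retransmitted SYN of a known flow
            conns[key] = now
            return "accept"
        if len(conns) >= self.n:          # this source already holds N slots
            return "drop"
        conns[key] = now
        return "accept"

    def teardown(self, src, sport, dst, dport) -> None:
        """FIN/RST seen: the flow's entry is removed, freeing one slot."""
        conns = self.table.get(src, {})
        conns.pop((sport, dst, dport), None)
        if not conns:
            self.table.pop(src, None)

    def open_count(self, src) -> int:
        return len(self.table.get(src, {}))


def run_submitted_sequence(n: int = 4) -> list:
    """Replay the PR's nine SYNs (constructed ports) through a limit of n and
    return the verdict for each, in arrival order."""
    fw = SrcAddrLimit(n)
    sources = ["122.33.45.11", "122.33.45.12", "122.33.45.12",
               "122.33.45.11", "122.33.45.11", "122.33.45.12",
               "122.33.45.12", "122.33.45.11", "122.33.45.11"]
    verdicts = []
    for i, src in enumerate(sources):
        # each attempt uses a fresh source port, so each is a distinct flow
        verdicts.append(fw.setup(src, 40000 + i, "10.0.0.1", 80, now=float(i)))
    return verdicts


def slot_freed_by_teardown(n: int = 2) -> list:
    """Closing a tracked connection, or letting its entry time out, makes
    room for the next attempt from the same source."""
    fw = SrcAddrLimit(n, idle_timeout=60.0)
    src, dst = "192.0.2.10", "10.0.0.1"
    v = [fw.setup(src, 50000, dst, 80, 0.0),
         fw.setup(src, 50001, dst, 80, 1.0),
         fw.setup(src, 50002, dst, 80, 2.0)]       # third flow: over the limit
    fw.teardown(src, 50000, dst, 80)               # first flow closes
    v.append(fw.setup(src, 50002, dst, 80, 3.0))   # retry now fits
    v.append(fw.setup(src, 50003, dst, 80, 100.0)) # earlier entries idle > 60 s
    return v


if __name__ == "__main__":
    for src_verdict in run_submitted_sequence():
        print(src_verdict)
    print(slot_freed_by_teardown())
```

With `limit src-addr 4` the replay yields eight accepts followed by one drop for the fifth attempt from 122.33.45.11, which is the first of the two sequences in the PR: the four attempts from 122.33.45.12 are counted against that address only. The second function shows why the count does not grow without bound: an entry leaves the table when its flow is torn down or when it has been idle longer than the model's timeout.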