Date:      Sun, 5 Jun 2005 21:20:41 +0200
From:      Daniel Gerzo <danger@rulez.sk>
To:        Riccardo Giuntoli <taglio@gmail.com>
Cc:        Giorgos Keramidas <keramida@ceid.upatras.gr>, freebsd-pf@freebsd.org
Subject:   Re[2]: limit number of tcp connection for a GID
Message-ID:  <172915679.20050605212041@rulez.sk>
In-Reply-To: <31fbaca90506051212134e383e@mail.gmail.com>
References:  <31fbaca905060510563c64eb49@mail.gmail.com> <20050605181315.GE16327@gothmog.gr> <31fbaca905060511367d24e3ec@mail.gmail.com> <20050605184032.GA66090@gothmog.gr> <31fbaca90506051212134e383e@mail.gmail.com>

Hi Riccardo,

Sunday, June 5, 2005, 9:12:44 PM, you wrote:

> On 6/5/05, Giorgos Keramidas <keramida@ceid.upatras.gr> wrote:
> ...
>> No trace of uid or gid matching though.  I thought it was specifically
>> uid/gid matching that you were after.
> Here is the complete fantastic rule:
>
> pass out quick proto tcp from $irc_subnet to any \
>     port { 4004, 5555, 5667, 6660, 6661, 6662, 6663, 6664, 6665, \
>            6666, 6667, 6668, 6669, 7000 } \
>     user >= 1009 modulate state (max 3)
>
> I've got a /23 subnet and I want users with UID > 1009 to use only two
> connections to ircd.
> The rule is correct, everything goes the right way :)
> Regards

(31 Oct 2004) When the user/group rule clauses in pf(4) and ipfw(4)
are used, the loader tunable debug.mpsafenet must be set to 0
(this is 1 by default). For example, the following rules are affected:

for ipfw(4):

count ip from any to 192.168.2.1 uid root

for pf(4):

block log quick proto { tcp, udp } all user root

To set debug.mpsafenet to 0 on every boot, add the following line
into /boot/loader.conf:

debug.mpsafenet=0

More specifically, the group and user filter parameters in pf(4),
and the gid, jail, and uid rule options in ipfw(4) are affected.
If debug.mpsafenet is set to 1, the system can hang when the rule
is evaluated due to a lock order reversal with the socket layer.
More details can be found in the ipfw(8) and pf.conf(5) manual
pages.

-- 
Best regards

 DanGer, ICQ: 261701668  | e-mail protecting at: http://www.2pu.net/
 http://danger.rulez.sk  | proxy list at:        http://www.proxy-web.com/
                         | FreeBSD - The Power to Serve!

[ "640K should be enough memory for anyone." - Bill Gates ]




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?172915679.20050605212041>
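A small audit script, added here as an example (it is not code from the thread, nor from the FreeBSD errata that the reply quotes): it scans a pf ruleset for the user/group clause and an ipfw ruleset for the uid/gid/jail options, and checks whether loader.conf sets debug.mpsafenet=0 as the quoted errata text requires. The pf rule is the one posted above, reflowed; the ipfw rule and the loader.conf lines are the ones from the errata quote; the $irc_subnet value, the function names and the input layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. It checks a ruleset against
# the errata text quoted in the reply: pf's "user"/"group" and ipfw's
# "uid"/"gid"/"jail" matchers need debug.mpsafenet=0 in /boot/loader.conf on the
# affected releases. All input below is constructed for the example; on a real
# host feed it /etc/pf.conf, the ipfw rule file and /boot/loader.conf instead.

# Exit 0 if the pf ruleset on stdin has a user or group clause (comments ignored).
pf_uses_user_group() {
    sed 's/#.*//' | grep -Eq '(^|[[:space:]])(user|group)([[:space:]]|[<>=!])'
}

# Exit 0 if the ipfw ruleset on stdin has a uid, gid or jail option.
ipfw_uses_uid_gid_jail() {
    sed 's/#.*//' | grep -Eq '(^|[[:space:]])(uid|gid|jail)[[:space:]]'
}

# Exit 0 if the loader.conf on stdin sets debug.mpsafenet to 0 (quoted or not).
loader_sets_mpsafenet_off() {
    sed 's/#.*//' | grep -Eq '^[[:space:]]*debug\.mpsafenet[[:space:]]*=[[:space:]]*"?0"?[[:space:]]*$'
}

# audit PF_RULES IPFW_RULES LOADER_CONF
# Exit 0 when the combination is safe, 1 when the tunable still has to be set.
audit() {
    needs=0
    if printf '%s\n' "$1" | pf_uses_user_group; then
        echo "pf: user/group clause present"
        needs=1
    fi
    if printf '%s\n' "$2" | ipfw_uses_uid_gid_jail; then
        echo "ipfw: uid/gid/jail option present"
        needs=1
    fi
    if [ "$needs" -eq 0 ]; then
        echo "no user/group matching rules; debug.mpsafenet may stay at its default"
        return 0
    fi
    if printf '%s\n' "$3" | loader_sets_mpsafenet_off; then
        echo "debug.mpsafenet=0 set in loader.conf: OK"
        return 0
    fi
    echo "WARNING: add debug.mpsafenet=0 to /boot/loader.conf (risk of hang when the rule is evaluated)"
    return 1
}

# Constructed sample input. The pf rule is the one from the thread, reflowed;
# the subnet value is an assumption. The commented-out rule must not count.
PF_SAMPLE='irc_subnet = "10.0.0.0/23"
pass out quick proto tcp from $irc_subnet to any port { 4004, 5555, 5667, 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000 } user >= 1009 modulate state (max 3)
# block log quick proto { tcp, udp } all user root'

IPFW_SAMPLE='add 100 count ip from any to 192.168.2.1 uid root'

LOADER_OK='debug.mpsafenet="0"'
LOADER_BAD='# nothing about mpsafenet in here'

if audit "$PF_SAMPLE" "$IPFW_SAMPLE" "$LOADER_OK"; then echo "sample 1: pass"; fi
if audit "$PF_SAMPLE" "$IPFW_SAMPLE" "$LOADER_BAD"; then :; else echo "sample 2: needs fixing"; fi
```

The keyword scan is deliberately conservative (a whole-word match after comment stripping), so a macro such as $user or a commented-out rule does not trigger it. One caveat on the posted rule itself, from pf.conf(5): `max` limits the number of concurrent states the rule as a whole may create, not the number per user, so `(max 3)` caps all matching UIDs together rather than giving each user its own limit.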