From owner-freebsd-pf@FreeBSD.ORG Sun Jun 5 19:23:53 2005
From: Daniel Gerzo <danger@rulez.sk>
Date: Sun, 5 Jun 2005 21:20:41 +0200
To: Riccardo Giuntoli
Cc: Giorgos Keramidas, freebsd-pf@freebsd.org
Subject: Re[2]: limit number of tcp connection for a GID
Message-ID: <172915679.20050605212041@rulez.sk>
In-Reply-To: <31fbaca90506051212134e383e@mail.gmail.com>
References: <31fbaca905060510563c64eb49@mail.gmail.com>
 <20050605181315.GE16327@gothmog.gr>
 <31fbaca905060511367d24e3ec@mail.gmail.com>
 <20050605184032.GA66090@gothmog.gr>
 <31fbaca90506051212134e383e@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Reply-To: Daniel Gerzo
X-List-Received-Date: Sun, 05 Jun 2005 19:23:53 -0000

Hi Riccardo,

Sunday, June 5, 2005, 9:12:44 PM, you wrote:

> On 6/5/05, Giorgos Keramidas wrote:
> ...
>> No trace of uid or gid matching though. I thought it was specifically
>> uid/gid matching that you were after.
>
> Here you are the complete fantastic rule:
>
> pass out quick proto tcp from $irc_subnet to any port {4004, 5555, 5667, 6660, 6661, 6662, 6663, 6664,\
>     6665, 6666, 6667, 6668, 6669, 7000} user >= 1009 modulate state (max 3)
>
> I've got a /23 subnet and I want that user UID > 1009 use only two
> connections to ircd.
> The rule is correct, all goes in the right way :)
> Regards

(31 Oct 2004) When the user/group rule clauses in pf(4) and ipfw(4) are
used, the loader tunable debug.mpsafenet must be set to 0 (this is 1 by
default). For example, the following rules are affected:

  for ipfw(4):
    count ip from any to 192.168.2.1 uid root

  for pf(4):
    block log quick proto { tcp, udp } all user root

To set debug.mpsafenet to 0 on every boot, add the following line into
/boot/loader.conf:

  debug.mpsafenet=0

More specifically, the group and user filter parameters in pf(4), and the
gid, jail, and uid rule options in ipfw(4) are affected. If debug.mpsafenet
is set to 1, the system can hang when the rule is evaluated due to a lock
order reversal with the socket layer. More details can be found in the
ipfw(8) and pf.conf(5) manual pages.

--
Best regards
 DanGer, ICQ: 261701668 | e-mail protecting at: http://www.2pu.net/
 http://danger.rulez.sk | proxy list at: http://www.proxy-web.com/
 | FreeBSD - The Power to Serve!
 [ "640K should be enough memory for anyone." - Bill Gates ]
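An added preflight check, not from this thread or from FreeBSD itself, that refuses to load a pf.conf containing user/group clauses while debug.mpsafenet is still 1, so the lock order reversal the errata note describes is caught before pfctl runs. The function names, the sample rulesets and the 10.0.0.0/23 subnet are constructed for the example; the tunable value is passed in as a parameter so the logic can be exercised on hosts without that sysctl.

```shell
#!/bin/sh
# Added example (not the list poster's or FreeBSD's code): refuse to load
# a pf.conf that filters on uid/gid while debug.mpsafenet=1 would hang
# the machine on rule evaluation. Assumes one rule per line; a "\"
# continuation is fine as long as the user/group clause itself is not
# split across the break.

# Returns 0 if the ruleset in $1 uses a user or group clause, 1 otherwise.
# Comments are stripped first so the word "user" in a comment does not count.
pf_uses_user_or_group() {
    sed 's/#.*//' "$1" | grep -Eq '(^|[[:space:]])(user|group)[[:space:]]'
}

# Returns 0 if ruleset $1 may be loaded given debug.mpsafenet value $2.
# On a live FreeBSD host pass "$(sysctl -n debug.mpsafenet)" as $2.
# An empty or non-zero value is treated as unsafe (fail closed).
pf_ruleset_safe_to_load() {
    if pf_uses_user_or_group "$1" && [ "$2" != "0" ]; then
        echo "refusing $1: uid/gid filtering with debug.mpsafenet=$2" >&2
        echo "add debug.mpsafenet=0 to /boot/loader.conf and reboot first" >&2
        return 1
    fi
    return 0
}

# Writes two constructed sample rulesets into directory $1 for a dry run:
# one with a user clause (modelled on the thread's rule) and one without.
write_sample_rulesets() {
    cat > "$1/pf_uid.conf" <<'EOF'
irc_subnet = "10.0.0.0/23"   # constructed value, not the poster's subnet
# limit every UID above 1009 to three states towards the IRC ports
pass out quick proto tcp from $irc_subnet to any port { 6667, 7000 } \
    user >= 1009 modulate state (max 3)
EOF
    cat > "$1/pf_plain.conf" <<'EOF'
# no uid/gid matching here; the word "user" in this comment must not count
pass out quick proto tcp from 10.0.0.0/23 to any port 6667 keep state
EOF
}

# Dry run: the uid ruleset is refused with the tunable at 1, accepted at 0.
demo() {
    d=$(mktemp -d)
    write_sample_rulesets "$d"
    pf_ruleset_safe_to_load "$d/pf_uid.conf" 1 || echo "blocked as expected"
    pf_ruleset_safe_to_load "$d/pf_uid.conf" 0 && echo "ok with mpsafenet=0"
    rm -rf "$d"
}
```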