Date: Tue, 20 Feb 2007 15:19:57 -0800
From: Julian Elischer <julian@elischer.org>
To: admin <admin@azuni.net>
Cc: freebsd-net@freebsd.org, Ian Smith <smithi@nimnet.asn.au>, freebsd-questions@freebsd.org
Subject: Re: ipfw limit src-addr woes
Message-ID: <45DB821D.4050508@elischer.org>
In-Reply-To: <45D9D25E.1050007@azuni.net>
References: <Pine.BSF.3.96.1070219235025.26249C-100000@gaia.nimnet.asn.au> <45D9D25E.1050007@azuni.net>
admin wrote:

> Wrong: the implied "check-state" done by the "limit" lets the connection
> through (i.e. performs the action) iff there's state recorded for it
> (src-addr+src-port+dst-addr+dst-port). If however it's a SYN packet
> incoming and the number of current states is trying to cross the limit,
> the SYN packet is implicitly dropped and the search terminates.
>
> This is not to say that I completely understand the things going on when
> the connections start building up (different timeouts?) but the above
> conclusion is based on what simulation has shown. The whole ruleset fits
> on one screen, there's an "allow ip from any to any" in the end, so I'm
> pretty sure I'm not crazy :-)

One thing to keep in mind is that a 'check-state' rule works by effectively
jumping to the rule that did the 'keep-state' and re-executing it (and
incrementing its stats).
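The behaviour discussed in the thread, as an added example that is not part of the thread and not ipfw's code: a small Python model of a "limit src-addr N" rule, its implied check-state, and the way a matched state is charged to the rule that created it rather than to the check-state rule. Rule numbers, addresses, the limit value and the packet sequence are constructed, and state timeouts are not modelled.

```python
from dataclasses import dataclass, field
# Constructed model of the ipfw behaviour described in the thread, not ipfw's
# own code. Rule numbers, the limit value, addresses and the packet sequence
# are made up. State timeouts are not modelled.

@dataclass
class Rule:
    number: int
    action: str                 # "check-state", "allow" or "deny"
    setup_only: bool = False    # the "setup" keyword: body matches SYN only
    limit_src_addr: int = 0     # "limit src-addr N"; 0 means no dynamic rule
    packets: int = 0            # the counter "ipfw -a list" would show

@dataclass
class Firewall:
    rules: list
    states: dict = field(default_factory=dict)  # 4-tuple -> creating rule number

    def process(self, src, sport, dst, dport, syn):
        """Return (verdict, number of the rule charged) for one TCP packet."""
        key = (src, sport, dst, dport)
        for rule in self.rules:
            if rule.action == "check-state":
                if key not in self.states:
                    continue                # no state: keep searching
                # existing state: jump to the creating rule, re-run it, bump ITS counter
                owner = next(r for r in self.rules if r.number == self.states[key])
                owner.packets += 1
                return owner.action, owner.number
            if rule.setup_only and not syn:
                continue                    # body does not match
            if rule.limit_src_addr:         # implied check-state of "limit"
                if key in self.states:
                    rule.packets += 1
                    return rule.action, rule.number
                if sum(k[0] == src for k in self.states) >= rule.limit_src_addr:
                    return "deny", rule.number  # SYN over the limit: dropped, search ends
                self.states[key] = rule.number
            rule.packets += 1
            return rule.action, rule.number
        return "deny", 0                    # nothing matched (assumed default)

def demo(limit=2):
    fw = Firewall([Rule(100, "check-state"),
                   Rule(200, "allow", setup_only=True, limit_src_addr=limit),
                   Rule(65000, "allow")])       # "allow ip from any to any"
    verdicts = [fw.process("10.0.0.5", p, "192.0.2.1", 22, True) for p in (40001, 40002, 40003)]
    verdicts.append(fw.process("10.0.0.5", 40001, "192.0.2.1", 22, False))  # data, via check-state
    verdicts.append(fw.process("10.0.0.6", 40001, "192.0.2.1", 22, True))   # other source: own limit
    return verdicts, fw
```

With the limit at 2, the third SYN from 10.0.0.5 is refused while the data packet of its first connection and a SYN from another source pass, and only rule 200's counter moves.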