From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Date: Sun, 04 Dec 2011 00:13:21 +0400
To: Blog Tieng Viet
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Limit src address may not work well:
List-Id: IPFW Technical Discussions

Blog Tieng Viet wrote:
> Dear all,
>
> I am using IPFW in FreeBSD 7.3-RELEASE.
> I have the following problem:
>
> Limit src address may not work well:
>
> For example, I want to limit the Google robot to no more than 1 connection establishment:
>
> ${fwcmd} add 5625 pass tcp from 66.249.0.0/16 to me 80 limit src-addr 1
>
> But I saw about 6 ESTABLISHED connections from this address in the results of "netstat -n".
>
> Is it my mistake? Please give me some advice.
Do you have some rule before 5625 consuming all TCP established traffic, for example? You need to get ALL traffic from '66.249.0.0/16 to me 80' to match this exact rule.

>
> Best regards.
>
>
> --- On Thu, 11/3/11, Tim Gustafson wrote:
>
>> From: Tim Gustafson
>> Subject: Re: IPFW Problems
>> To: "Michael Sierchio"
>> Cc: freebsd-ipfw@freebsd.org
>> Date: Thursday, November 3, 2011, 1:56 AM
>>
>>> You may want to tweak the sysctl items that control the lifespan
>>> of dynamic rules.
>>>
>>> sysctl net.inet.ip.fw
>>>
>>> in particular, the default value of net.inet.ip.fw.dyn_ack_lifetime
>>> is probably way too long for your purposes.
>>
>> Here's what I have right now:
>>
>> root@bsd-02: sysctl net.inet.ip.fw
>> net.inet.ip.fw.static_count: 48
>> net.inet.ip.fw.default_to_accept: 0
>> net.inet.ip.fw.tables_max: 128
>> net.inet.ip.fw.default_rule: 65535
>> net.inet.ip.fw.verbose_limit: 0
>> net.inet.ip.fw.verbose: 0
>> net.inet.ip.fw.autoinc_step: 100
>> net.inet.ip.fw.one_pass: 1
>> net.inet.ip.fw.enable: 1
>> net.inet.ip.fw.dyn_keepalive: 1
>> net.inet.ip.fw.dyn_short_lifetime: 5
>> net.inet.ip.fw.dyn_udp_lifetime: 10
>> net.inet.ip.fw.dyn_rst_lifetime: 1
>> net.inet.ip.fw.dyn_fin_lifetime: 1
>> net.inet.ip.fw.dyn_syn_lifetime: 20
>> net.inet.ip.fw.dyn_ack_lifetime: 300
>> net.inet.ip.fw.dyn_max: 32768
>> net.inet.ip.fw.dyn_count: 805
>> net.inet.ip.fw.curr_dyn_buckets: 256
>> net.inet.ip.fw.dyn_buckets: 256
>>
>> I'm assuming that's in seconds. Is 300 seconds too long? It seems like
>> the dynamic rules are hanging around for hours or days, and I think the
>> timeout is getting reset by the fact that the system is constantly
>> sending out ACK packets to clients that aren't acknowledging them.
>>
>> Tim Gustafson
>> tjg@soe.ucsc.edu
>> Baskin School of Engineering, UC Santa Cruz
>> Baskin Engineering 317B
>> 831-459-5354
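As an added check (example script written for this page, not code from the thread), the following parses `netstat -n` output in FreeBSD's `host.port` format and reports foreign addresses inside 66.249.0.0/16 that hold more ESTABLISHED connections to local port 80 than the `limit src-addr 1` rule should allow. The netstat sample is constructed; the network, port and limit default to the values in the original rule.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -n` output (FreeBSD prints "host.port").
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          66.249.71.5.54321      ESTABLISHED
tcp4       0      0 192.0.2.10.80          66.249.71.5.54322      ESTABLISHED
tcp4       0      0 192.0.2.10.80          66.249.71.5.54323      ESTABLISHED
tcp4       0      0 192.0.2.10.80          66.249.66.1.40001      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.9.1111       TIME_WAIT
tcp4       0      0 192.0.2.10.22          198.51.100.7.40000     ESTABLISHED
"""


def split_host_port(field):
    """FreeBSD netstat writes 'host.port'; the port is the last dotted component."""
    host, port = field.rsplit(".", 1)
    return host, int(port)


def established_per_source(netstat_text, network, local_port):
    """Count ESTABLISHED TCP connections to local_port per foreign address in network."""
    net = ipaddress.ip_network(network)
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the banner and column header; only tcp4/tcp6 rows carry a state.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _, lport = split_host_port(fields[3])
        fhost, _ = split_host_port(fields[4])
        if fields[5] != "ESTABLISHED" or lport != local_port:
            continue
        try:
            faddr = ipaddress.ip_address(fhost)
        except ValueError:
            continue  # e.g. '*' wildcards on listening sockets
        if faddr in net:
            counts[str(faddr)] += 1
    return counts


def over_limit(netstat_text, network="66.249.0.0/16", local_port=80, limit=1):
    """Sources whose ESTABLISHED count exceeds what 'limit src-addr <limit>' permits."""
    counts = established_per_source(netstat_text, network, local_port)
    return {src: n for src, n in counts.items() if n > limit}
```

A non-empty result shows the symptom the poster describes, not its cause; the next step is to compare the per-rule counters from `ipfw show` to see which earlier rule those packets are actually matching instead of rule 5625.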