Date: Sun, 15 Apr 2007 14:49:22 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Ivan Voras <ivoras@fer.hr>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw, keep-state and limit
Message-ID: <20070415144922.A39338@xorpc.icir.org>
In-Reply-To: <evu0kp$9u9$1@sea.gmane.org>; from ivoras@fer.hr on Sun, Apr 15, 2007 at 10:06:37PM +0200
References: <evu0kp$9u9$1@sea.gmane.org>
On Sun, Apr 15, 2007 at 10:06:37PM +0200, Ivan Voras wrote:
> I think I need to start filtering based on simultaneous connections from
> source IP addresses because of some abuse that's apparently going on,
> so, as I'm already using ipfw, I tried this:
>
> # ipfw add 6079 allow tcp from any to me 80 setup keep-state limit
> src-addr 10
>
> To which ipfw replied:
>
> ipfw: only one of keep-state andlimit is allowed
>
> (including the "andlimit" typo).
>
> What I'm trying to do makes sense to me (and seems straightforward to
> implement, at least semantically): allow connections to port 80 with
> dynamic keep-state rules for individual clients, but allow only 10
> connections from the same address. Is this a limitation in ipfw? Any
> suggestions?

If I remember well (the implementation dates back to 2001 or so) you just
need to use "limit", as it implicitly installs a dynamic state entry (same
as keep-state).

cheers
luigi
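The rule set below is an added example, not code from either poster. It shows the rejected "keep-state limit" form beside the working "limit"-only form that Luigi describes, wrapped in the check-state and deny rules a practitioner would put around it. The rule number 6079 and the cap of 10 connections per source come from the question; the neighbouring rule numbers, the surrounding rules and the IPFW dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original thread): per-source connection
# limiting for port 80 with ipfw, using "limit" alone as the reply suggests.
# Rule 6079 and "limit src-addr 10" come from the question; the check-state
# rule, the trailing deny and the rule numbers 6078/6080 are assumed here.
# IPFW defaults to "echo" so the script previews the rules; set IPFW=ipfw
# (as root on a FreeBSD host) to actually install them.

IPFW="${IPFW:-echo}"

web_limit_rules() {
    # Match packets against existing dynamic entries first, so the rest of
    # an already-accepted connection never has to reach the "setup" rule.
    $IPFW add 6078 check-state

    # The form ipfw rejected in the question, kept for comparison only:
    #   $IPFW add 6079 allow tcp from any to me 80 setup keep-state limit src-addr 10
    # "limit" already creates a dynamic state entry for the flow, so
    # "keep-state" is redundant and ipfw refuses the combination.
    # With "setup" the rule sees only the initial SYN; the dynamic entry it
    # installs carries the remaining packets of that connection.
    $IPFW add 6079 allow tcp from any to me 80 setup limit src-addr 10

    # Anything else to port 80 that matched neither a dynamic entry nor a
    # permitted SYN is denied here. A SYN that would push a source past the
    # cap is dropped by the limit rule itself and does not fall through.
    $IPFW add 6080 deny tcp from any to me 80
}

web_limit_rules
```

Run it as-is to see the three rules printed; run it with IPFW=ipfw to load them. Because the dynamic entries expire on their own timers, a client that closes its connections cleanly frees its slots, while an abuser holding 10 half-open or idle sessions is refused further SYNs until those entries age out.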