From owner-freebsd-questions@FreeBSD.ORG Tue Feb 20 23:30:33 2007
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BE62216B677; Tue, 20 Feb 2007 23:30:33 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from outK.internet-mail-service.net (outK.internet-mail-service.net [216.240.47.234]) by mx1.freebsd.org (Postfix) with ESMTP id 9CACE13C491; Tue, 20 Feb 2007 23:30:33 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.32) with ESMTP; Tue, 20 Feb 2007 14:55:47 -0800
Received: from [10.251.22.38] (nat.ironport.com [63.251.108.100]) by idiom.com (Postfix) with ESMTP id DF12E125B2B; Tue, 20 Feb 2007 15:19:58 -0800 (PST)
Message-ID: <45DB821D.4050508@elischer.org>
Date: Tue, 20 Feb 2007 15:19:57 -0800
From: Julian Elischer
User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207)
MIME-Version: 1.0
To: admin
References: <45D9D25E.1050007@azuni.net>
In-Reply-To: <45D9D25E.1050007@azuni.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Ian Smith, freebsd-questions@freebsd.org
Subject: Re: ipfw limit src-addr woes
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 20 Feb 2007 23:30:33 -0000

admin wrote:
>
> Wrong: the implied "check-state" done by the "limit" lets the connection
> through (i.e. performs the action) iff there's state recorded for it
> (src-addr+src-port+dst-addr+dst-port). If however it's a SYN packet
> incoming and the number of current states is trying to cross the limit,
> the SYN packet is implicitly dropped and the search terminates.
>
> This is not to say that I completely understand the things going on when
> the connections start building up (different timeouts?) but the above
> conclusion is based on what simulation has shown. The whole ruleset fits
> on one screen, there's an "allow ip from any to any" in the end, so I'm
> pretty sure I'm not crazy :-)

One thing to keep in mind is that a 'check-state' rule works by effectively
jumping to the rule that did the 'keep-state' and re-executing it (and
incrementing its stats).
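As an added example that is not part of this thread, here is a minimal ipfw ruleset in the shape the discussion assumes: an explicit check-state, a limit rule that only sees SYN (setup) packets, and a trailing allow-all. The rule numbers, port 22 and the per-source limit of 5 are assumed values; set IPFW="echo ipfw" to print the commands instead of loading them.

```shell
#!/bin/sh
# Added example: a small ipfw ruleset illustrating the limit/check-state
# interaction discussed in the thread. Rule numbers, port 22 and the limit
# of 5 are assumed values, not taken from the original message.
# Override IPFW (e.g. IPFW="echo ipfw") for a dry run on a non-FreeBSD host.
IPFW="${IPFW:-ipfw -q}"

load_ruleset() {
    # Explicit check-state: a packet that matches an existing dynamic rule is
    # handled by re-executing the rule that created that state (and bumping
    # that rule's counters), exactly as described above.
    $IPFW add 100 check-state || return 1

    # Only SYN packets ("setup") reach this rule. A SYN from a source that is
    # still under its limit creates state and is allowed. A SYN from a source
    # already holding 5 states is dropped right here and the search ends, so
    # it never falls through to the allow-all rule below.
    $IPFW add 200 allow tcp from any to me 22 setup limit src-addr 5 || return 1

    # Catch-all at the end of the ruleset, as in the thread's ruleset.
    $IPFW add 65000 allow ip from any to any || return 1
}

show_state() {
    # -d lists the dynamic (keep-state/limit) rules next to the static ones,
    # which is the quickest way to watch states accumulate per source.
    $IPFW -d list
}

# The lifetimes behind the "different timeouts?" question are sysctls;
# printing them shows why half-open and established states age differently.
show_timeouts() {
    sysctl net.inet.ip.fw.dyn_syn_lifetime net.inet.ip.fw.dyn_ack_lifetime
}
```

Run `IPFW="echo ipfw" sh -c '. ./ruleset.sh; load_ruleset'` to review the generated rules before loading them on a real host.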