From owner-freebsd-questions@FreeBSD.ORG  Sat Feb 17 20:30:10 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 29E5016A406
	for <freebsd-questions@freebsd.org>;
	Sat, 17 Feb 2007 20:30:10 +0000 (UTC) (envelope-from admin@azuni.net)
Received: from mail.azuni.net (ns0.azuni.net [217.25.25.3])
	by mx1.freebsd.org (Postfix) with ESMTP id 238C913C494
	for <freebsd-questions@freebsd.org>;
	Sat, 17 Feb 2007 20:30:08 +0000 (UTC) (envelope-from admin@azuni.net)
Received: (qmail 11283 invoked by uid 1004); 17 Feb 2007 20:03:26 -0000
Received: from admin@azuni.net by mail.azuni.net by uid 89 with
	qmail-scanner-1.20 
	(clamscan: 0.65. spamassassin: 2.63.  Clear:RC:1(217.25.23.9):. 
	Processed in 0.019759 secs); 17 Feb 2007 20:03:26 -0000
Received: from unknown (HELO ?217.25.23.9?) (217.25.23.9)
	by ns0.azuni.net with AES256-SHA encrypted SMTP;
	17 Feb 2007 20:03:26 -0000
Message-ID: <45D75F87.6050908@azuni.net>
Date: Sun, 18 Feb 2007 00:03:19 +0400
From: admin <admin@azuni.net>
Organization: UniNet
User-Agent: Debian Thunderbird 1.0.2 (X11/20070113)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-net@freebsd.org,  freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: 
Subject: ipfw limit src-addr woes
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Feb 2007 20:30:10 -0000

Hi, I'm trying to use ipfw's limit clause to limit the number of 
connections a single IP can have at the same time in a transparent 
web-proxy environment:

00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 
80 in via if0 setup limit src-addr 10
00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
... the rest fwd...

the problem is that the src-addr limit is not enforced for some nasty 
clients that open a huge number (3-5 times the prescribed value) of 
www-connections to some single address Out There, forcing you to bump up 
certain sysctl variables (such as kern.ipc.nmbclusters, 
kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be 
going on? Is ipfw broken, or am I misusing it?

OS: FreeBSD 6.2