From: admin (UniNet)
To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Date: Sun, 18 Feb 2007 00:03:19 +0400
Subject: ipfw limit src-addr woes

Hi,

I'm trying to use ipfw's limit clause to limit the number of connections a single IP can have at the same time in a transparent web-proxy environment:

    00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 80 in via if0 setup limit src-addr 10
    00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
    ... the rest fwd...
The problem is that the src-addr limit is not enforced for some nasty clients that open a huge number (3-5 times the prescribed value) of www connections to some single address Out There, forcing you to bump up certain sysctl variables (such as kern.ipc.nmbclusters, kern.ipc.maxsockets, etc.) to mitigate the DoS effects.

What might be going on? Is ipfw broken, or am I misusing it?

OS: FreeBSD 6.2
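One way to see what the kernel's dynamic-rule table actually holds for a limit rule like 00350 above, as an added example that is not part of this thread: a Python script that parses `ipfw -d show` output and counts the live LIMIT entries per source address against the configured limit. The sample output is constructed, and its line layout (rule number, packet and byte counters, expiry, PARENT/LIMIT/STATE type, protocol, source and destination) is assumed from FreeBSD 6's ipfw rather than captured from a real box.

```python
import re
from collections import Counter

# Constructed sample of `ipfw -d show` dynamic-rule output. The PARENT line
# for a limit rule is assumed to carry the number of child LIMIT entries.
SAMPLE_IPFW_D_SHOW = """\
## Dynamic rules (6):
00350     0        0 (10s) PARENT 3 tcp 10.1.2.3 0 <-> 0.0.0.0 0
00350    12     1440 (300s) LIMIT tcp 10.1.2.3 50001 <-> 203.0.113.10 80
00350     8      960 (299s) LIMIT tcp 10.1.2.3 50002 <-> 203.0.113.10 80
00350     2      120 (1s) LIMIT tcp 10.1.2.3 50003 <-> 203.0.113.11 80
00350     0        0 (10s) PARENT 1 tcp 10.1.2.4 0 <-> 0.0.0.0 0
00350     3      360 (298s) LIMIT tcp 10.1.2.4 40001 <-> 203.0.113.10 80
"""

DYN_RE = re.compile(
    r"^(?P<rule>\d{5})\s+\d+\s+\d+\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<kind>PARENT\s+\d+|LIMIT|STATE)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def parse_dynamic_rules(text):
    """Yield one dict per dynamic-rule line; headers and blank lines are skipped."""
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            yield m.groupdict()


def limit_report(text, rule, limit):
    """For one rule number, return ({src: (live LIMIT entries, PARENT count)},
    sorted list of sources whose live entry count exceeds `limit`)."""
    live = Counter()
    parent = {}
    for d in parse_dynamic_rules(text):
        if d["rule"] != rule:
            continue
        if d["kind"].startswith("PARENT"):
            parent[d["src"]] = int(d["kind"].split()[1])
        elif d["kind"] == "LIMIT":
            live[d["src"]] += 1
    per_src = {s: (live[s], parent.get(s, 0)) for s in set(live) | set(parent)}
    over = sorted(s for s, (n, _) in per_src.items() if n > limit)
    return per_src, over


if __name__ == "__main__":
    report, over_limit = limit_report(SAMPLE_IPFW_D_SHOW, "00350", 10)
    for src, (n, p) in sorted(report.items()):
        print(f"{src}: {n} live LIMIT entries, PARENT count {p}")
    print("over limit:", over_limit or "none")
```

Comparing the per-source entry count here with what `netstat -n` shows for the same client separates "ipfw is not counting" from "the state entries expired while the sockets stayed open".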