Date: Sun, 14 Sep 2003 16:48:26 -0400
From: Bruce Campbell <bruce@engmail.uwaterloo.ca>
To: freebsd-questions@freebsd.org
Subject: ipfw2 loss of feature ?
Message-ID: <1063572506.3f64d41a7e914@www.nexusmail.uwaterloo.ca>
With ipfw1 on 4.8 I use this:

ipfw add 10 check-state
ipfw add 20 allow tcp from xxx.xxx.xxx.0/24 to any keep-state limit src-addr 10

to provide stateful firewalling, and limit the number of simultaneous tcp sessions to 10 per client. Seems to work great.

On 4.8 I tried ipfw2 (kernel with options IPFW2 and rebuilt ipfw and libalias with -DIPFW2 as instructed in "man ipfw"). When I tried ipfw2, as I wanted keepalives, I get an error when I run "ipfw":

only one of keep-state and limit is allowed

How can I do both the stateful firewalling and limit the simultaneous sessions, with ipfw2 ?

Thanks

----
ps. As an aside, I also patch /usr/src/sys/netinet/ip_fw.c to be more verbose when it drops a session...

--- ip_fw.c	Sun Sep 14 15:33:16 2003
+++ ip_fw.old	Sun Sep 14 15:31:10 2003
@@ -999,9 +999,7 @@
 	if (fw_verbose && last_log != time_second) {
 		last_log = time_second;
 		log(LOG_SECURITY | LOG_DEBUG,
-		    "drop session 0x%08x %u -> 0x%08x %u, TOO many entries \n",
-		    (args->f_id.src_ip), (args->f_id.src_port),
-		    (args->f_id.dst_ip), (args->f_id.dst_port));
+		    "drop session, too many entries\n");
 	}
 	return 1;
 }

--
Bruce Campbell
Engineering Computing   CPH-2374B
University of Waterloo
(519)888-4567 ext 5889

----------------------------------------
This mail sent through www.mywaterloo.ca
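Review bot: the diff is generated in the wrong direction: the header lists the modified file (`--- ip_fw.c`) as the old side and the stock file (`+++ ip_fw.old`) as the new side, so the `-` lines are actually the proposed addition and feeding this to `patch` would strip the verbose message from an already-patched tree; regenerate it as `diff -u ip_fw.old ip_fw.c` so the four-argument `log()` call appears as `+` lines. Two smaller points on the verbose message itself: `0x%08x` prints `args->f_id.src_ip` and `dst_ip` as raw 32-bit hex words rather than dotted quads, which makes correlating the drops with other firewall logs harder than it needs to be, and the existing `last_log != time_second` guard already rate-limits this line to one per second, so the extra detail costs nothing in log volume.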