From owner-freebsd-questions@FreeBSD.ORG Sun Sep 14 13:48:31 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 69BC616A4BF for ; Sun, 14 Sep 2003 13:48:31 -0700 (PDT)
Received: from ecserv7.uwaterloo.ca (ecserv7.uwaterloo.ca [129.97.50.127]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2F4C143F93 for ; Sun, 14 Sep 2003 13:48:28 -0700 (PDT) (envelope-from bruce@engmail.uwaterloo.ca)
Received: from ecserv7.uwaterloo.ca (localhost.uwaterloo.ca [127.0.0.1]) h8EKmQjA040672 for ; Sun, 14 Sep 2003 16:48:26 -0400 (EDT) (envelope-from bruce@engmail.uwaterloo.ca)
Received: (from www@localhost) by ecserv7.uwaterloo.ca (8.12.6p2/8.12.6/Submit) id h8EKmQJi040671 for freebsd-questions@freebsd.org; Sun, 14 Sep 2003 16:48:26 -0400 (EDT) (envelope-from bruce@engmail.uwaterloo.ca)
X-Authentication-Warning: ecserv7.uwaterloo.ca: www set sender to bruce@engmail.uwaterloo.ca using -f
Received: from 65.93.98.147 ( [65.93.98.147]) HTTP; Sun, 14 Sep 2003 16:48:26 -0400
Message-ID: <1063572506.3f64d41a7e914@www.nexusmail.uwaterloo.ca>
Date: Sun, 14 Sep 2003 16:48:26 -0400
From: Bruce Campbell
To: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.1 / FreeBSD-4.6.2
X-Originating-IP: 65.93.98.147
Subject: ipfw2 loss of feature ?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Sun, 14 Sep 2003 20:48:31 -0000

With ipfw1 on 4.8 I use this:

ipfw add 10 check-state
ipfw add 20 allow tcp from xxx.xxx.xxx.0/24 to any keep-state limit src-addr 10

to provide stateful firewalling, and limit the number of simultaneous tcp
sessions to 10 per client.  Seems to work great.

On 4.8 I tried ipfw2 (kernel with options IPFW2 and rebuilt ipfw and
libalias with -DIPFW2 as instructed in "man ipfw").

When I tried ipfw2, as I wanted keepalives, I get an error when I run "ipfw":

only one of keep-state and limit is allowed

How can I do both the stateful firewalling and limit the simultaneous
sessions, with ipfw2?

Thanks

----

ps.  As an aside, I also patch /usr/src/sys/netinet/ip_fw.c to be more
verbose when it drops a session...

--- ip_fw.c	Sun Sep 14 15:33:16 2003
+++ ip_fw.old	Sun Sep 14 15:31:10 2003
@@ -999,9 +999,7 @@
 	if (fw_verbose && last_log != time_second) {
 		last_log = time_second;
 		log(LOG_SECURITY | LOG_DEBUG,
-		    "drop session 0x%08x %u -> 0x%08x %u, TOO many entries \n",
-		    (args->f_id.src_ip), (args->f_id.src_port),
-		    (args->f_id.dst_ip), (args->f_id.dst_port));
+		    "drop session, too many entries\n");
 	}
 	return 1;
 }

-- 
Bruce Campbell
Engineering Computing
CPH-2374B
University of Waterloo
(519)888-4567 ext 5889

----------------------------------------
This mail sent through www.mywaterloo.ca
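Review bot: the diff is inverted for what the post describes: ip_fw.c (the file that was made "more verbose") is the `---` side and ip_fw.old is the `+++` side, so the three-line verbose `log()` call shows up as removed (`-`) lines and the stock one-line message `"drop session, too many entries\n"` as added, which means `patch` would apply it backwards; regenerate it as `diff -u ip_fw.old ip_fw.c` so the verbose call is the `+` side. In the verbose format string, addresses are printed as raw `0x%08x` hex and there is a stray space before `\n`; printing them as dotted quads would make the entries easier to read and grep when the limit fires.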
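The verbose message in the poster's patch is only useful if something reads it, so here is an added example (not part of the post or of FreeBSD) that parses such lines out of a syslog stream and counts, per client address, how often the per-client session limit fired. The log lines are constructed samples; the interpretation of the `0x%08x` value as the address with the first octet in the most significant byte is an assumption, as is the syslog prefix.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Pattern for the verbose message from the poster's ip_fw.c change:
#   "drop session 0x%08x %u -> 0x%08x %u, TOO many entries"
# A syslog prefix such as "Sep 14 16:40:01 gw /kernel: " may precede it
# (assumed; it is not specified in the post).
DROP_RE = re.compile(
    r"drop session 0x(?P<src>[0-9a-fA-F]{8}) (?P<sport>\d+) -> "
    r"0x(?P<dst>[0-9a-fA-F]{8}) (?P<dport>\d+), TOO many entries"
)

# Constructed sample log lines (not real data). Lines 1-3 use the verbose
# format; line 4 is the stock terse message; line 5 is an ordinary ipfw
# accept line and must be ignored.
SAMPLE_LOG = [
    "Sep 14 16:40:01 gw /kernel: drop session 0xc0a80105 51234 -> 0x0a000001 80, TOO many entries",
    "Sep 14 16:40:02 gw /kernel: drop session 0xc0a80105 51240 -> 0x0a000001 443, TOO many entries",
    "Sep 14 16:40:05 gw /kernel: drop session 0xc0a80107 40000 -> 0x0a000002 22, TOO many entries",
    "Sep 14 16:40:09 gw /kernel: drop session, too many entries",
    "Sep 14 16:40:10 gw /kernel: ipfw: 20 Accept TCP 192.168.1.7:40001 10.0.0.2:22 in via fxp0",
]


def hex_to_ip(hex_addr: str) -> str:
    """Render the 0x%08x value as a dotted quad.

    Assumption: the first octet of the address is in the most significant
    byte of the printed value, so 0xc0a80105 means 192.168.1.5.
    """
    return str(IPv4Address(int(hex_addr, 16)))


def parse_drop(line: str):
    """Return a dict for a verbose drop line, or None for any other line."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    return {
        "src": hex_to_ip(m["src"]),
        "sport": int(m["sport"]),
        "dst": hex_to_ip(m["dst"]),
        "dport": int(m["dport"]),
    }


def drops_per_source(lines) -> Counter:
    """Count logged limit drops per client (source) address."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is not None:
            counts[rec["src"]] += 1
    return counts


def sources_at_or_above(lines, threshold: int):
    """Clients with at least `threshold` logged drops, most frequent first."""
    counts = drops_per_source(lines)
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in drops_per_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} logged drop(s)")
```

Note that the kernel code in the hunk only logs when `last_log != time_second`, i.e. at most once per second, so the counts are seconds in which the limit fired for that client rather than the number of refused connections; a client that stays at or above the threshold is the one worth looking at, not a single entry.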