Date:      Sun, 14 Sep 2003 19:00:47 -0400
From:      Bruce Campbell <bruce@engmail.uwaterloo.ca>
To:        Bruce Campbell <bruce@engmail.uwaterloo.ca>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw2 loss of feature ? -- never mind...
Message-ID:  <1063580447.3f64f31f3064f@www.nexusmail.uwaterloo.ca>
In-Reply-To: <1063572506.3f64d41a7e914@www.nexusmail.uwaterloo.ca>
References:  <1063572506.3f64d41a7e914@www.nexusmail.uwaterloo.ca>

Quoting Bruce Campbell <bruce@engmail.uwaterloo.ca>:
> 
> 
> With ipfw1 on 4.8 I use this:
> 
> ipfw add 10 check-state
> ipfw add 20 allow tcp from xxx.xxx.xxx.0/24 to any keep-state limit src-addr 10
> 
> to provide stateful firewalling, and limit the number of simultaneous
> tcp sessions to 10 per client.  Seems to work great.
> 
> On 4.8 I tried ipfw2
> 
> (kernel with options IPFW2 and rebuilt ipfw and libalias with -DIPFW2
> as instructed in "man ipfw")
> 
> When I tried ipfw2, as I wanted keepalives, I got an error
> when I ran "ipfw":
> 
>   only one of keep-state and limit is allowed
> 
> How can I do both the stateful firewalling and limit
> the simultaneous sessions, with ipfw2 ?

Doh, this works as expected (without the "keep-state" statement)...

ipfw add 20 allow tcp from me to any limit src-addr 2

and does the stateful stuff.  Just a syntax nuance between
ipfw1 and ipfw2.

> 
> Thanks
> 
> ----
> 
> ps. As an aside,  I also patch /usr/src/sys/netinet/ip_fw.c to
> be more verbose when it drops a session...
> 
> --- ip_fw.c     Sun Sep 14 15:33:16 2003
> +++ ip_fw.old   Sun Sep 14 15:31:10 2003
> @@ -999,9 +999,7 @@
>                 if (fw_verbose && last_log != time_second) {
>                         last_log = time_second;
>                         log(LOG_SECURITY | LOG_DEBUG,
> -                           "drop session 0x%08x %u -> 0x%08x %u, TOO many entries
> \n",
> -                      (args->f_id.src_ip), (args->f_id.src_port),
> -       (args->f_id.dst_ip), (args->f_id.dst_port));
> +                           "drop session, too many entries\n");
>                 }
>                 return 1;
>             }
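Review bot: the header lines are the wrong way round for what the text says the patch does: `--- ip_fw.c` carries the later timestamp (15:33) and `+++ ip_fw.old` the earlier one (15:31), so in this hunk the `-` lines are the verbose message and the `+` line is the stock terse one, and anyone feeding it to patch(1) would make the kernel quieter, not more verbose. Regenerate it with the original on the left (`diff -u ip_fw.old ip_fw.c`). As pasted it also will not apply, because the mail wrapped the format string across two lines (`TOO many entries` / `\n",`). On the message itself: `0x%08x` prints the two addresses as raw hex, which is awkward to read in the security log, so consider dotted-quad output; and keep the surrounding `last_log != time_second` throttle exactly as it is, since this line fires on whoever opens the connection beyond the limit and the one-per-second cap is all that stands between it and a log flood.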
> 
> 
> -- 
> Bruce Campbell
> Engineering Computing
> CPH-2374B
> University of Waterloo
> (519)888-4567 ext 5889
> 
> ----------------------------------------
> This mail sent through www.mywaterloo.ca
> 


-- 
Bruce Campbell
Engineering Computing
CPH-2374B
University of Waterloo
(519)888-4567 ext 5889

----------------------------------------
This mail sent through www.mywaterloo.ca
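The syntax nuance above, worked through as an added example (this is not code from the original post or from FreeBSD): a small POSIX sh script that rewrites the ipfw1 spelling of the rule into the ipfw2 one and emits a complete ipfw2 ruleset in the file form ipfw(8) reads. The network 192.0.2.0/24, the rule numbers, the cap of 10, the `setup` qualifier and the explicit deny rule are assumptions I added for illustration; the page itself shows only the limit rule.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD: shows the
# ipfw2 spelling of a stateful rule with a per-source session cap, and a
# helper that rewrites the ipfw1 form ("... keep-state limit src-addr N")
# into it.  The network 192.0.2.0/24, the rule numbers and the cap of 10 are
# assumptions chosen for illustration.

# ipfw2 rejects a rule carrying both keywords ("only one of keep-state and
# limit is allowed"): "limit" already creates the dynamic rule, so the
# translation is simply to drop "keep-state" from any rule that has "limit".
ipfw1_to_ipfw2() {
    case "$1" in
        *limit*) printf '%s\n' "$1" | sed 's/[[:space:]]keep-state//' ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Emit an ipfw2 ruleset in ipfw(8) file form (one command per line, the
# leading "ipfw" omitted), suitable for `ipfw -q /path/to/file`.
#   $1  inside network (CIDR)   $2  max simultaneous TCP sessions per source
gen_ruleset() {
    net=$1
    cap=$2
    cat <<EOF
# Packets of flows that already have a dynamic rule match here and
# never reach the limit rule again, so the cap counts flows, not packets.
add 10 check-state
# "limit src-addr $cap" creates a dynamic rule per flow and drops the SYN
# that would open the $((cap + 1))th flow from one source address.
# "setup" restricts rule creation to the SYN, so a stray mid-stream
# packet with no state cannot manufacture a dynamic rule.
add 20 allow tcp from $net to any setup limit src-addr $cap
# Anything from the inside that did not set up state is refused and
# logged, instead of being left to whatever rule follows.
add 30 deny log tcp from $net to any
EOF
}

# Print the ipfw1 rule from the thread next to its ipfw2 translation.
compare_spellings() {
    old="add 20 allow tcp from $1 to any keep-state limit src-addr $2"
    printf 'ipfw1: %s\nipfw2: %s\n' "$old" "$(ipfw1_to_ipfw2 "$old")"
}

# Write the ruleset to a file and load it only when ipfw is available
# (FreeBSD with ipfw in the kernel); elsewhere just leave the file behind.
load_ruleset() {
    f=$(mktemp) || return 1
    gen_ruleset "$1" "$2" > "$f"
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -q "$f"
    else
        echo "ipfw not found; ruleset left in $f" >&2
    fi
}

compare_spellings 192.0.2.0/24 10
gen_ruleset 192.0.2.0/24 10
```

Both the `log` keyword on rule 30 and the "drop session ... too many entries" message in the quoted patch are printed only when the firewall is verbose (sysctl net.inet.ip.fw.verbose set to a non-zero value), and the total number of dynamic rules is bounded by net.inet.ip.fw.dyn_max, so a per-source cap of 10 on a large inside network still needs dyn_max sized to match.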



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1063580447.3f64f31f3064f>