From owner-freebsd-questions@FreeBSD.ORG Sun Sep 14 16:00:52 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 347D816A4BF for ; Sun, 14 Sep 2003 16:00:52 -0700 (PDT)
Received: from ecserv7.uwaterloo.ca (ecserv7.uwaterloo.ca [129.97.50.127]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B39743FA3 for ; Sun, 14 Sep 2003 16:00:48 -0700 (PDT) (envelope-from bruce@engmail.uwaterloo.ca)
Received: from ecserv7.uwaterloo.ca (localhost.uwaterloo.ca [127.0.0.1]) h8EN0ljA044753; Sun, 14 Sep 2003 19:00:47 -0400 (EDT) (envelope-from bruce@engmail.uwaterloo.ca)
Received: (from www@localhost) by ecserv7.uwaterloo.ca (8.12.6p2/8.12.6/Submit) id h8EN0ll3044752; Sun, 14 Sep 2003 19:00:47 -0400 (EDT) (envelope-from bruce@engmail.uwaterloo.ca)
X-Authentication-Warning: ecserv7.uwaterloo.ca: www set sender to bruce@engmail.uwaterloo.ca using -f
Received: from 65.93.98.147 ( [65.93.98.147]) HTTP; Sun, 14 Sep 2003 19:00:47 -0400
Message-ID: <1063580447.3f64f31f3064f@www.nexusmail.uwaterloo.ca>
Date: Sun, 14 Sep 2003 19:00:47 -0400
From: Bruce Campbell
To: Bruce Campbell
References: <1063572506.3f64d41a7e914@www.nexusmail.uwaterloo.ca>
In-Reply-To: <1063572506.3f64d41a7e914@www.nexusmail.uwaterloo.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.1 / FreeBSD-4.6.2
X-Originating-IP: 65.93.98.147
cc: freebsd-questions@freebsd.org
Subject: Re: ipfw2 loss of feature ? -- never mind...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 14 Sep 2003 23:00:52 -0000

Quoting Bruce Campbell :

>
> With ipfw1 on 4.8 I use this:
>
> ipfw add 10 check-state
> ipfw add 20 allow tcp from xxx.xxx.xxx.0/24 to any keep-state limit src-addr 10
>
> to provide stateful firewalling, and limit the number of simultaneous
> tcp sessions to 10 per client. Seems to work great.
>
> On 4.8 I tried ipfw2
>
> (kernel with options IPFW2 and rebuilt ipfw and libalias with -DIPFW2
> as instructed in "man ipfw")
>
> When I tried ipfw2, as I wanted keepalives, I get an error
> when I run "ipfw"
>
> only one of keep-state and limit is allowed
>
> How can I do both the stateful firewalling and limit
> the simultaneous sessions, with ipfw2 ?

doh, this works as expected (without the "keep-state" statement)...

ipfw add 20 allow tcp from me to any limit src-addr 2

and does the stateful stuff. Just a syntax nuance between ipfw1 and ipfw2.

>
> Thanks
>
> ----
>
> ps. As an aside, I also patch /usr/src/sys/netinet/ip_fw.c to
> be more verbose when it drops a session...
>
> --- ip_fw.c Sun Sep 14 15:33:16 2003
> +++ ip_fw.old Sun Sep 14 15:31:10 2003
> @@ -999,9 +999,7 @@ > if (fw_verbose && last_log != time_second) { > last_log = time_second; > log(LOG_SECURITY | LOG_DEBUG, > - "drop session 0x%08x %u -> 0x%08x %u, TOO many entries > \n", > - (args->f_id.src_ip), (args->f_id.src_port), > - (args->f_id.dst_ip), (args->f_id.dst_port)); > + "drop session, too many entries\n"); > } > return 1; > } > > > -- > Bruce Campbell > Engineering Computing > CPH-2374B > University of Waterloo > (519)888-4567 ext 5889 > > ---------------------------------------- > This mail sent through www.mywaterloo.ca > -- Bruce Campbell Engineering Computing CPH-2374B University of Waterloo (519)888-4567 ext 5889 ---------------------------------------- This mail sent through www.mywaterloo.ca
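Review bot: the diff is taken in the wrong direction. The header pair `--- ip_fw.c Sun Sep 14 15:33:16 2003` / `+++ ip_fw.old Sun Sep 14 15:31:10 2003` names the edited file first and the original second, so the `-` lines (the detailed `"drop session 0x%08x %u -> 0x%08x %u, ..."` message with the `args->f_id` source/destination fields) are the ones actually being added, and anyone feeding this hunk to patch(1) would get the opposite of what the text announces, replacing the detailed message with the bare `"drop session, too many entries\n"`. Regenerate it as `diff -u ip_fw.old ip_fw.c` (original first) before sharing. The content is the right direction for an operator: the `last_log != time_second` guard already keeps this to one line per second, so logging which client and destination port hit the `limit` costs nothing and is what makes the message actionable when a host starts exhausting its session quota.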
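The exchange above turns on one fact about ipfw2: `limit src-addr N` already creates a dynamic (stateful) entry for every new flow, so adding `keep-state` is redundant and the parser rejects it, while the `check-state` rule still matches packets of the established sessions. The following Python model is an added example, not FreeBSD's ip_fw.c and not the author's patch; it mirrors only the behaviour the thread describes (per-source session cap, stateful pass-through, and a refusal message carrying the flow's addresses and ports, throttled to one line per second as the kernel's `last_log` check does). Class and function names, and the TEST-NET addresses, are constructed for the example.

```python
"""Toy model of an ipfw2 ``limit src-addr N`` rule (added example, not FreeBSD code).

``limit`` installs a dynamic entry for each new flow, exactly as ``keep-state``
would (hence "only one of keep-state and limit is allowed"), and refuses a new
flow once its source address already owns N entries.  The refusal message
records the 4-tuple of the refused flow, throttled to one line per second.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Counter as CounterT, List, Set


@dataclass(frozen=True)
class FlowId:
    """The 4-tuple ipfw keys its dynamic rules on (protocol fixed to TCP here)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class LimitRule:
    """``allow tcp from <net> to any limit src-addr <max_per_src>`` in miniature."""
    max_per_src: int
    fw_verbose: bool = True
    dyn: Set[FlowId] = field(default_factory=set)        # dynamic rule table
    per_src: CounterT[str] = field(default_factory=Counter)
    last_log: int = -1                                    # second of the last log line
    logged: List[str] = field(default_factory=list)       # stand-in for log(9) output

    def check_state(self, f: FlowId) -> bool:
        """``check-state``: a packet belonging to an existing dynamic entry passes."""
        return f in self.dyn

    def new_flow(self, f: FlowId, now: int) -> bool:
        """First packet of a flow reaches the rule: create the dynamic entry unless
        the source address is already at its limit.  Returns True if allowed."""
        if f in self.dyn:
            return True
        if self.per_src[f.src_ip] >= self.max_per_src:
            # Same one-message-per-second throttle as the kernel's last_log check.
            if self.fw_verbose and self.last_log != now:
                self.last_log = now
                self.logged.append(
                    "drop session %s %u -> %s %u, too many entries"
                    % (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
                )
            return False
        self.dyn.add(f)
        self.per_src[f.src_ip] += 1
        return True

    def expire(self, f: FlowId) -> None:
        """Dynamic entry timed out (or the session closed): free the slot."""
        if f in self.dyn:
            self.dyn.discard(f)
            self.per_src[f.src_ip] -= 1


def simulate(max_per_src: int = 2) -> dict:
    """Drive the model with constructed flows and return the observable results."""
    rule = LimitRule(max_per_src)
    # Constructed addresses (TEST-NET-1 / TEST-NET-2), not from the mail.
    client, other, server = "192.0.2.10", "192.0.2.11", "198.51.100.1"
    flows = [FlowId(client, 40000 + i, server, 22) for i in range(4)]
    # Four new flows from one client within the same second: with the default
    # limit of 2 the third and fourth are refused, but only one line is logged.
    decisions = [rule.new_flow(f, now=100) for f in flows]
    stateful = rule.check_state(flows[0])            # established flow passes check-state
    unaffected = rule.new_flow(FlowId(other, 5000, server, 22), now=100)  # other client
    rule.expire(flows[0])                            # one session ends...
    after_expire = rule.new_flow(flows[3], now=101)  # ...and the client may open another
    return {
        "decisions": decisions,
        "stateful": stateful,
        "unaffected": unaffected,
        "after_expire": after_expire,
        "log": list(rule.logged),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The `per_src` counter is what `limit src-addr` adds on top of plain `keep-state`; everything else (the dynamic table, `check-state`, expiry) is the same machinery, which is why the two keywords cannot be combined on one rule.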