Date:      Sat, 30 Mar 2002 11:49:12 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "FBSDQ" <questions@FreeBSD.ORG>
Subject:   FBSD 4.5  ipfw new option limit
Message-ID:  <LPBBIGIAAKKEOEJOLEGOOEJECMAA.barbish@a1poweruser.com>

In FBSD version 4.5 there is a new ipfw rule option called limit.
Below is the man page on this option.

*******************************************************************
limit {src-addr | src-port | dst-addr | dst-port} N
    The firewall will only allow N connections with the same
    set of parameters as specified in the rule.  One or more
    of source and destination addresses and ports can be
    specified.

To limit the number of connections a user can open you can use the
following type of rules:

  ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
  ipfw add allow tcp from any to me setup limit src-addr 4

The former (assuming it runs on a gateway) will allow each host on a /24
network to open at most 10 TCP connections.  The latter can be placed on
a server to make sure that a single client does not use more than 4
simultaneous connections.
*******************************************************************

I find it hard to comprehend what the author is trying to say with this verbiage.
Using this example:

ipfw add allow tcp from any to me setup limit src-addr 4

Is it saying that for each unique IP address in the src IP
address field it will allow up to 4 simultaneous connections?
So I would see

src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.11  rejected

or would I see

src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.11  rejected
src_ip_addr 122.33.45.12  rejected
src_ip_addr 122.33.45.12  rejected
src_ip_addr 122.33.45.11  rejected
src_ip_addr 122.33.45.11  rejected

How does limit know when a packet has completed so as to remove it from the
count?

I guess the real question is what is the limit option really doing and how
does it do it?
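An added illustration of the behaviour being asked about (this is a toy model written for this archive page, not ipfw's own code). It plays the poster's rule, `ipfw add allow tcp from any to me setup limit src-addr 4`, against the two candidate packet sequences above: the `setup` keyword matches only a TCP SYN, each matching SYN installs a dynamic rule for that flow, and the limit is enforced by counting the dynamic rules that share the same limit key (here the source address), so the count is kept per source address. Slots are not freed when a packet "completes"; the dynamic rule is reaped after a lifetime that depends on the last state seen (a FIN or RST shortens it), which the real kernel tunes through the `net.inet.ip.fw.dyn_*_lifetime` sysctls. The lifetime numbers, addresses and ports below are constructed for the example and are not FreeBSD defaults.

```python
"""Toy model of ipfw's 'limit src-addr N' (added example, not ipfw code)."""
from collections import defaultdict

# Assumed lifetimes (seconds) for a dynamic rule after the given packet type.
# Illustrative values only; FreeBSD tunes the real ones via sysctl.
LIFETIME = {"SYN": 20, "ACK": 300, "FIN": 1, "RST": 1}


class LimitRule:
    """One 'allow tcp from any to me setup limit <key> N' rule."""

    def __init__(self, key="src-addr", limit=4):
        self.key = key        # src-addr | src-port | dst-addr | dst-port
        self.limit = limit
        # limit-key value -> {flow 4-tuple: expiry time}
        self.dynamic = defaultdict(dict)

    @staticmethod
    def flow(pkt):
        return (pkt["src-addr"], pkt["src-port"], pkt["dst-addr"], pkt["dst-port"])

    def sweep(self, now):
        """Drop expired dynamic rules (the kernel reaps them lazily too)."""
        for k in list(self.dynamic):
            self.dynamic[k] = {f: t for f, t in self.dynamic[k].items() if t > now}
            if not self.dynamic[k]:
                del self.dynamic[k]

    def filter(self, pkt, now=0):
        """Return the verdict ipfw would give this packet at time 'now'."""
        self.sweep(now)
        table = self.dynamic[pkt[self.key]]
        f = self.flow(pkt)
        if pkt["flags"] == "SYN":                      # 'setup' matches here only
            if f not in table and len(table) >= self.limit:
                return "rejected"                      # key already has N flows
            table[f] = now + LIFETIME["SYN"]           # install dynamic rule
            return "accept"
        if f in table:                                 # packet of a tracked flow
            table[f] = now + LIFETIME[pkt["flags"]]    # FIN/RST shortens lifetime
            return "accept"
        return "rejected"                              # no dynamic rule for it


def replay(rule, src_addrs, start_port=40000, now=0):
    """Send one new SYN (fresh source port) per address; return the verdicts."""
    verdicts = []
    for i, src in enumerate(src_addrs):
        pkt = {"src-addr": src, "src-port": start_port + i,
               "dst-addr": "me", "dst-port": 80, "flags": "SYN"}
        verdicts.append(rule.filter(pkt, now))
    return verdicts


def close_and_retry(limit=4):
    """Show how a slot is freed: FIN shortens the dynamic rule's lifetime, and
    a new connection from that host is accepted only after it has expired."""
    host = "122.33.45.11"
    rule = LimitRule("src-addr", limit)
    replay(rule, [host] * limit, start_port=40000, now=0)   # fills every slot

    def syn(port, now):
        return rule.filter({"src-addr": host, "src-port": port,
                            "dst-addr": "me", "dst-port": 80,
                            "flags": "SYN"}, now)

    # the client tears down its first connection at t=10
    rule.filter({"src-addr": host, "src-port": 40000, "dst-addr": "me",
                 "dst-port": 80, "flags": "FIN"}, now=10)
    before = syn(50000, now=10)   # still 4 dynamic rules -> rejected
    after = syn(50001, now=12)    # FIN'd rule expired at t=11 -> accept
    return before, after


if __name__ == "__main__":
    # The poster's sequence: the first listing is what the model produces.
    sequence = ["122.33.45.11", "122.33.45.12", "122.33.45.12",
                "122.33.45.11", "122.33.45.11", "122.33.45.12",
                "122.33.45.12", "122.33.45.11", "122.33.45.11"]
    for src, verdict in zip(sequence, replay(LimitRule("src-addr", 4), sequence)):
        print(f"src_ip_addr {src}  {verdict}")
    print("after FIN, retry at t=10 then t=12:", close_and_retry())
```

Running the block reproduces the first of the two listings (the fifth SYN from 122.33.45.11 is the only rejection, because 122.33.45.12 has its own count of four), and then shows a slot for that host reopening once the closed flow's dynamic rule has expired.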
