From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 14 21:01:26 2005
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DF1516A4CE for ; Mon, 14 Mar 2005 21:01:26 +0000 (GMT)
Received: from callahan.capri.pl (callahan.capri.pl [217.149.242.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21AEB43D53 for ; Mon, 14 Mar 2005 21:01:25 +0000 (GMT) (envelope-from mk@capri.pl)
Received: from [192.168.1.2] (dsy186.neoplus.adsl.tpnet.pl [83.24.236.186]) (authenticated bits=0) by callahan.capri.pl (8.13.3/8.13.3) with ESMTP id j2EL1KRL040724 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 14 Mar 2005 22:01:21 +0100 (CET) (envelope-from mk@cml.mfk.net.pl)
Message-ID: <4235FBA0.6050309@cml.mfk.net.pl>
Date: Mon, 14 Mar 2005 22:01:20 +0100
From: Michal Konieczny
User-Agent: Mozilla Thunderbird 0.9 (X11/20041127)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Content-Transfer-Encoding: 7bit
Subject: limit src-addr passes more connections than prescribed
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 14 Mar 2005 21:01:26 -0000

Hello,

Recently I had to limit the number of connections to my www server for some static content, due to abusive use of download managers by some of the users. So I've set up something like this:

    ipfw add check-state ....
    ipfw add allow tcp from any to a.b.c.d www in via fxp0 setup limit src-addr 5

Quite obvious, according to the ipfw man page. It works - in some way: I no longer see 100+ connections from a single IP address, but there are often more than 5 connections in the ESTABLISHED state from a single IP address - from random checks I've seen up to 20+ such connections.
An order of magnitude better than before without the limit, but something seems wrong here to me. The system in question is FreeBSD 5.3 cvsup'ed to the latest 5.3-STABLE (this is a production-stage machine). Am I missing something, have I not configured it properly, or maybe this has its reasons?

Best regards,
--
Michal Konieczny
mk@cml.mfk.net.pl
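The check a practitioner would run before concluding that `limit src-addr` is broken, as an added example that is not part of the original post and not ipfw's own code: `limit src-addr 5` bounds the number of dynamic LIMIT entries ipfw holds for a source address, not the number of TCP connections the kernel has in the ESTABLISHED state. A dynamic entry for an established TCP session is dropped after `net.inet.ip.fw.dyn_ack_lifetime` seconds (300 by default) without traffic, while the TCP connection itself can stay ESTABLISHED much longer; a connection that has outlived its entry is no longer counted against the limit, and what happens to its remaining packets depends on the rules that follow the limit rule. The script below reads `ipfw -d show` and `netstat -n -p tcp` output and prints both counts per client address so the two can be compared. The sample outputs, the client addresses and the server address 192.0.2.1 are constructed; fxp0 is the interface name from the post.

```shell
#!/bin/sh
# Added example, not from the original post: compare ipfw's dynamic LIMIT
# entries per client address with the kernel's ESTABLISHED connections per
# client address. Sample data below is constructed (server 192.0.2.1,
# clients 192.0.2.10 and 198.51.100.7); fxp0 is the interface from the post.

# Sysctls to read on the firewall: dyn_ack_lifetime (default 300 s) is how long
# an idle established-TCP dynamic entry survives; dyn_count/dyn_max show how
# full the dynamic rule table is.
lifetime_sysctls() {
    printf '%s\n' net.inet.ip.fw.dyn_ack_lifetime net.inet.ip.fw.dyn_syn_lifetime \
        net.inet.ip.fw.dyn_fin_lifetime net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
}

# Constructed "ipfw -d show" output in the FreeBSD 5.x layout: the static rules
# first, then the dynamic entries created by the limit rule.
sample_ipfw_dyn() {
    cat <<'EOF'
00100       0        0 check-state
00200      12     9800 allow tcp from any to 192.0.2.1 dst-port 80 in via fxp0 setup limit src-addr 5
## Dynamic rules (4):
00200       3      240 (287s) LIMIT tcp 192.0.2.10 40001 <-> 192.0.2.1 80
00200       5     6100 (299s) LIMIT tcp 192.0.2.10 40002 <-> 192.0.2.1 80
00200       2      160 (12s) LIMIT tcp 192.0.2.10 40003 <-> 192.0.2.1 80
00200       4     1900 (290s) LIMIT tcp 198.51.100.7 51000 <-> 192.0.2.1 80
EOF
}

# Constructed "netstat -n -p tcp" output: 192.0.2.10 holds 8 ESTABLISHED
# connections although only 3 dynamic entries remain for it above.
sample_netstat() {
    cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.1.80           192.0.2.10.40001       ESTABLISHED
tcp4       0      0  192.0.2.1.80           192.0.2.10.40002       ESTABLISHED
tcp4       0      0  192.0.2.1.80           192.0.2.10.40003       ESTABLISHED
tcp4       0      0  192.0.2.1.80           192.0.2.10.40004       ESTABLISHED
tcp4       0      0  192.0.2.1.80           192.0.2.10.40005       ESTABLISHED
tcp4       0      0  192.0.2.1.80           192.0.2.10.40006       ESTABLISHED
tcp4       0      0  192.0.2.1.80           192.0.2.10.40007       ESTABLISHED
tcp4       0      0  192.0.2.1.80           192.0.2.10.40008       ESTABLISHED
tcp4       0      0  192.0.2.1.80           192.0.2.10.40009       TIME_WAIT
tcp4       0      0  192.0.2.1.80           198.51.100.7.51000     ESTABLISHED
EOF
}

# Number of dynamic LIMIT entries for client $1; reads "ipfw -d show" on stdin.
# Dynamic lines look like: 00200 3 240 (287s) LIMIT tcp <src> <sport> <-> <dst> <dport>
limit_entries_for() {
    awk -v a="$1" '$5 == "LIMIT" && $6 == "tcp" && $7 == a { n++ } END { print n+0 }'
}

# Number of ESTABLISHED connections from client $1; reads netstat output on stdin.
# The foreign address column is addr.port, so strip the trailing port field.
established_for() {
    awk -v a="$1" '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        split($5, f, "."); src = f[1] "." f[2] "." f[3] "." f[4]
        if (src == a) n++
    } END { print n+0 }'
}

# Side-by-side report for every client address seen in either input. The two
# outputs can be fed concatenated: ipfw lines never start with "tcp" and
# netstat lines never carry a LIMIT tag, so the patterns do not collide.
report() {
    awk '$5 == "LIMIT" && $6 == "tcp" { lim[$7]++; seen[$7] = 1 }
         $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
             split($5, f, "."); a = f[1] "." f[2] "." f[3] "." f[4]
             est[a]++; seen[a] = 1 }
         END { for (a in seen)
                   printf "%s limit-entries=%d established=%d\n", a, lim[a]+0, est[a]+0 }' | sort
}

# Demo on the constructed data. On a real box replace the two sample functions
# with:  { ipfw -d show; netstat -n -p tcp; } | report
{ sample_ipfw_dyn; sample_netstat; } | report
```

A client whose `established` count exceeds its `limit-entries` count has connections that are no longer tracked by the limit rule; reading `net.inet.ip.fw.dyn_ack_lifetime` with `sysctl` and looking at the remaining lifetimes in the `(…s)` column of `ipfw -d show` tells you whether entries are expiring while the sessions stay open.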