From owner-freebsd-stable  Thu Feb  7  0:45:39 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80])
	by hub.freebsd.org (Postfix) with ESMTP id 1531837B422
	for <stable@freebsd.org>; Thu,  7 Feb 2002 00:45:33 -0800 (PST)
Received: (from eugen@localhost)
	by www.svzserv.kemerovo.su (8.11.6/8.11.6) id g178jTx93009
	for stable@freebsd.org; Thu, 7 Feb 2002 15:45:29 +0700 (KRAT)
	(envelope-from eugen)
Date: Thu, 7 Feb 2002 15:45:29 +0700
From: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
To: stable@freebsd.org
Subject: ipfw limit option
Message-ID: <20020207154529.A92095@svzserv.kemerovo.su>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

Hi!

I'm trying to utilize ipfw limit option with 4.5-STABLE.
Till now I had stateless ipfw configuration that worked fine.

Now I need to limit one of my TCP services with only 5 sessions 
per IP. The service itself has global limit of 50 simultaneous
connections but cannot limit the number of connections per IP.
And it is abused.

I have following rules for the service bound to TCP port 8888:

$fwcmd add 60130 pipe 3 tcp from $my_ip 8888 to any # for traffic shaping
$fwcmd add 60135 allow tcp from any to $my_ip 8888 

Now I changed rule 60135 to
$fwcmd add 60135 allow tcp from any to $my_ip 8888 limit src-addr 5

This work basically, but:

1. Sometimes I see 8 connections per 1 ip, 6 are ESTABLESHED and 
   2 are CLOSE_WAIT. That does not bothers me too much but it shows:
   that code is not very exact.

2. The kernel fills my logs and console with TONS of messages:

Feb  7 15:11:32 <kern.crit> www /kernel: OUCH! cannot remove rule, count 2
Feb  7 15:11:32 <kern.crit> www /kernel: drop session, too many entries
Feb  7 15:11:32 <kern.crit> www last message repeated 3 times
Feb  7 15:11:33 <kern.crit> www /kernel: OUCH! cannot remove rule, count 2
Feb  7 15:11:33 <kern.crit> www /kernel: drop session, too many entries
Feb  7 15:11:34 <kern.crit> www last message repeated 80 times

And so on. That's not what I expect to receive. How can 'drop session'
messages be silenced? And what do 'OUCH!' messages mean?

Eugene Grosbein

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message