Date: Sun, 15 Apr 2007 22:06:37 +0200
From: Ivan Voras <ivoras@fer.hr>
To: freebsd-net@freebsd.org
Subject: ipfw, keep-state and limit
Message-ID: <evu0kp$9u9$1@sea.gmane.org>

I think I need to start filtering based on simultaneous connections from source IP addresses because of some abuse that's apparently going on, so, as I'm already using ipfw, I tried this:

    # ipfw add 6079 allow tcp from any to me 80 setup keep-state limit src-addr 10

To which ipfw replied:

    ipfw: only one of keep-state andlimit is allowed

(including the "andlimit" typo).

What I'm trying to do makes sense to me (and seems straightforward to implement, at least semantically): allow connections to port 80 with dynamic keep-state rules for individual clients, but allow only 10 connections from the same address.

Is this a limitation in ipfw? Any suggestions? This is a 6-STABLE PAE+SMP machine.