From: Ivan Voras
To: freebsd-net@freebsd.org
Date: Sun, 15 Apr 2007 22:06:37 +0200
Subject: ipfw, keep-state and limit
List-Id: Networking and TCP/IP with FreeBSD

I think I need to start filtering based on simultaneous connections from source IP addresses because of some abuse that's apparently going on, so, as I'm already using ipfw, I tried this:

    # ipfw add 6079 allow tcp from any to me 80 setup keep-state limit src-addr 10

To which ipfw replied:

    ipfw: only one of keep-state andlimit is allowed

(including the "andlimit" typo).

What I'm trying to do makes sense to me (and seems straightforward to implement, at least semantically): allow connections to port 80 with dynamic keep-state rules for individual clients, but allow only 10 connections from the same address.

Is this a limitation in ipfw? Any suggestions?

This is a 6-STABLE PAE+SMP machine.
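As an added example (not from the post and not ipfw's own code), the Python model below shows the semantics the rule above is after, on the documented assumption that ipfw's "limit" option creates a per-flow dynamic entry for every matching setup packet just as "keep-state" does, and refuses a new setup once N such entries exist for the source address. The class names, the constructed traffic and the addresses are all assumptions made for the illustration.

```python
# Added example (not from the post or from FreeBSD): a simplified model of an
# ipfw "limit src-addr N" rule. Assumption: the limit rule itself tracks each
# flow as a dynamic entry (which is what keep-state adds), so it subsumes
# keep-state; a new setup is refused once N entries exist for that source.
from dataclasses import dataclass, field

LIMIT_PER_SRC = 10  # the "limit src-addr 10" value from the rule in the post


@dataclass
class LimitRule:
    limit: int = LIMIT_PER_SRC
    # dynamic entries, keyed by (src, sport, dst, dport)
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def per_src(self, src):
        return sum(1 for f in self.flows if f[0] == src)

    def setup(self, src, sport, dst="me", dport=80):
        """A TCP SYN (ipfw 'setup') from src:sport. Returns 'allow' or 'deny'."""
        key = (src, sport, dst, dport)
        if key in self.flows:          # retransmitted SYN of a flow already tracked
            return "allow"
        if self.per_src(src) >= self.limit:
            self.log.append(f"deny setup {src}:{sport} (limit {self.limit} reached)")
            return "deny"
        self.flows.add(key)            # the dynamic entry keep-state would also create
        return "allow"

    def close(self, src, sport, dst="me", dport=80):
        """Flow finished (FIN/RST or idle timeout): drop its dynamic entry."""
        self.flows.discard((src, sport, dst, dport))


def simulate():
    """Constructed traffic: one client opens 12 connections, closes one, retries."""
    rule = LimitRule()
    results = [rule.setup("192.0.2.10", 40000 + i) for i in range(12)]
    rule.close("192.0.2.10", 40000)                    # one connection finishes
    results.append(rule.setup("192.0.2.10", 40012))    # fits under the limit again
    results.append(rule.setup("198.51.100.7", 50000))  # another host is unaffected
    return results, rule


if __name__ == "__main__":
    res, r = simulate()
    print(res)
    print(*r.log, sep="\n")
```

The two "deny" results are the 11th and 12th setups from the same address; after one flow closes, the next setup from that address is admitted again.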