Date: Sat, 17 Aug 2002 13:10:03 -0700 (PDT)
From: Josh Paetzel <friar_josh@webwarrior.net>
To: freebsd-doc@FreeBSD.org
Subject: Re:docs/36642 (4.5 man page on ipfw new option limit is way to vague.)
Message-ID: <200208172010.g7HKA339078102@freefall.freebsd.org>
The following reply was made to PR docs/36642; it has been noted by GNATS.
From: Josh Paetzel <friar_josh@webwarrior.net>
To: freebsd-gnats-submit@freebsd.org
Cc: barbish@poweruser.com
Subject: Re:docs/36642 (4.5 man page on ipfw new option limit is way to
vague.)
Date: 17 Aug 2002 14:58:43 +0000
<I find this verbiage hard to comprehend what the author is trying to
<say.
<using this example
<ipfw add allow tcp from any to me setup limit src-addr 4
<Is it saying that for each unique ip address in the src ip
<address field it will allow up to 4 simultaneous connections.
Look at the example in the man page:
The latter can be placed on a server to make sure that a single client
does not use more than 4 simultaneous connections.
>So I would see
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.11 rejected
>or would I see
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.11 rejected
>src_ip_addr 122.33.45.12 rejected
>src_ip_addr 122.33.45.12 rejected
>src_ip_addr 122.33.45.11 rejected
>src_ip_addr 122.33.45.11 rejected
Well, according to the example in the man page, you would see what's
behind door number 1.
>How does Limit know when a packet has completed so as the remove it
>from the count?
One would assume that it uses a process similar or identical to natd.
It keeps a table of active connections.
>The real question is what is the limit option really doing and
>how does he do it?
Limit is allowing ipfw a new way to tune their network's reaction under
load, and/or allowing administrators more granularity in their
filtering, (e.g. We only want 4 of our techs using irc at any one time.)
I don't agree that a man page should explain every little detail about
its inner workings. There are plenty of binaries that have been around
for years with less documentation than this.
I recommend we close this pr out.
Josh
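
Added example, not part of the original message and not ipfw code: a toy Python model of the two readings of `limit src-addr 4` from the question, run over the same order of connection attempts. The class and function names are hypothetical, and the `close()` step assumes, as the reply guesses, that finished connections leave a table of active connections.

```python
from collections import Counter

LIMIT = 4  # from the rule on the page: ... setup limit src-addr 4

# Constructed input: the order of connection attempts listed in the question.
ATTEMPTS = [
    "122.33.45.11", "122.33.45.12", "122.33.45.12", "122.33.45.11",
    "122.33.45.11", "122.33.45.12", "122.33.45.12", "122.33.45.11",
    "122.33.45.11",
]

class SrcAddrLimiter:
    """Toy model of a per-source-address connection limit (hypothetical)."""

    def __init__(self, limit):
        self.limit = limit
        self.active = Counter()  # source address -> open connections

    def setup(self, src):
        """A new connection attempt from src."""
        if self.active[src] >= self.limit:
            return "rejected"
        self.active[src] += 1
        return "accept"

    def close(self, src):
        """Assumption: a finished connection leaves the table, freeing a slot."""
        if self.active[src] > 0:
            self.active[src] -= 1

def per_source(attempts, limit=LIMIT):
    """First reading: each source address gets its own count."""
    limiter = SrcAddrLimiter(limit)
    return [limiter.setup(src) for src in attempts]

def global_cap(attempts, limit=LIMIT):
    """Second reading: 4 connections in total, whatever the source."""
    return ["accept" if i < limit else "rejected" for i in range(len(attempts))]

def slot_reuse():
    """A fifth attempt is rejected, then accepted once one connection closes."""
    limiter = SrcAddrLimiter(LIMIT)
    src = "122.33.45.11"
    results = [limiter.setup(src) for _ in range(5)]
    limiter.close(src)
    return results[-1], limiter.setup(src)

if __name__ == "__main__":
    for src, a, b in zip(ATTEMPTS, per_source(ATTEMPTS), global_cap(ATTEMPTS)):
        print(f"{src}  per-source={a:8}  global={b}")
```

The per-source column reproduces the first listing in the question (eight accepts, then the fifth connection from 122.33.45.11 rejected), and the global column reproduces the second.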
