Date: Sat, 17 Aug 2002 13:10:03 -0700 (PDT)
From: Josh Paetzel <friar_josh@webwarrior.net>
To: freebsd-doc@FreeBSD.org
Subject: Re:docs/36642 (4.5 man page on ipfw new option limit is way to vague.)
Message-ID: <200208172010.g7HKA339078102@freefall.freebsd.org>
The following reply was made to PR docs/36642; it has been noted by GNATS.

From: Josh Paetzel <friar_josh@webwarrior.net>
To: freebsd-gnats-submit@freebsd.org
Cc: barbish@poweruser.com
Subject: Re:docs/36642 (4.5 man page on ipfw new option limit is way to vague.)
Date: 17 Aug 2002 14:58:43 +0000

<I find this verbiage hard to comprehend what the author is trying to
<say.
<using this example
<ipfw add allow tcp from any to me setup limit src-addr 4
<Is it saying that for each unique ip address in the src ip
<address field it will allow up to 4 simultaneous connections.

Look at the example in the man page:

The latter can be placed on a server to make sure that a single
client does not use more than 4 simultaneous connections.

>So I would see
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.11 rejected
>or would I see
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.12 accept
>src_ip_addr 122.33.45.11 accept
>src_ip_addr 122.33.45.11 rejected
>src_ip_addr 122.33.45.12 rejected
>src_ip_addr 122.33.45.12 rejected
>src_ip_addr 122.33.45.11 rejected
>src_ip_addr 122.33.45.11 rejected

Well, according to the example in the man page, you would see what's
behind door number 1.

>How does Limit know when a packet has completed so as to remove it
>from the count?

One would assume that it uses a process similar or identical to natd.
It keeps a table of active connections.

>The real question is what is the limit option really doing and
>how does he do it?

Limit is allowing ipfw a new way to tune their network's reaction under
load, and/or allowing administrators more granularity in their
filtering (e.g. We only want 4 of our techs using irc at any one time.)

I don't agree that a man page should explain every little detail about
its inner workings. There are plenty of binaries that have been around
for years with less documentation than this. I recommend we close this
pr out.

Josh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message
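Added example, not part of the original message and not ipfw code: a small Python model that replays the nine connection attempts quoted above under the two readings the submitter asks about, a limit of 4 per source address and a single shared limit of 4. The class and function names are hypothetical, and the table of active connections is the assumption made in the reply, not a description of ipfw's internals.

```python
from collections import Counter


class ConnLimit:
    """Toy model of a connection limit backed by a table of active connections."""

    def __init__(self, limit, per_source=True):
        self.limit = limit
        self.per_source = per_source
        self.active = Counter()  # table key -> number of open connections

    def _key(self, src):
        # Per-source: one counter per address. Shared: one counter for all.
        return src if self.per_source else "*"

    def setup(self, src):
        """New TCP setup from src; returns 'accept' or 'rejected'."""
        key = self._key(src)
        if self.active[key] >= self.limit:
            return "rejected"
        self.active[key] += 1
        return "accept"

    def close(self, src):
        """A connection from src ends, so its slot is removed from the count."""
        key = self._key(src)
        if self.active[key] > 0:
            self.active[key] -= 1


def replay(sources, limit=4, per_source=True):
    """Run the connection attempts in order and return one verdict per attempt."""
    rule = ConnLimit(limit, per_source)
    return [rule.setup(src) for src in sources]


# The nine attempts listed in the message, in the order they appear there.
A, B = "122.33.45.11", "122.33.45.12"
ATTEMPTS = [A, B, B, A, A, B, B, A, A]

if __name__ == "__main__":
    for label, per_source in (("per source address", True), ("shared", False)):
        print(f"limit 4, {label}:")
        for src, verdict in zip(ATTEMPTS, replay(ATTEMPTS, 4, per_source)):
            print(f"  src_ip_addr {src} {verdict}")
```

The per-source run reproduces the first listing in the message and the shared run reproduces the second.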