From: Mark
To: freebsd-questions@freebsd.org
Date: Mon, 02 Aug 2004 16:02:53 GMT
Subject: Re: One OR MORE of source and destination addresses?

Mark wrote:
> Color me confused. The ipfw manual says:
>
> limit {src-addr | src-port | dst-addr | dst-port} N
> The firewall will only allow N connections with the same set of
> parameters as specified in the rule. One or more of source and
> destination addresses and ports can be specified.
>
> If "One or more of source and destination addresses and ports can be
> specified", then I'd like to limit both the total amount of
> connections, as well as per-src. Something like this:
>
> ipfw check-state
> ipfw add allow tcp from any to me 25 setup limit dst-addr 32 src-addr 8
>
> The error I get is:
>
> "ipfw: only one of keep-state and limit is allowed"
>
> So, how can I specify "One OR MORE of source and destination
> addresses" in the rule to achieve this effect?

Thanks for your reply.

JJB wrote:
> Like the manual says, you can not code both options on a single rule. You
> have to make 2 rules out of it.
>
> state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
> state ipfw add allow tcp from any to me 25 setup limit src-addr 8

Actually, that is what I had already done:

ipfw add 10 check-state
ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 check-state
ipfw add 13 allow tcp from any to me 25 setup limit src-addr 4

But it seems I never get to rule 12/13. All "ipfw show" shows is activity on rule 10/11. That is why I figured I made an error somewhere. Does not rule 11, indeed, function as an 'early-out'? (undesired).

Thanks,

- Mark
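Added illustration, not part of the thread and not ipfw code: a small first-match model of the four rules from the post, assuming ipfw(8)'s documented behaviour that evaluation stops at the first matching rule and that a `limit` rule creates one dynamic state per flow. The constructed traffic shows why rule 13 never appears in the counters, and that swapping the two pairs only changes which single limit is enforced.

```python
from collections import defaultdict

# Constructed rule set with the same numbers and limits as in the post.
RULES = [
    (10, "check-state", None, None),
    (11, "allow", "dst-addr", 32),
    (12, "check-state", None, None),
    (13, "allow", "src-addr", 4),
]

def simulate(syns, rules=RULES):
    """Run TCP SYNs (src, sport, dst) through the rules, first match wins.
    Returns (packet hits per rule, flows refused by a limit). Model:
    check-state matches only an already existing dynamic state; an
    `allow ... limit` rule matches the SYN, compares the number of states
    sharing its key with N, then either refuses the SYN or creates a state.
    Either way evaluation ends at that rule."""
    hits = defaultdict(int)        # packet counters, as shown by `ipfw show`
    states = set()                 # dynamic rules, keyed by the full flow
    per_key = defaultdict(int)     # (rule, key value) -> states it created
    refused = []
    for src, sport, dst in syns:
        flow = (src, sport, dst)
        for num, action, key, n in rules:
            if action == "check-state":
                if flow in states:
                    hits[num] += 1
                    break
                continue
            hits[num] += 1         # the first limit rule sees every new SYN
            kv = src if key == "src-addr" else dst
            if flow not in states:
                if per_key[(num, kv)] >= n:
                    refused.append(flow)   # over the limit: dropped here
                else:
                    per_key[(num, kv)] += 1
                    states.add(flow)
            break                  # first match: later rules are never reached
    return dict(hits), refused

# Constructed traffic: six connections from one client to port 25, then a
# retransmitted SYN of the first one (it matches state at the first check-state).
SYNS = [("10.0.0.5", 40000 + i, "192.0.2.1") for i in range(6)]
SYNS.append(("10.0.0.5", 40000, "192.0.2.1"))

if __name__ == "__main__":
    hits, refused = simulate(SYNS)
    print(hits, refused)           # rule 13 absent; nothing refused by src-addr 4
    print(simulate(SYNS, rules=RULES[2:] + RULES[:2]))  # now only rule 13 counts
```

With the post's ordering the per-source limit is never evaluated; with the pairs swapped the per-source limit refuses the fifth and sixth connections but the dst-addr total is never evaluated.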