Date: Fri, 21 Jun 2002 00:35:18 -0700
From: Luigi Rizzo
To: Terry Lambert
Cc: Giorgos Keramidas, hackers@FreeBSD.ORG
Subject: Re: Limiting clients per source IP address (ftpd, inetd, etc.)
Message-ID: <20020621003518.A77089@iguana.icir.org>
References: <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com> <20020620222032.A73450@iguana.icir.org> <3D12CE82.C6761D96@mindspring.com>
In-Reply-To: <3D12CE82.C6761D96@mindspring.com>

On Thu, Jun 20, 2002 at 11:58:10PM -0700, Terry Lambert wrote:
...
> > in fact there is an ipfw rule which does just this:
> >
> >     ipfw add allow ip from any to any limit src-addr 5
> >
> > and here you go...
>
> Can this be done per port? This is what both the FTP and the inetd
> modification movements have been about...

    ipfw add allow ip from any to any limit src-addr src-port 5

(You can select a subset of src-addr, src-port, dst-addr, dst-port as the
match mask to determine if connections belong to the same group. With the
new ipfw code that I have posted it should be trivial to extend the match
mask to use real bitmasks, so you can limit per-subnet, per port ranges,
etc.)

BTW, in terms of implementation efficiency: this limit thing uses the same
hash table used by dynamic ipfw rules. There is currently an (arbitrary)
limit of a total of 1000 dynamic entries in the table, but no reason not to
raise it much higher if you have memory.

cheers
luigi
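To make the match-mask semantics and the dynamic-table cap concrete, here is a small Python model of the `limit` behaviour described in the thread. It is an added illustration, not ipfw's code: the mask fields, the per-group limit of 5 and the 1000-entry table come from the message; treating a full table as a deny, and counting explicit closes instead of timeouts, are modelling assumptions.

```python
from collections import Counter
from typing import Iterable, Tuple

# A connection as ipfw sees it: (src_addr, src_port, dst_addr, dst_port).
Conn = Tuple[str, int, str, int]
FIELDS = ("src-addr", "src-port", "dst-addr", "dst-port")

def group_key(conn: Conn, mask: Iterable[str]) -> tuple:
    """Project a 4-tuple onto the fields named in the limit mask.
    Fields outside the mask are wildcards, so connections agreeing on the
    masked fields share one counter ("limit src-addr" = one counter per host,
    "limit src-addr src-port" = one counter per host/port pair)."""
    return tuple(v if f in mask else None for f, v in zip(FIELDS, conn))

class LimitRule:
    """Model of 'ipfw add allow ... limit <mask> <N>' backed by a bounded
    dynamic-rule table shared by all groups (dyn_max entries in total)."""
    def __init__(self, mask: Iterable[str], limit: int, dyn_max: int = 1000):
        self.mask, self.limit, self.dyn_max = tuple(mask), limit, dyn_max
        self.counts: Counter = Counter()  # open entries per group key
        self.dyn_count = 0                # entries in the shared table

    def open(self, conn: Conn) -> str:
        key = group_key(conn, self.mask)
        if self.counts[key] >= self.limit:
            return "deny"   # limit violation for this group
        if self.dyn_count >= self.dyn_max:
            return "deny"   # table full: modelled as deny (assumption)
        self.counts[key] += 1
        self.dyn_count += 1
        return "allow"

    def close(self, conn: Conn) -> None:
        """Stand-in for the entry expiring; real ipfw entries time out."""
        key = group_key(conn, self.mask)
        if self.counts[key] > 0:
            self.counts[key] -= 1
            self.dyn_count -= 1

def demo():
    # Constructed sample: one host opens six FTP control connections.
    conns = [("10.0.0.1", 40000 + i, "192.0.2.10", 21) for i in range(6)]
    per_host = LimitRule(["src-addr"], 5)
    per_host_res = [per_host.open(c) for c in conns]
    # Same traffic with src-port in the mask: every connection is its own group.
    per_pair = LimitRule(["src-addr", "src-port"], 5)
    per_pair_res = [per_pair.open(c) for c in conns]
    # The table cap is global, so four distinct hosts hit a dyn_max of 3.
    small = LimitRule(["src-addr"], 5, dyn_max=3)
    cap_res = [small.open((f"10.0.0.{i}", 1000, "192.0.2.10", 21)) for i in range(4)]
    per_host.close(conns[0])  # one entry expires, freeing a slot in the group
    return per_host_res, per_pair_res, cap_res, per_host.open(conns[5])
```

Running `demo()` shows that a per-host mask denies the sixth connection, a host/port mask never does, and the table cap refuses new entries regardless of group until something expires.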