From: "JJB" <Barbish3@adelphia.net>
To: "Mark", freebsd-questions@freebsd.org
Date: Mon, 2 Aug 2004 12:32:46 -0400
In-Reply-To: <200408021608.I72G81RM006022@asarian-host.net>
Subject: RE: One OR MORE of source and destination addresses?

Your rules are all wrong. You really need to reread the ipfw manual page info. Only one check-state rule is used. Your other check-state rule is never matched.

Here is a rewrite of the FreeBSD handbook firewall section with examples that will answer your questions.

www.a1poweruser.com/FBSD_firewall/

To get meaningful replies you have to post complete information about your system configuration with a description of your overall firewall goals.
-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mark
Sent: Monday, August 02, 2004 12:08 PM
To: freebsd-questions@freebsd.org
Subject: Re: One OR MORE of source and destination addresses?

[my apologies for the resent; my last reply had an unfortunate wrap]

Mark wrote:

> Color me confused. The ipfw manual says:
>
>     limit {src-addr | src-port | dst-addr | dst-port} N
>         The firewall will only allow N connections with the same set of
>         parameters as specified in the rule. One or more of source and
>         destination addresses and ports can be specified.
>
> If "One or more of source and destination addresses and ports can be
> specified", then I'd like to limit both the total amount of
> connections, as well as per-src. Something like this:
>
>     ipfw check-state
>     ipfw add allow tcp from any to me 25 setup limit dst-addr 32 src-addr 8
>
> The error I get is:
>
>     "ipfw: only one of keep-state and limit is allowed"
>
> So, how can I specify "One OR MORE of source and destination
> addresses" in the rule to achieve this effect?

Thanks for your reply.

JJB wrote:

> Like the manual says, you can not code both options on a single rule.
> You have to make 2 rules out of it.
>
>     state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
>     state ipfw add allow tcp from any to me 25 setup limit src-addr 8

Actually, that is what I had already done:

    ipfw add 10 check-state
    ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
    ipfw add 12 check-state
    ipfw add 13 allow tcp from any to me 25 setup limit src-addr 4

But it seems I never get to rule 12/13. All "ipfw show" shows is activity on rule 10/11. That is why I figured I made an error somewhere. Does not rule 11, indeed, function as an 'early-out'? (undesired).
Thanks,
- Mark

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
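As an added illustration (not code from this thread, from JJB's handbook rewrite, or from FreeBSD itself), here is a small Python model of how ipfw walks Mark's four rules. It assumes the documented ipfw semantics only: rules are searched in number order, check-state matches solely when a dynamic rule already exists for the flow (and is skipped otherwise), a matching allow rule terminates the search, and "limit <key> N" installs a dynamic rule keyed on the named address and drops the (N+1)th concurrent connection with that key at the rule itself. The source and destination addresses, ports and packet counts are constructed. The model reproduces the symptom Mark reports: every SYN is decided at rule 11, so rules 12 and 13 keep a zero counter and the per-source limit of 4 never engages.

```python
"""Toy model of ipfw first-match evaluation with check-state and limit rules.

Added example; it is not ipfw code and simplifies freely: only TCP SYN
("setup") packets are modelled, connections never close, and the dynamic
state is a plain set of 4-tuples.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True            # a 'setup' packet: TCP SYN without ACK


@dataclass
class Rule:
    num: int
    action: str                               # 'check-state' or 'allow'
    dport: Optional[int] = None
    setup: bool = False
    limit: Optional[Tuple[str, int]] = None   # ('src-addr' | 'dst-addr', N)
    pkts: int = 0                             # the counter `ipfw show` reports


class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        # dynamic rules: parent rule number -> limit key value -> live connections
        self.dyn = defaultdict(lambda: defaultdict(int))
        self.state = set()                    # 4-tuples that own a dynamic rule

    def process(self, f: Flow):
        """Evaluate one packet; return (verdict, number of the rule that decided)."""
        for r in self.rules:
            if r.action == 'check-state':
                if (f.src, f.sport, f.dst, f.dport) in self.state:
                    r.pkts += 1
                    return 'allow', r.num
                continue                      # no state yet: fall through
            if r.dport != f.dport or (r.setup and not f.syn):
                continue
            r.pkts += 1                       # the rule matched
            key, n = r.limit
            k = f.src if key == 'src-addr' else f.dst
            if self.dyn[r.num][k] >= n:
                return 'deny', r.num          # limit reached: connection dropped here
            self.dyn[r.num][k] += 1
            self.state.add((f.src, f.sport, f.dst, f.dport))
            return 'allow', r.num             # allow terminates the search
        return 'deny', 65535                  # default rule


def marks_ruleset():
    """The four rules Mark posted, as Rule objects."""
    return [Rule(10, 'check-state'),
            Rule(11, 'allow', dport=25, setup=True, limit=('dst-addr', 32)),
            Rule(12, 'check-state'),
            Rule(13, 'allow', dport=25, setup=True, limit=('src-addr', 4))]


def many_sources(n=40):
    """n SYNs to port 25, each from a different (constructed) source address."""
    fw = Ipfw(marks_ruleset())
    verdicts = [fw.process(Flow(f"198.51.100.{i}", 40000 + i, "192.0.2.1", 25))
                for i in range(1, n + 1)]
    return {r.num: r.pkts for r in fw.rules}, verdicts


def one_source(n=6):
    """n SYNs to port 25 from one constructed source, distinct source ports."""
    fw = Ipfw(marks_ruleset())
    verdicts = [fw.process(Flow("198.51.100.7", 40000 + i, "192.0.2.1", 25))
                for i in range(n)]
    return {r.num: r.pkts for r in fw.rules}, verdicts


if __name__ == "__main__":
    counters, v = many_sources()
    print(counters, [d for d, _ in v].count('allow'), "of 40 allowed")
    counters, v = one_source()
    print(counters, v)
```

Running it shows the 33rd source being refused at rule 11 (the dst-addr limit of 32), while six connections from a single source all pass rule 11, which is exactly why the per-source cap on rule 13 is never reached: a packet only arrives at rule 13 if nothing above it produced a verdict.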