From: Mark
Organization: Asarian-host
Date: Mon, 02 Aug 2004 18:15:49 GMT
Message-Id: <200408021815.I72IFNIC020343@asarian-host.net>
Subject: Re: One OR MORE of source and destination addresses?

JJB wrote:

> Your rules are all wrong. You really need to reread the ipfw manual
> page info. Only one check-state rule is used. Your other check-state
> rule is never matched.

Ok, I got a check-state too many.

> To get meaningful replies you have to post complete information
> about your system configuration with description of your overall
> firewall goals.

The goal is simple: I want to limit connections to port 25 to 32 in total, targeted at "me". And of those 32, only 4 per source. Like so:

ipfw add 1 check-state
...
ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4

Please, tell me then how "all wrong" this is. Because I *still* get the impression that rule 12 is never reached. And, so far, "ipfw show" does, indeed, only show activity on rule 11.

Thanks,

- Mark
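The rule walk described in the message, as an added example that is not part of the original post and is not ipfw code: a simplified Python model of first-match evaluation over rules 11 and 12. The names LimitRule, simulate and SAMPLE and the addresses are constructed for illustration; the model assumes that a packet over a rule's limit is dropped at that rule rather than passed on to the next one, and it does not model state expiry.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class LimitRule:
    number: int
    dport: int    # "to me <dport> setup"
    mask: str     # "src-addr" or "dst-addr"
    limit: int    # maximum concurrent states per masked address

# The two limit rules from the message, in the posted order.
POSTED = [LimitRule(11, 25, "dst-addr", 32), LimitRule(12, 25, "src-addr", 4)]

def simulate(syns, rules=POSTED):
    """Walk each new connection (src, dst, dport) through the rules, first match wins.

    Returns (decided, verdicts): decided[n] counts packets whose search ended at
    rule n; verdicts holds "allow", "deny" or "next" (no limit rule matched).
    """
    decided = Counter()
    states = Counter()                  # (rule number, masked address) -> live states
    verdicts = []
    for src, dst, dport in syns:
        verdict = "next"
        for rule in rules:
            if dport != rule.dport:
                continue                # rule body does not match, try the next rule
            key = (rule.number, dst if rule.mask == "dst-addr" else src)
            if states[key] < rule.limit:
                states[key] += 1        # install a dynamic state, allow the packet
                verdict = "allow"
            else:
                verdict = "deny"        # assumption: over-limit packets are dropped here
            decided[rule.number] += 1
            break                       # the search ends at the first matching rule
        verdicts.append(verdict)
    return decided, verdicts

# Constructed input: 40 new SMTP connections from one source, plus one to port 80.
ME, CLIENT = "192.0.2.1", "203.0.113.5"
SAMPLE = [(CLIENT, ME, 25)] * 40 + [(CLIENT, ME, 80)]

if __name__ == "__main__":
    decided, verdicts = simulate(SAMPLE)
    print(dict(decided), dict(Counter(verdicts)))
```

In this model a single source takes all 32 slots of rule 11 and rule 12 never decides a packet; reversing the two rules moves the whole decision to rule 12 instead, so neither order applies both limits.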