Date: Mon, 16 Apr 2007 15:44:00 +0200
From: Ivan Voras <ivoras@fer.hr>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw, keep-state and limit
Message-ID: <46237DA0.6060002@fer.hr>
In-Reply-To: <20070415150050.C39338@xorpc.icir.org>
References: <evu0kp$9u9$1@sea.gmane.org> <20070415144922.A39338@xorpc.icir.org> <evu6sg$q2i$1@sea.gmane.org> <20070415150050.C39338@xorpc.icir.org>
[-- Attachment #1 --]

Luigi Rizzo wrote:
>>> if i remember well (the implementation dates back to 2001 or so)
>>> you just need to use "limit", as it implicitly installs
>>> a dynamic state entry (same as keep-state).

My new rule is:

06079 376036 286721568 allow tcp from any to me dst-port 80 setup limit src-addr 15

And now ipfw -d show displays (among others):

06079 0 0 (0s) PARENT 2 tcp xx.53.98.13 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 1 tcp xx.29.147.17 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 5 tcp xx.29.242.18 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 0 tcp xx.53.68.19 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 1 tcp xx.53.18.22 0 <-> 0.0.0.0 0
06079 0 0 (8s) PARENT 1 tcp xx.55.213.39 0 <-> 0.0.0.0 0
06079 0 0 (6s) PARENT 1 tcp xx.53.76.41 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 0 tcp xx.164.34.41 0 <-> 0.0.0.0 0

I assume 0s in this case is good, and "PARENT n" means n connections from the client?

I've also got some dynamic rules referencing LIMIT on the same rule #:

06079 1471 1211349 (300s) LIMIT tcp xx.198.150.143 1507 <-> my.ip.ad.dr 80
06079 1243 988046 (300s) LIMIT tcp xx.198.150.143 1508 <-> my.ip.ad.dr 80
06079 25 15740 (299s) LIMIT tcp xx.53.74.51 1368 <-> my.ip.ad.dr 80
06079 7 1392 (223s) LIMIT tcp xx.254.251.10 3168 <-> my.ip.ad.dr 80

These are the individual connections, right?

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGI32gldnAQVacBcgRAv8nAKCoDp30/eS+BA/GFYSfbZoCd+J1oACg1zf3
IM92K315AsQo2G4V9tx0j/w=
=hrmA
-----END PGP SIGNATURE-----
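The question in the message above (does "PARENT n" count the client's connections, and are the LIMIT entries the individual connections?) can be checked mechanically against the `ipfw -d show` output itself. The script below is an added example, not part of this thread or of FreeBSD's ipfw; it parses dynamic-rule lines in the layout quoted above, groups PARENT and LIMIT entries by source address, and reports each source's state count against the rule's `limit src-addr N`, flagging sources that have exhausted the limit and parents whose count does not match the children actually listed (which is what you see when the listing is truncated or a parent is stale). It assumes the parent's count field tracks its live child states, as the poster surmises; the sample output and its addresses are constructed, not taken from a real host.

```python
import re
from collections import OrderedDict

# One line of `ipfw -d show` dynamic-rule output, in the layout quoted in this
# thread:  rule pkts bytes (expiry) KIND [count] proto src sport <-> dst dport
# The numeric [count] field is present only on PARENT entries.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<expiry>\d+)s\)\s+"
    r"(?P<kind>PARENT|LIMIT|STATE)\s+(?:(?P<count>\d+)\s+)?"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


def parse_dynamic(text):
    """Return one dict per dynamic-rule line; headers and static rules are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue  # "## Dynamic rules" header, static rules, blank lines
        e = m.groupdict()
        for key in ("rule", "pkts", "bytes", "expiry", "sport", "dport"):
            e[key] = int(e[key])
        e["count"] = int(e["count"]) if e["count"] is not None else None
        entries.append(e)
    return entries


def summarize(entries, limit, rule=None):
    """Group PARENT and LIMIT entries by source address and compare them.

    Assumption (matching the poster's reading): a PARENT's count is the number
    of live child LIMIT states, i.e. the value `limit src-addr N` is enforced on.
    """
    per_src = OrderedDict()
    for e in entries:
        if rule is not None and e["rule"] != rule:
            continue
        s = per_src.setdefault(e["src"], {"parent_count": None, "children": 0})
        if e["kind"] == "PARENT":
            s["parent_count"] = e["count"]
        elif e["kind"] == "LIMIT":
            s["children"] += 1
    for s in per_src.values():
        pc = s["parent_count"]
        s["consistent"] = pc is not None and pc == s["children"]
        s["remaining"] = None if pc is None else max(limit - pc, 0)
        s["at_limit"] = pc is not None and pc >= limit
    return per_src


def report(summary, limit):
    """One human-readable line per source, with flags for exhausted or odd parents."""
    lines = []
    for src, s in summary.items():
        flags = []
        if s["at_limit"]:
            flags.append("AT LIMIT")
        if not s["consistent"]:
            flags.append("parent count != listed children (truncated output or stale parent?)")
        text = f"{src}: {s['parent_count']}/{limit} states, {s['children']} LIMIT entries listed"
        if flags:
            text += " [" + "; ".join(flags) + "]"
        lines.append(text)
    return lines


# Constructed sample output modelled on the lines quoted in the thread
# (documentation addresses, not real hosts). 192.0.2.77 has used all 15 states;
# 192.0.2.5 has a PARENT entry but no listed children, standing in for a
# truncated listing.
SAMPLE_OUTPUT = "\n".join(
    ["## Dynamic rules:",
     "06079 0 0 (0s) PARENT 2 tcp 192.0.2.10 0 <-> 0.0.0.0 0",
     "06079 1471 1211349 (300s) LIMIT tcp 192.0.2.10 1507 <-> 198.51.100.1 80",
     "06079 1243 988046 (300s) LIMIT tcp 192.0.2.10 1508 <-> 198.51.100.1 80",
     "06079 0 0 (0s) PARENT 15 tcp 192.0.2.77 0 <-> 0.0.0.0 0"]
    + [f"06079 3 240 (300s) LIMIT tcp 192.0.2.77 {40000 + i} <-> 198.51.100.1 80"
       for i in range(15)]
    + ["06079 0 0 (0s) PARENT 1 tcp 192.0.2.5 0 <-> 0.0.0.0 0"]
) + "\n"

if __name__ == "__main__":
    # On a real box: ipfw -d show | python3 this_script.py (read sys.stdin instead)
    for line in report(summarize(parse_dynamic(SAMPLE_OUTPUT), limit=15, rule=6079), 15):
        print(line)
```

Restricting `summarize` to the rule number keeps parents from other `limit` rules (with different limits) out of the tally; the expiry field is parsed but not interpreted, since whether a PARENT showing 0s is harmless is exactly what the thread is asking.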
