Date:      Mon, 16 Apr 2007 15:44:00 +0200
From:      Ivan Voras <ivoras@fer.hr>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw, keep-state and limit
Message-ID:  <46237DA0.6060002@fer.hr>
In-Reply-To: <20070415150050.C39338@xorpc.icir.org>
References:  <evu0kp$9u9$1@sea.gmane.org> <20070415144922.A39338@xorpc.icir.org> <evu6sg$q2i$1@sea.gmane.org> <20070415150050.C39338@xorpc.icir.org>


Luigi Rizzo wrote:
>>> if i remember well (the implementation dates back to 2001 or so)
>>> you just need to use "limit", as it implicitly installs
>>> a dynamic state entry (same as keep-state).

My new rule is:
06079    376036    286721568 allow tcp from any to me dst-port 80 setup limit src-addr 15

And now ipfw -d show displays (among others):

06079         0            0 (0s) PARENT 2 tcp xx.53.98.13 0 <-> 0.0.0.0 0
06079         0            0 (0s) PARENT 1 tcp xx.29.147.17 0 <-> 0.0.0.0 0
06079         0            0 (0s) PARENT 5 tcp xx.29.242.18 0 <-> 0.0.0.0 0
06079         0            0 (0s) PARENT 0 tcp xx.53.68.19 0 <-> 0.0.0.0 0
06079         0            0 (0s) PARENT 1 tcp xx.53.18.22 0 <-> 0.0.0.0 0
06079         0            0 (8s) PARENT 1 tcp xx.55.213.39 0 <-> 0.0.0.0 0
06079         0            0 (6s) PARENT 1 tcp xx.53.76.41 0 <-> 0.0.0.0 0
06079         0            0 (0s) PARENT 0 tcp xx.164.34.41 0 <-> 0.0.0.0 0

I assume 0s in this case is good, and "PARENT n" means n connections from the client?

I've also got some dynamic rules referencing LIMIT on the same rule #:
06079      1471      1211349 (300s) LIMIT tcp xx.198.150.143 1507 <-> my.ip.ad.dr 80
06079      1243       988046 (300s) LIMIT tcp xx.198.150.143 1508 <-> my.ip.ad.dr 80
06079        25        15740 (299s) LIMIT tcp xx.53.74.51 1368 <-> my.ip.ad.dr 80
06079         7         1392 (223s) LIMIT tcp xx.254.251.10 3168 <-> my.ip.ad.dr 80

These are the individual connections, right?

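As an added example (not part of this thread and not FreeBSD's own tooling), a small parser for the `ipfw -d show` format discussed above: it reads the "limit src-addr N" option from the static rule, pairs each PARENT entry with its LIMIT children, and reports which sources have reached the cap. The sample output is constructed on the thread's format with documentation addresses; the "## Dynamic rules:" header line is an assumption and is simply skipped.

```python
import re
from collections import defaultdict

# Constructed sample of `ipfw -d show` output, modelled on the format in the
# thread; addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_OUTPUT = """\
06079    376036    286721568 allow tcp from any to me dst-port 80 setup limit src-addr 15
## Dynamic rules:
06079         0            0 (0s) PARENT 2 tcp 192.0.2.13 0 <-> 0.0.0.0 0
06079         0            0 (0s) PARENT 15 tcp 192.0.2.17 0 <-> 0.0.0.0 0
06079      1471      1211349 (300s) LIMIT tcp 192.0.2.13 1507 <-> 198.51.100.5 80
06079      1243       988046 (300s) LIMIT tcp 192.0.2.13 1508 <-> 198.51.100.5 80
06079        25        15740 (299s) LIMIT tcp 192.0.2.17 1368 <-> 198.51.100.5 80
"""

# Static rule line carrying a "limit <key> <N>" option (case-sensitive, so
# the uppercase LIMIT of dynamic entries does not match here).
STATIC_RE = re.compile(r"^(?P<rule>\d+)\s+\d+\s+\d+\s+.*\blimit\s+\S+\s+(?P<max>\d+)\b")
# Dynamic entry: PARENT lines carry the child count before the protocol,
# LIMIT lines (one per tracked connection) do not.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+\((?P<ttl>\d+)s\)\s+(?P<kind>PARENT|LIMIT)\s+"
    r"(?:(?P<count>\d+)\s+)?\S+\s+(?P<src>\S+)\s+\d+\s+<->\s+\S+\s+\d+$"
)


def parse(text):
    """Return (limit per rule, PARENT count per (rule, src), child TTLs per (rule, src))."""
    limits, parents, children = {}, {}, defaultdict(list)
    for line in text.splitlines():
        m = DYN_RE.match(line)
        if m:
            key = (m["rule"], m["src"])
            if m["kind"] == "PARENT":
                parents[key] = int(m["count"])
            else:
                children[key].append(int(m["ttl"]))
            continue
        m = STATIC_RE.match(line)
        if m:
            limits[m["rule"]] = int(m["max"])
    return limits, parents, dict(children)


def sources_at_cap(text):
    """Sources whose PARENT count has reached the rule's limit; new SYNs from
    them are refused until one of their tracked connections expires."""
    limits, parents, _ = parse(text)
    return sorted(src for (rule, src), n in parents.items()
                  if rule in limits and n >= limits[rule])
```

A PARENT count that differs from the number of LIMIT children for the same source is normal in a single snapshot, since children expire independently of the parent entry.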