From: Ivan Voras <ivoras@fer.hr>
Date: Mon, 16 Apr 2007 15:44:00 +0200
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw, keep-state and limit
Message-ID: <46237DA0.6060002@fer.hr>
In-Reply-To: <20070415150050.C39338@xorpc.icir.org>

Luigi Rizzo wrote:
>>> if i remember well (the implementation dates back to 2001 or so)
>>> you just need to use "limit", as it implicitly installs
>>> a dynamic state entry (same as keep-state).
My new rule is:

06079 376036 286721568 allow tcp from any to me dst-port 80 setup limit src-addr 15

And now ipfw -d show displays (among others):

06079 0 0 (0s) PARENT 2 tcp xx.53.98.13 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 1 tcp xx.29.147.17 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 5 tcp xx.29.242.18 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 0 tcp xx.53.68.19 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 1 tcp xx.53.18.22 0 <-> 0.0.0.0 0
06079 0 0 (8s) PARENT 1 tcp xx.55.213.39 0 <-> 0.0.0.0 0
06079 0 0 (6s) PARENT 1 tcp xx.53.76.41 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 0 tcp xx.164.34.41 0 <-> 0.0.0.0 0

I assume 0s in this case is good, and "PARENT n" means n connections from the client?

I've also got some dynamic rules referencing LIMIT on the same rule #:

06079 1471 1211349 (300s) LIMIT tcp xx.198.150.143 1507 <-> my.ip.ad.dr 80
06079 1243 988046 (300s) LIMIT tcp xx.198.150.143 1508 <-> my.ip.ad.dr 80
06079 25 15740 (299s) LIMIT tcp xx.53.74.51 1368 <-> my.ip.ad.dr 80
06079 7 1392 (223s) LIMIT tcp xx.254.251.10 3168 <-> my.ip.ad.dr 80

These are the individual connections, right?
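A small parser for dynamic-rule lines in the layout quoted above, added here as an example; it is not code from the thread or from ipfw itself. It counts the LIMIT entries per source address so an administrator can see which clients are approaching a `limit src-addr 15` cap before they start being refused, and cross-checks each PARENT entry's count against the child entries visible for the same source. The sample listing is constructed (RFC 5737 documentation addresses) in the same format as the mail's output, and reading "PARENT n" as the number of active child entries is an assumption of the example, not something the mail establishes.

```python
import re
from collections import Counter

# Constructed sample of `ipfw -d show` dynamic-rule lines, in the layout the
# mail above quotes; the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_OUTPUT = """\
06079 0 0 (0s) PARENT 3 tcp 192.0.2.13 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 1 tcp 198.51.100.17 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 0 tcp 203.0.113.77 0 <-> 0.0.0.0 0
06079 1471 1211349 (300s) LIMIT tcp 192.0.2.13 1507 <-> 203.0.113.5 80
06079 1243 988046 (300s) LIMIT tcp 192.0.2.13 1508 <-> 203.0.113.5 80
06079 7 1392 (223s) LIMIT tcp 192.0.2.13 1509 <-> 203.0.113.5 80
06079 25 15740 (299s) LIMIT tcp 198.51.100.17 1368 <-> 203.0.113.5 80
"""

# One dynamic-rule line: rule number, packet and byte counters, remaining
# lifetime in seconds, entry kind (PARENT carries a child count), protocol,
# then "src sport <-> dst dport".
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<kind>PARENT|LIMIT|STATE)(?:\s+(?P<children>\d+))?\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


def parse_dynamic_rules(text):
    """Parse `ipfw -d show` output; lines that are not dynamic entries (static
    rules, headers) are skipped rather than treated as errors."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for k in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
            e[k] = int(e[k])
        e["children"] = int(e["children"]) if e["children"] is not None else None
        entries.append(e)
    return entries


def limit_usage(entries, rule=None):
    """Active LIMIT entries per source address (optionally for one rule number).
    For a `limit src-addr N` rule this is the per-client connection count."""
    usage = Counter()
    for e in entries:
        if e["kind"] == "LIMIT" and (rule is None or e["rule"] == rule):
            usage[e["src"]] += 1
    return dict(usage)


def parent_counts(entries, rule=None):
    """Child count reported on each PARENT entry, keyed by source address."""
    return {
        e["src"]: e["children"]
        for e in entries
        if e["kind"] == "PARENT" and (rule is None or e["rule"] == rule)
    }


def sources_near_limit(entries, limit, fraction=0.8, rule=None):
    """Sources using at least `fraction` of the configured limit, busiest first;
    a watch-list for clients about to hit the cap."""
    threshold = limit * fraction
    hot = [(src, n) for src, n in limit_usage(entries, rule).items() if n >= threshold]
    return sorted(hot, key=lambda p: (-p[1], p[0]))


def mismatched_parents(entries, rule=None):
    """Parents whose reported count differs from the LIMIT entries visible for
    the same source. Assumes (example's assumption, not stated in the mail) that
    PARENT n counts active child entries; on a complete snapshot a non-empty
    result usually means the table changed while it was being read."""
    usage = limit_usage(entries, rule)
    return sorted(
        (src, n, usage.get(src, 0))
        for src, n in parent_counts(entries, rule).items()
        if n != usage.get(src, 0)
    )


if __name__ == "__main__":
    rules = parse_dynamic_rules(SAMPLE_OUTPUT)
    for src, n in sources_near_limit(rules, limit=15, fraction=0.2):
        print(f"{src}: {n} of 15 connections in use")
```

Run it against `ipfw -d show` piped into stdin (or a saved copy) with the real rule number and limit; the `fraction` argument sets how close to the cap a client must be before it is listed, and lines that are not dynamic entries are simply ignored.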