Date: Sun, 18 Feb 2007 18:11:47 +0400 From: admin <admin@azuni.net> To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org Subject: ipfw limit src-addr woes Message-ID: <45D85EA3.2050102@azuni.net>
next in thread | raw e-mail | index | archive | help
Hi, I'm trying to use ipfw's limit clause to limit the number of connections a single IP can have at the same time in a transparent web-proxy environment: 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 80 in via if0 setup limit src-addr 10 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80 ... the rest fwd... as I understand the manpage, when the current number of connectiions is below 10, the action "skipto" is performed, else, the packet is dropped and the search terminates. But... the problem is that the src-addr limit is not enforced as some clients somehow open a huge number (3-5 times the prescribed value) of www-connections to some single address Out There, forcing you to bump up certain sysctl variables (such as kern.ipc.nmbclusters, kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be going on? Is ipfw broken, or am I misusing it? OS: FreeBSD 6.2
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45D85EA3.2050102>