From owner-freebsd-net@FreeBSD.ORG Mon Apr 16 15:45:51 2007
Date: Mon, 16 Apr 2007 08:45:48 -0700
From: Luigi Rizzo
To: Ivan Voras
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw, keep-state and limit
Message-ID: <20070416084548.A58565@xorpc.icir.org>
References: <20070415144922.A39338@xorpc.icir.org> <20070415150050.C39338@xorpc.icir.org> <46237DA0.6060002@fer.hr>
In-Reply-To: <46237DA0.6060002@fer.hr>; from ivoras@fer.hr on Mon, Apr 16, 2007 at 03:44:00PM +0200
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Apr 16, 2007 at 03:44:00PM +0200, Ivan Voras wrote:
> Luigi Rizzo wrote:
>
> >>> if i remember well (the implementation dates back to 2001 or so)
> >>> you just need to use "limit", as it implicitly installs
> >>> a dynamic state entry (same as keep-state).
>
> My new rule is:
> 06079 376036 286721568 allow tcp from any to me dst-port 80 setup limit src-addr 15
>
> And now ipfw -d show displays (among others):
>
> 06079 0 0 (0s) PARENT 2 tcp xx.53.98.13 0 <-> 0.0.0.0 0
> 06079 0 0 (0s) PARENT 1 tcp xx.29.147.17 0 <-> 0.0.0.0 0
> 06079 0 0 (0s) PARENT 5 tcp xx.29.242.18 0 <-> 0.0.0.0 0
> 06079 0 0 (0s) PARENT 0 tcp xx.53.68.19 0 <-> 0.0.0.0 0
> 06079 0 0 (0s) PARENT 1 tcp xx.53.18.22 0 <-> 0.0.0.0 0
> 06079 0 0 (8s) PARENT 1 tcp xx.55.213.39 0 <-> 0.0.0.0 0
> 06079 0 0 (6s) PARENT 1 tcp xx.53.76.41 0 <-> 0.0.0.0 0
> 06079 0 0 (0s) PARENT 0 tcp xx.164.34.41 0 <-> 0.0.0.0 0
>
> I assume 0s in this case is good, and "PARENT n" means n connections
> from the client?

you have to look at the source code because it has been a few years
since i implemented them, but i believe the PARENT lines (which have
0's in the counters and unused fields) are the summary for the
individual clients, and the individual entries are the 'LIMIT' rules
below. I am not sure why there is a non-zero timeout in some of the
parent rules.

cheers
luigi

> I've also got some dynamic rules referencing LIMIT on the same rule #:
> 06079 1471 1211349 (300s) LIMIT tcp xx.198.150.143 1507 <-> my.ip.ad.dr 80
> 06079 1243 988046 (300s) LIMIT tcp xx.198.150.143 1508 <-> my.ip.ad.dr 80
> 06079 25 15740 (299s) LIMIT tcp xx.53.74.51 1368 <-> my.ip.ad.dr 80
> 06079 7 1392 (223s) LIMIT tcp xx.254.251.10 3168 <-> my.ip.ad.dr 80
>
> These are the individual connections, right?
>
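An added example, not part of the thread, of reading the `ipfw -d show` dynamic-rule output discussed above: it parses the PARENT and LIMIT lines, counts live LIMIT entries (individual connections) per source address, and compares them with the per-source PARENT count and with the rule's `limit src-addr` value (15 in the message). The sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed; the line layout follows the output quoted in the message.

```python
import re
from collections import Counter

# Constructed sample of `ipfw -d show` dynamic-rule output (addresses are
# RFC 5737 documentation ranges, not the poster's real hosts).
SAMPLE = """\
06079 0 0 (0s) PARENT 2 tcp 192.0.2.13 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 1 tcp 192.0.2.17 0 <-> 0.0.0.0 0
06079 0 0 (0s) PARENT 0 tcp 192.0.2.19 0 <-> 0.0.0.0 0
06079 1471 1211349 (300s) LIMIT tcp 192.0.2.13 1507 <-> 198.51.100.5 80
06079 1243 988046 (300s) LIMIT tcp 192.0.2.13 1508 <-> 198.51.100.5 80
06079 25 15740 (299s) LIMIT tcp 192.0.2.17 1368 <-> 198.51.100.5 80
"""

# rule pkts bytes (ttl s) KIND [count] proto src sport <-> dst dport
# The count field is only present on PARENT lines.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<kind>PARENT|LIMIT)\s+(?:(?P<count>\d+)\s+)?(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def parse_dynamic(text):
    """Return one dict per PARENT/LIMIT line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
            d[key] = int(d[key])
        d["count"] = int(d["count"]) if d["count"] is not None else None
        entries.append(d)
    return entries


def connections_per_source(entries):
    """Live LIMIT entries per source address (one entry per connection)."""
    return Counter(e["src"] for e in entries if e["kind"] == "LIMIT")


def check_limit(entries, limit):
    """Map src -> (parent_count, live_limit_entries, at_or_over_limit).

    A PARENT whose count disagrees with the number of LIMIT lines is worth a
    second look; at_or_over_limit flags sources that new SYNs will be refused for.
    """
    live = connections_per_source(entries)
    report = {}
    for e in entries:
        if e["kind"] == "PARENT":
            n = live.get(e["src"], 0)
            report[e["src"]] = (e["count"], n, n >= limit)
    return report
```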