From owner-freebsd-questions@FreeBSD.ORG Tue Aug 3 14:50:23 2004
From: Mark
Date: Tue, 03 Aug 2004 14:50:14 GMT
To: freebsd-questions@freebsd.org
Subject: Re: One OR MORE of source and destination addresses?
Message-Id: <200408031450.I73EOEAV035230@asarian-host.net>
References: <200408021816.I72IGEB4020395@asarian-host.net>

Mark wrote:
> The goal is simple: I want to limit connections to port 25 to 32 in
> total, targeted at "me". And of those 32, only 4 per source. Like so:
>
> ipfw add 1 check-state
> ...
> ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>
> Please, tell me then how "all wrong" this is. Because I *still* get
> the impression that rule 12 is never reached. And, so far, "ipfw
> show" does, indeed, only show activity on rule 11.

If at all possible, I would still like to hear a suggestion as to how to combine the two rules. From my pov, the first "allow" in rule 11 makes a packet pass, provided there are less than 32 connections in total. Thus, rule 12 never gets invoked (which, indeed, seems to be the case).

Someone suggested to me I was at fault for numbering the rules. Quite frankly, that does not compute to me, as ipfw autonumbers anyway (in default steps of 100, I believe).

Seriously, I do not mind hearing how "all wrong" my rules are; but, at the same time, I have not heard a proper way of doing this.

I appreciate suggestions,

- Mark
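As an added illustration (not part of the post, and not ipfw's own code), a small Python model of the first-match evaluation described above, run over constructed traffic. It assumes each rule keeps its own dynamic entries keyed on the address named in its limit clause, that the first rule whose match clause fits decides the verdict, and that a packet over the limit is dropped rather than handed to the next rule.

```python
from collections import Counter, defaultdict

# Each rule is (number, limit_key, limit); all share the same static match
# ("tcp from any to me 25 setup"), so only the limit clause differs.
RULES = [(11, "dst", 32), (12, "src", 4)]

def evaluate(rules, setups):
    """Run new TCP setup packets (src, dst) through an ordered rule list.

    Returns (hits per rule number, list of verdicts in packet order).
    Toy model of first-match semantics; not ipfw's implementation.
    """
    states = defaultdict(list)   # rule number -> dynamic entries (src, dst)
    hits = Counter()             # what "ipfw show" would count per rule
    verdicts = []
    for src, dst in setups:
        verdict = "deny"         # constructed default if nothing matches
        for num, key, limit in rules:
            hits[num] += 1       # this rule's static match fits, so it counts
            idx = 0 if key == "src" else 1
            same_key = sum(1 for s in states[num] if s[idx] == (src, dst)[idx])
            if same_key < limit:
                states[num].append((src, dst))
                verdict = "allow"
            else:
                verdict = "deny"  # assumption: over the limit means dropped
            break                 # first matching rule decides; rule 12 never runs
        verdicts.append(verdict)
    return hits, verdicts

def demo():
    """33 SYNs from one constructed source to 'me' port 25."""
    sample = [("192.0.2.10", "me")] * 33
    hits, verdicts = evaluate(RULES, sample)
    # Returns (rule 11 hits, rule 12 hits, connections admitted from that source).
    return hits[11], hits[12], verdicts.count("allow")

if __name__ == "__main__":
    print(demo())
```

Rule 11 counts all 33 packets and admits 32 of them from a single source; rule 12, which was meant to cap each source at 4, is never consulted.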