From owner-freebsd-questions@FreeBSD.ORG Tue Aug 3 14:57:34 2004
From: Bill Moran <wmoran@potentialtech.com>
To: Mark
Cc: freebsd-questions@freebsd.org
Date: Tue, 3 Aug 2004 10:57:31 -0400
Subject: Re: One OR MORE of source and destination addresses?
Message-Id: <20040803105731.197c7cd0.wmoran@potentialtech.com>
In-Reply-To: <200408031450.I73EOEAV035230@asarian-host.net>
References: <200408021816.I72IGEB4020395@asarian-host.net> <200408031450.I73EOEAV035230@asarian-host.net>
Organization: Potential Technologies
X-Mailer: Sylpheed version 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd4.9)

Mark wrote:
> Mark wrote:
>
> > The goal is simple: I want to limit connections to port 25 to 32 in
> > total, targeted at "me". And of those 32, only 4 per source. Like so:
> >
> > ipfw add 1 check-state
> > ...
> > ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
> > ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
> >
> > Please, tell me then how "all wrong" this is. Because I *still* get
> > the impression that rule 12 is never reached. And, so far, "ipfw
> > show" does, indeed, only show activity on rule 11.
>
> If at all possible, I would still like to hear a suggestion as to how to
> combine the two rules. From my pov, the first "allow" in rule 11 makes a
> packet pass, provided there are less than 32 connections in total. Thus,
> rule 12 never gets invoked (which, indeed, seems to be the case).

How about using skipto instead of allow? Thus, if it passes the first one,
it can just skipto the next rule to be checked. i.e.:

ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4

Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
reject as always. The end result is that a packet _must_ pass both rules
to be allowed.

Note that I haven't tried this, so I could be wrong in how it works.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
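An added toy model of the two rule orderings discussed in this thread (it is not code from the thread or from ipfw itself): it tracks only new-connection (setup) packets, gives each `limit` rule its own state table, and assumes, as the reply does, that a packet hitting a full limit is dropped. It shows that with `allow` in rule 11 the per-source limit in rule 12 is never consulted, while with `skipto 12` both limits apply.

```python
from collections import Counter


class Rule:
    """One ipfw rule with a 'limit {src-addr|dst-addr} N' dynamic-state clause."""

    def __init__(self, num, action, limit_key, limit_n, target=None):
        self.num = num              # rule number
        self.action = action        # "allow" or "skipto"
        self.limit_key = limit_key  # "src-addr" or "dst-addr"
        self.limit_n = limit_n      # maximum states sharing that address
        self.target = target        # skipto destination rule number
        self.states = Counter()     # live states, keyed by the limited address


def evaluate(rules, src, dst):
    """Verdict for a new SYN from src to dst; rules end in an implicit deny."""
    i = 0
    while i < len(rules):
        r = rules[i]
        key = src if r.limit_key == "src-addr" else dst
        if r.states[key] >= r.limit_n:
            return "deny"       # limit reached: packet dropped (model assumption)
        r.states[key] += 1      # install a dynamic state for this connection
        if r.action == "allow":
            return "allow"
        # skipto: resume at the first rule numbered >= target
        i = next((j for j, x in enumerate(rules) if x.num >= r.target),
                 len(rules))
    return "deny"


def run(first_action, sources, dst="me"):
    """Replay one SYN per source through rules 11/12; rule 11 uses first_action.

    Returns (verdicts, number of states rule 12 ever installed).
    """
    rules = [Rule(11, first_action, "dst-addr", 32, target=12),
             Rule(12, "allow", "src-addr", 4)]
    verdicts = [evaluate(rules, s, dst) for s in sources]
    return verdicts, sum(rules[1].states.values())


if __name__ == "__main__":
    same_src = ["10.0.0.7"] * 5        # constructed: 5 SYNs from one host
    print("allow :", run("allow", same_src))    # 5 allowed, rule 12 untouched
    print("skipto:", run("skipto", same_src))   # 5th denied by src-addr 4
```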