From: Mark
Date: Tue, 03 Aug 2004 15:31:54 GMT
Message-Id: <200408031531.I73FVRQ8036613@asarian-host.net>
References: <20040803105731.197c7cd0.wmoran@potentialtech.com>
Subject: SOLVED! Re: One OR MORE of source and destination addresses?
X-BeenThere: freebsd-questions@freebsd.org

Bill Moran wrote:

>> Mark wrote:
>>
>>> The goal is simple: I want to limit connections to port 25 to 32 in
>>> total, targeted at "me". And of those 32, only 4 per source. Like
>>> so:
>>>
>>> ipfw add 1 check-state
>>> ...
>>> ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
>>> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>>>
>>> Please, tell me then how "all wrong" this is. Because I *still* get
>>> the impression that rule 12 is never reached. And, so far, "ipfw
>>> show" does, indeed, only show activity on rule 11.
>>
>> If at all possible, I would still like to hear a suggestion as to
>> how to combine the two rules. From my pov, the first "allow" in rule
>> 11 makes a packet pass, provided there are less than 32 connections
>> in total. Thus, rule 12 never gets invoked (which, indeed, seems to
>> be the case).
>
> How about using skipto instead of allow? Thus, if it passes the
> first one, it can just skipto the next rule to be checked. i.e.:
>
> ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>
> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
> reject as always. The end result is that a packet _must_ pass both
> rules to be allowed.

Thanks!! This does, indeed, exactly what I want. :)

- Mark
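The difference between the two rulesets in the thread comes down to what happens after rule 11 matches: `allow` ends the walk, `skipto 12` continues it. The Python below is an added toy model of that rule walk, written for this page and not taken from the thread or from ipfw itself. It models only TCP setup packets and the per-key counting that `limit dst-addr N` / `limit src-addr N` perform, with a limit violation dropping the packet at that rule; it does not model `check-state`, state expiry or the real kernel's per-flow dynamic table (the addresses and rule objects are constructed for the example). On a real system, check with `ipfw -d show` that the second `limit` rule actually installs and counts state for a flow that rule 11 has already tracked, since that is the behaviour the per-source cap relies on.

```python
# Added example (not from the original thread): a toy model of how ipfw walks a
# rule list, used to compare "allow" and "skipto" in rule 11 of the thread.
# It models only TCP setup packets and the "limit" bookkeeping; it is not ipfw.

from collections import defaultdict

ME = "192.0.2.25"  # constructed address standing in for "me"


class LimitRule:
    """One 'tcp from any to me 25 setup limit <key> N' rule (model only)."""

    def __init__(self, number, action, key, limit):
        self.number = number            # ipfw rule number
        self.action = action            # "allow" or ("skipto", target_number)
        self.key = key                  # "src-addr" or "dst-addr"
        self.limit = limit
        self.states = defaultdict(int)  # dynamic-state count per key value

    def key_value(self, src, dst):
        return src if self.key == "src-addr" else dst

    def admit(self, src, dst):
        """Return True and install state if the limit allows one more flow."""
        k = self.key_value(src, dst)
        if self.states[k] >= self.limit:
            return False        # limit exceeded: the packet is dropped here
        self.states[k] += 1     # install state; the model never expires it
        return True


def build_ruleset(first_action):
    """Rules 11 and 12 from the thread; first_action is 'allow' or 'skipto'."""
    action11 = "allow" if first_action == "allow" else ("skipto", 12)
    return [
        LimitRule(11, action11, "dst-addr", 32),
        LimitRule(12, "allow", "src-addr", 4),
    ]


def evaluate_setup(rules, src, dst=ME):
    """Walk the rule list for one setup packet; return (verdict, rule_number)."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule.admit(src, dst):
            return ("deny", rule.number)
        if rule.action == "allow":
            return ("allow", rule.number)
        _, target = rule.action
        # skipto: continue at the first rule numbered >= target (forward only)
        nxt = next((j for j, r in enumerate(rules) if r.number >= target), len(rules))
        if nxt <= i:
            raise ValueError("skipto target must be after the current rule")
        i = nxt
    return ("deny", None)  # fell off the end of the list: default deny


def run_scenario(first_action, sources):
    """Feed one setup packet per entry in `sources`; return the verdict list."""
    rules = build_ruleset(first_action)
    return [evaluate_setup(rules, src) for src in sources]


if __name__ == "__main__":
    same_host = ["198.51.100.7"] * 5                      # constructed client
    print("allow :", run_scenario("allow", same_host))    # 5 x allow at rule 11
    print("skipto:", run_scenario("skipto", same_host))   # 4 x allow at 12, then deny at 12
    many_hosts = [f"203.0.113.{n}" for n in range(1, 34)]  # 33 distinct clients
    print("33 src:", run_scenario("skipto", many_hosts)[-1])  # deny at rule 11
```

With `allow` in rule 11 the fifth connection from one host is still accepted at rule 11, which is exactly the "rule 12 is never reached" symptom; with `skipto 12` the fifth is dropped at rule 12, and a 33rd concurrent connection from a fresh host is dropped at rule 11.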