Date: Mon, 16 Apr 2007 15:44:00 +0200 From: Ivan Voras <ivoras@fer.hr> To: Luigi Rizzo <rizzo@icir.org> Cc: freebsd-net@freebsd.org Subject: Re: ipfw, keep-state and limit Message-ID: <46237DA0.6060002@fer.hr> In-Reply-To: <20070415150050.C39338@xorpc.icir.org> References: <evu0kp$9u9$1@sea.gmane.org> <20070415144922.A39338@xorpc.icir.org> <evu6sg$q2i$1@sea.gmane.org> <20070415150050.C39338@xorpc.icir.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigECDAF43EE64387902E0D0E1C Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable Luigi Rizzo wrote: >>> if i remember well (the implementation dates back to 2001 or so) >>> you just need to use "limit", as it implicitly installs >>> a dynamic state entry (same as keep-state). My new rule is: 06079 376036 286721568 allow tcp from any to me dst-port 80 setup=20 limit src-addr 15 And now ipfw -d show displays (among others): 06079 0 0 (0s) PARENT 2 tcp xx.53.98.13 0 <-> 0.0.0.0 = 0 06079 0 0 (0s) PARENT 1 tcp xx.29.147.17 0 <-> 0.0.0.0= 0 06079 0 0 (0s) PARENT 5 tcp xx.29.242.18 0 <-> 0.0.0.0= 0 06079 0 0 (0s) PARENT 0 tcp xx.53.68.19 0 <-> 0.0.0.0 = 0 06079 0 0 (0s) PARENT 1 tcp xx.53.18.22 0 <-> 0.0.0.0 = 0 06079 0 0 (8s) PARENT 1 tcp xx.55.213.39 0 <-> 0.0.0.0= 0 06079 0 0 (6s) PARENT 1 tcp xx.53.76.41 0 <-> 0.0.0.0 = 0 06079 0 0 (0s) PARENT 0 tcp xx.164.34.41 0 <-> 0.0.0.0= 0 I assume 0s in this case is good, and "PARENT n" means n connections=20 from the client? I've also got some dynamic rules referencing LIMIT on the same rule #: 06079 1471 1211349 (300s) LIMIT tcp xx.198.150.143 1507 <->=20 my.ip.ad.dr 80 06079 1243 988046 (300s) LIMIT tcp xx.198.150.143 1508 <->=20 my.ip.ad.dr 80 06079 25 15740 (299s) LIMIT tcp xx.53.74.51 1368 <->=20 my.ip.ad.dr 80 06079 7 1392 (223s) LIMIT tcp xx.254.251.10 3168 <->=20 my.ip.ad.dr 80 These are the individual connections, right? --------------enigECDAF43EE64387902E0D0E1C Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGI32gldnAQVacBcgRAv8nAKCoDp30/eS+BA/GFYSfbZoCd+J1oACg1zf3 IM92K315AsQo2G4V9tx0j/w= =hrmA -----END PGP SIGNATURE----- --------------enigECDAF43EE64387902E0D0E1C--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46237DA0.6060002>