On Sun, 15 Apr 2007, Luigi Rizzo wrote:
On Sun, Apr 15, 2007 at 11:53:15PM +0200, Ivan Voras wrote:
Luigi Rizzo wrote:
if i remember well (the implementation dates back to 2001 or so)
you just need to use limit, as it implicitly installs
a dynamic state entry (same as
Luigi Rizzo wrote:
if i remember well (the implementation dates back to 2001 or so)
you just need to use limit, as it implicitly installs
a dynamic state entry (same as keep-state).
My new rule is:
06079376036286721568 allow tcp from any to me dst-port 80 setup limit src-addr 15
And
On Mon, Apr 16, 2007 at 03:44:00PM +0200, Ivan Voras wrote:
Luigi Rizzo wrote:
if i remember well (the implementation dates back to 2001 or so)
you just need to use limit, as it implicitly installs
a dynamic state entry (same as keep-state).
My new rule is:
06079376036286721568
Luigi Rizzo wrote:
you have to look at the source code because it has been a few years
since i implemented them, but i believe the PARENT lines (which have
0's in the counters and unused fields) are the summary for the individual
clients, and the individual entries are the 'LIMIT' rules
I think I need to start filtering based on simultaneous connections from
source IP addresses because of some abuse that's apparently going on,
so, as I'm already using ipfw, I tried this:
# ipfw add 6079 allow tcp from any to me 80 setup keep-state limit src-addr 10
To which ipfw replied:
ipfw:
On Sun, Apr 15, 2007 at 10:06:37PM +0200, Ivan Voras wrote:
I think I need to start filtering based on simultaneous connections from
source IP addresses because of some abuse that's apparently going on,
so, as I'm already using ipfw, I tried this:
# ipfw add 6079 allow tcp from any to me 80
Luigi Rizzo wrote:
if i remember well (the implementation dates back to 2001 or so)
you just need to use limit, as it implicitly installs
a dynamic state entry (same as keep-state).
Thanks, I'll try it tomorrow. If it works, may I suggest a change: make
the error message say keep-state is
On Sun, Apr 15, 2007 at 11:53:15PM +0200, Ivan Voras wrote:
Luigi Rizzo wrote:
if i remember well (the implementation dates back to 2001 or so)
you just need to use limit, as it implicitly installs
a dynamic state entry (same as keep-state).
Thanks, I'll try it tomorrow. If it works,