On 5/1/14, 12:02 AM, bycn82 wrote:
On 4/30/14 23:45, Freddie Cash wrote:
On Wed, Apr 30, 2014 at 8:31 AM, bycn82 <[email protected]> wrote:

    On 4/30/14 23:01, Julian Elischer wrote:

        On 4/30/14, 8:52 PM, bycn82 wrote:

            Hi

            `packet per second` is easy to implement using
            iptables, there is a module named `recent`, but using
            ipfw, do we have any solution to fulfill it? Check the
            link below
https://forums.freebsd.org/viewtopic.php?f=44&t=42933&p=258441#p258441


        Since I don't use Linux.. what is "packet per second"?.. does
        it report it or set a limit on it?


             bycn82

            _______________________________________________
            [email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
            To unsubscribe, send any mail to
            "[email protected]"




    Yes, "Packets Per Second" means limiting a connection based on the
    number of packets, for example, if I allow 2 ICMP packets to come to my
    server in each individual second, only the first 2 packets will
    be allowed, all others in the same second will be dropped.


For ICMP, specifically, there's a sysctl to control the rate (per second):

# sysctl -d net.inet.icmp.icmplim
net.inet.icmp.icmplim: Maximum number of ICMP responses per second


For everything else, you'd want to use dummynet(4).

--
Freddie Cash
[email protected]
Thanks for your reply, and it is good to know the sysctl for ICMP.

Finally it works. I just added a new `action` in the firewall and it is called `pps`, which means it can be generic purpose, while net.inet.icmp.icmplim is only for ICMP traffic.

You probably should be using the dummynet extension to ipfw to do this,
but post your changes to a FreeBSD bug report anyhow so we can keep it somewhere. I doubt it would be needed in general as dummynet gives you so much more control and is, I think, a superset. Don't forget to add a patch for the man page.... a patch with no man page change would never be accepted.

The usage will be like below:

root@F10:/usr/src/sbin/ipfw # ./ipfw add pps 1 icmp from any to any
00100 pps 1 icmp from any to any
root@F10:/usr/src/sbin/ipfw # ./ipfw show
00100     9     540 pps 1 icmp from any to any
65535 13319 1958894 allow ip from any to any
root@F10:/usr/src/sbin/ipfw #

regards,
bycn82

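To make the per-second semantics bycn82 describes concrete (with a limit of N, only the first N packets matching the rule in a given second pass, the rest of that second's packets are dropped), here is a small Python model added for this page. It is not the ipfw `pps` patch, not dummynet and not FreeBSD code; the packet arrival times are constructed. The model also exposes a caveat a defender should keep in mind when relying on a fixed per-second window: a burst that straddles a second boundary can get up to 2 x N packets through in well under one second, which is one reason dummynet's token-bucket style shaping is the more general tool.

```python
"""
Fixed-window packets-per-second (pps) limiter, modelled on the behaviour
described in the thread: with a limit of N, only the first N packets
matching the rule in each wall-clock second pass; every later packet in
that same second is dropped.  Illustration code written for this page,
not the ipfw `pps` patch and not FreeBSD code.
"""
import math


class PpsLimiter:
    """Per-rule fixed-window counter: at most `limit` packets per second."""

    def __init__(self, limit: int) -> None:
        if limit < 1:
            raise ValueError("limit must be at least 1")
        self.limit = limit
        self._window = None   # integer second currently being counted
        self._seen = 0        # packets counted in that second

    def admit(self, ts: float) -> bool:
        """Return True if a packet arriving at time `ts` (seconds) passes."""
        sec = math.floor(ts)
        if sec != self._window:      # first packet of a new second: reset
            self._window, self._seen = sec, 0
        self._seen += 1
        return self._seen <= self.limit


def simulate(limit: int, timestamps: list[float]) -> list[bool]:
    """Run a packet trace (arrival times in seconds) through one pps rule."""
    rule = PpsLimiter(limit)
    return [rule.admit(ts) for ts in timestamps]


def max_passed_in_any_second(timestamps: list[float], passed: list[bool]) -> int:
    """Largest number of admitted packets inside any sliding 1 s window.

    Exposes the fixed-window caveat: a burst that straddles a second
    boundary can get up to 2 * limit packets through in under a second.
    """
    admitted = [t for t, ok in zip(timestamps, passed) if ok]
    best = 0
    for start in admitted:
        best = max(best, sum(1 for t in admitted if start <= t < start + 1.0))
    return best


# Constructed ICMP arrival trace (seconds); not captured from a real host.
ICMP_TRACE = [0.10, 0.20, 0.30, 0.95, 1.05, 1.10, 1.90]
# Constructed burst that straddles the 1 s boundary.
BOUNDARY_BURST = [0.80, 0.90, 1.00, 1.10]

if __name__ == "__main__":
    verdicts = simulate(2, ICMP_TRACE)
    for ts, ok in zip(ICMP_TRACE, verdicts):
        print(f"t={ts:4.2f}s  {'allow' if ok else 'drop '}")
    burst = simulate(2, BOUNDARY_BURST)
    print("admitted within one sliding second:",
          max_passed_in_any_second(BOUNDARY_BURST, burst))
```

With a limit of 2, the constructed trace yields allow, allow, drop, drop for the packets in second 0 and allow, allow, drop for second 1, exactly the "first 2 per second" behaviour described above; the boundary burst shows all four packets admitted within 0.3 s because the counter resets at the whole-second mark.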