admin wrote in msgid: <[EMAIL PROTECTED]> > Hi, I'm trying to use ipfw's limit clause to limit the number of > connections a single IP can have at the same time in a transparent > web-proxy environment: > > 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port > 80 in via if0 setup limit src-addr 10 > 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80 > ... the rest fwd... > > as I understand the manpage, when the current number of connectiions is > below 10, the action "skipto" is performed, else, the packet is dropped > and the search terminates. But... > > the problem is that the src-addr limit is not enforced as some clients > somehow open a huge number (3-5 times the prescribed value) of > www-connections to some single address Out There, forcing you to bump up > certain sysctl variables (such as kern.ipc.nmbclusters, > kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be > going on? Is ipfw broken, or am I misusing it? > > OS: FreeBSD 6.2
I tested ipfw with the "limit" option and it works just fine. I can open only one http connection from "22.214.171.124" and hangs on opening a second one with an error in the logfile. rule: # add 03000 allow log logamount 50 tcp from any to any dst-port 80 in limit dst-addr 1 My logfile: Feb 18 16:16:57 jeremino kernel: ipfw: 3000 Accept TCP 126.96.36.199:3626 10.0.0.6:80 in via dc1 Feb 18 16:16:58 jeremino kernel: drop session, too many entries _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"