With ipfw1 on 4.8 I use this:

ipfw add 10 check-state
ipfw add 20 allow tcp from xxx.xxx.xxx.0/24 to any keep-state limit src-addr 10

to provide stateful firewalling, and limit the number of simultaneous
tcp sessions to 10 per client.  Seems to work great.

On 4.8 I tried ipfw2

(kernel with options IPFW2 and rebuilt ipfw and libalias with -DIPFW2
as instructed in "man ipfw")

When I tried ipfw2, as I wanted keepalives, I got an error
when I ran "ipfw":

  only one of keep-state and limit is allowed

How can I do both the stateful firewalling and limit
the simultaneous sessions, with ipfw2 ?



ps. As an aside,  I also patch /usr/src/sys/netinet/ip_fw.c to
be more verbose when it drops a session...

--- ip_fw.c     Sun Sep 14 15:33:16 2003
+++ ip_fw.old   Sun Sep 14 15:31:10 2003
@@ -999,9 +999,7 @@
                if (fw_verbose && last_log != time_second) {
                        last_log = time_second;
                        log(LOG_SECURITY | LOG_DEBUG,
-                           "drop session 0x%08x %u -> 0x%08x %u, TOO many entries
-                      (args->f_id.src_ip), (args->f_id.src_port),
-       (args->f_id.dst_ip), (args->f_id.dst_port));
+                           "drop session, too many entries\n");
                return 1;
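Review bot: the hunk is reversed: the headers read `--- ip_fw.c` (the 15:33 copy, i.e. the patched file) and `+++ ip_fw.old`, so the `-` lines are actually the change being proposed and the `+` line is the stock code; regenerate it with `diff -u ip_fw.old ip_fw.c` so the new format string shows up as `+` lines. As posted, the new format string `"drop session 0x%08x %u -> 0x%08x %u, TOO many entries` has no closing `\n"` before the argument list (compare the stock `"drop session, too many entries\n"`), so either the mail wrapped it or the source will not compile. Also note that the surrounding `if (fw_verbose && last_log != time_second)` gate still limits this to one line per second, so the per-client address and ports will only be a sample of the rejected sessions, not a full record; a comment to that effect next to the log call would save the next reader from reading the log as a complete count.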

Bruce Campbell
Engineering Computing
University of Waterloo
(519)888-4567 ext 5889

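The verbose "drop session" line from the patch above is only useful if something consumes it. The following is an added example, not code from this post or from FreeBSD: a small POSIX sh parser that turns those lines back into dotted-quad addresses and counts drops per client, so the sources that keep hitting the per-address session limit stand out. It assumes each address is printed as a single host-order 32-bit value in hex, as the `0x%08x` in the patched format string suggests, and the syslog lines embedded in it are constructed for the example, not a real capture.

```shell
#!/bin/sh
# Added example: parse the "drop session" lines emitted by the verbose
# ipfw patch and count drops per client address.  Not code from the
# post or from FreeBSD.  Assumes each address is printed as one
# host-order 32-bit value in hex (0x%08x), as the patched format does.

# Constructed sample syslog lines (not a real capture); the last line is
# an unrelated ipfw message that the parser must ignore.
SAMPLE_LOG='Sep 14 15:40:01 gw /kernel: drop session 0x0a000005 34567 -> 0xc0a80101 80, TOO many entries
Sep 14 15:40:02 gw /kernel: drop session 0x0a000005 34568 -> 0xc0a80101 443, TOO many entries
Sep 14 15:40:02 gw /kernel: drop session 0x0a000007 51000 -> 0xc0a80102 22, TOO many entries
Sep 14 15:40:03 gw /kernel: drop session 0x0a000005 34569 -> 0xc0a80101 80, TOO many entries
Sep 14 15:40:04 gw /kernel: ipfw: 20 Accept TCP 10.0.0.9:1234 192.168.1.1:80 in via fxp0'

# hex2ip 0xc0a80101 -> 192.168.1.1 (host-order value, high octet first)
hex2ip() {
    n=$(($1))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# stdin: syslog lines.  stdout: one "src:port -> dst:port" line per
# drop record; lines that are not "drop session" records are skipped.
parse_drops() {
    sed -n 's/.*drop session \(0x[0-9a-fA-F]*\) \([0-9]*\) -> \(0x[0-9a-fA-F]*\) \([0-9]*\),.*/\1 \2 \3 \4/p' |
    while read -r shex sport dhex dport; do
        echo "$(hex2ip "$shex"):$sport -> $(hex2ip "$dhex"):$dport"
    done
}

# stdin: syslog lines.  stdout: "src-ip count", busiest source first.
count_drops_by_src() {
    parse_drops | cut -d: -f1 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# stdin: syslog lines.  stdout: sources with at least $1 drops, i.e. the
# clients that repeatedly hit the per-source session limit.
sources_over() {
    count_drops_by_src | awk -v t="$1" '$2 >= t { print $1 }'
}

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | count_drops_by_src
#   grep 'drop session' /var/log/security | sources_over 50
```

Because the kernel code above only logs when `last_log != time_second`, at most one drop per second reaches syslog, so these counts are a lower bound on how often a client actually tripped the limit, not an exact figure.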