Mark wrote:
The goal is simple: I want to limit connections to port 25 to 32 in
total, targeted at me. And of those 32, only 4 per source. Like so:
ipfw add 1 check-state
...
ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp from any to me 25 setup limit
Mark [EMAIL PROTECTED] wrote:
Mark wrote:
The goal is simple: I want to limit connections to port 25 to 32 in
total, targeted at me. And of those 32, only 4 per source. Like so:
ipfw add 1 check-state
...
ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
ipfw add 12
Bill Moran wrote:
Mark wrote:
The goal is simple: I want to limit connections to port 25 to 32 in
total, targeted at me. And of those 32, only 4 per source. Like
so:
ipfw add 1 check-state
...
ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp from
Bill Moran wrote:
How about using skipto instead of allow? Thus, if it passes the
first one, it can just skipto the next rule to be checked. i.e.:
ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
Thus, if
Mark wrote:
Bill Moran wrote:
How about using skipto instead of allow? Thus, if it passes the
first one, it can just skipto the next rule to be checked. i.e.:
ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp from any to me 25 setup limit src-addr
I just took a look at the code:
if (q != NULL) { /* should never occur */
    if (last_log != time_second) {
        last_log = time_second;
        printf("ipfw: install_state: entry already present, done\n");
    }
    return 0;
}
What if I just hack the printf ... line out of there? Would that
Mark [EMAIL PROTECTED] wrote:
Mark wrote:
Bill Moran wrote:
How about using skipto instead of allow? Thus, if it passes the
first one, it can just skipto the next rule to be checked. i.e.:
ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp
Ralph Hempel [EMAIL PROTECTED] wrote:
I just took a look at the code:
if (q != NULL) { /* should never occur */
    if (last_log != time_second) {
        last_log = time_second;
        printf("ipfw: install_state: entry already present, done\n");
    }
    return 0;
}
What if I just
Bill,
Thanks for the feedback. I've been programming embedded systems
for almost 20 years, so I have a natural aversion to apparently
simple changes that make things work :-)
The nicest high-level code I've ever seen is in the source to Tcl - if
only all code looked like that.
I've been playing
Bill Moran wrote:
My whole console is flooded with messages like these:
ipfw: install_state: entry already present, done
Is there a known patch?
I just took a look at the code:
if (q != NULL) { /* should never occur */
if (last_log != time_second) {
last_log = time_second;
Like the manual says, you cannot code both options on a single rule.
You have to make 2 rules out of it.
state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
state ipfw add allow tcp from any to me 25 setup limit src-addr 8
-Original Message-
From: [EMAIL PROTECTED]
Mark wrote:
Color me confused. The ipfw manual says:
limit {src-addr | src-port | dst-addr | dst-port} N
The firewall will only allow N connections with the same set of
parameters as specified in the rule. One or more of source and
destination addresses and ports can be specified.
If
[my apologies for the resent; my last reply had an unfortunate wrap]
Mark wrote:
Color me confused. The ipfw manual says:
limit {src-addr | src-port | dst-addr | dst-port} N
The firewall will only allow N connections with the same set of
parameters as specified in the rule. One
JJB wrote:
Your rules are all wrong. You really need to reread the ipfw manual
page info. Only one check-state rule is used. Your other check-state
rule is never matched.
Ok, I got a check-state too many.
To get meaningful replies you have to post complete information
about your system