Re: One OR MORE of source and destination addresses?

2004-08-03 Thread Mark
Mark wrote: The goal is simple: I want to limit connections to port 25 to 32 in total, targeted at me. And of those 32, only 4 per source. Like so: ipfw add 1 check-state ... ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32 ipfw add 12 allow tcp from any to me 25 setup limit

Re: One OR MORE of source and destination addresses?

2004-08-03 Thread Bill Moran
Mark [EMAIL PROTECTED] wrote: Mark wrote: The goal is simple: I want to limit connections to port 25 to 32 in total, targeted at me. And of those 32, only 4 per source. Like so: ipfw add 1 check-state ... ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32 ipfw add 12

SOLVED! Re: One OR MORE of source and destination addresses?

2004-08-03 Thread Mark
Bill Moran wrote: Mark wrote: The goal is simple: I want to limit connections to port 25 to 32 in total, targeted at me. And of those 32, only 4 per source. Like so: ipfw add 1 check-state ... ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32 ipfw add 12 allow tcp from

Re: One OR MORE of source and destination addresses?

2004-08-03 Thread Mark
Bill Moran wrote: How about using skipto instead of allow? Thus, if it passes the first one, it can just skipto the next rule to be checked. i.e.: ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32 ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4 Thus, if

Re: One OR MORE of source and destination addresses?

2004-08-03 Thread Mark
Mark wrote: Bill Moran wrote: How about using skipto instead of allow? Thus, if it passes the first one, it can just skipto the next rule to be checked. i.e.: ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32 ipfw add 12 allow tcp from any to me 25 setup limit src-addr

RE: One OR MORE of source and destination addresses?

2004-08-03 Thread Ralph Hempel
I just took a look at the code: if (q != NULL) { /* should never occur */ if (last_log != time_second) { last_log = time_second; printf("ipfw: install_state: entry already present, done\n"); } return 0; } What if I just hack the printf ... line out of there? Would that

Re: One OR MORE of source and destination addresses?

2004-08-03 Thread Bill Moran
Mark [EMAIL PROTECTED] wrote: Mark wrote: Bill Moran wrote: How about using skipto instead of allow? Thus, if it passes the first one, it can just skipto the next rule to be checked. i.e.: ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32 ipfw add 12 allow tcp

Re: One OR MORE of source and destination addresses?

2004-08-03 Thread Bill Moran
Ralph Hempel [EMAIL PROTECTED] wrote: I just took a look at the code: if (q != NULL) { /* should never occur */ if (last_log != time_second) { last_log = time_second; printf("ipfw: install_state: entry already present, done\n"); } return 0; } What if I just

RE: One OR MORE of source and destination addresses?

2004-08-03 Thread Ralph Hempel
Bill, Thanks for the feedback. I've been programming embedded systems for almost 20 years, so I have a natural aversion to apparently simple changes that make things work :-) The nicest high-level code I've ever seen in the source to Tcl - if only all code looked like that. I've been playing

Re: One OR MORE of source and destination addresses?

2004-08-03 Thread Mark
Bill Moran wrote: My whole console is flooded with messages like these: ipfw: install_state: entry already present, done Is there a known patch? I just took a look at the code: if (q != NULL) { /* should never occur */ if (last_log != time_second) { last_log = time_second;

One OR MORE of source and destination addresses?

2004-08-02 Thread Mark
Color me confused. The ipfw manual says: limit {src-addr | src-port | dst-addr | dst-port} N The firewall will only allow N connections with the same set of parameters as specified in the rule. One or more of source and destination addresses and ports can be specified. If One or

RE: One OR MORE of source and destination addresses?

2004-08-02 Thread JJB
Like the manual says, you can not code both options on single rule. You have to make 2 rules out of it. state ipfw add allow tcp from any to me 25 setup limit dst-addr 32 state ipfw add allow tcp from any to me 25 setup limit src-addr 8 -Original Message- From: [EMAIL PROTECTED]

Re: One OR MORE of source and destination addresses?

2004-08-02 Thread Mark
Mark wrote: Color me confused. The ipfw manual says: limit {src-addr | src-port | dst-addr | dst-port} N The firewall will only allow N connections with the same set of parameters as specified in the rule. One or more of source and destination addresses and ports can be specified. If

Re: One OR MORE of source and destination addresses?

2004-08-02 Thread Mark
[my apologies for the resent; my last reply had an unfortunate wrap] Mark wrote: Color me confused. The ipfw manual says: limit {src-addr | src-port | dst-addr | dst-port} N The firewall will only allow N connections with the same set of parameters as specified in the rule. One

Re: One OR MORE of source and destination addresses?

2004-08-02 Thread Mark
JJB wrote: Your rules are all wrong. You really need to reread the ipfw manual page info. Only one check-state rule is used. Your other check-state rule is never matched. Ok, I got a check-state too many. To get meaningful replies you have to post complete information about your system