On Thu, Jun 20, 2002 at 11:58:10PM -0700, Terry Lambert wrote:
...
> > in fact there is an ipfw rule which does just this:
> >
> > ipfw add allow ip from any to any limit src-addr 5
> >
> > and here you go...
>
> Can this be done per port? This is what both the FTP and the inetd
> modification movements have been about...
ipfw add allow ip from any to any limit src-addr src-port 5
(you can select a subset of the src-addr src-port dst-addr dst-port
as the match mask to determine if connections belong to
the same group. With the new ipfw code that I have posted it
should be trivial to extend the match mask to use real
bitmasks (so you can limit per-subnet, per port ranges, etc etc.)
BTW in terms of implementation efficiency: this limit thing
uses the same hash table used by dynamic ipfw rules.
There is currently an (arbitrary) limit of a total of 1000
dynamic entries in the table, but no reason not to raise it
much higher if you have memory.
cheers
luigi
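Added example, not code from the thread or from ipfw itself: a small model of the `limit` matching Luigi describes. Each rule groups live connections by the chosen subset of src-addr/src-port/dst-addr/dst-port, admits at most N per group, and shares one global cap on dynamic entries (the 1000 mentioned above; the field names, the `dst-port` mask used for the per-service case, and the sample flows are my own choices).

```python
# Added example, not code from the thread: a model of the ipfw "limit"
# matching described above. A rule keeps one group per distinct value of
# the selected mask fields and admits at most N live connections per group,
# with a global cap on dynamic entries (1000 in the thread).
from dataclasses import dataclass, field

FIELDS = ("src-addr", "src-port", "dst-addr", "dst-port")


def conn(src_addr, src_port, dst_addr, dst_port):
    """A connection 4-tuple keyed by the ipfw mask field names."""
    return dict(zip(FIELDS, (src_addr, src_port, dst_addr, dst_port)))


@dataclass
class LimitRule:
    mask: tuple            # subset of FIELDS, e.g. ("src-addr",)
    limit: int             # max simultaneous connections per group
    dyn_max: int = 1000    # global dynamic-entry cap (assumed default)
    groups: dict = field(default_factory=dict)  # mask key -> live 4-tuples

    def key(self, c):
        assert set(self.mask) <= set(FIELDS)
        return tuple(c[f] for f in self.mask)

    def live_entries(self):
        return sum(len(s) for s in self.groups.values())

    def admit(self, c):
        """True if the new connection fits under the limit (and record it)."""
        if self.live_entries() >= self.dyn_max:
            return False           # table full: no new dynamic entry possible
        live = self.groups.setdefault(self.key(c), set())
        if len(live) >= self.limit:
            return False           # this group already has N live connections
        live.add(tuple(c.values()))
        return True

    def close(self, c):
        """Remove the dynamic entry when the connection ends, freeing a slot."""
        self.groups.get(self.key(c), set()).discard(tuple(c.values()))


def demo():
    # Constructed sample: one client opens six connections to port 21,
    # then one to port 22. Compare "limit src-addr 5" with a mask that
    # also includes dst-port, which limits per client *and* per service.
    flows = [conn("10.0.0.7", 40000 + i, "192.0.2.1", 21) for i in range(6)]
    flows.append(conn("10.0.0.7", 40006, "192.0.2.1", 22))
    per_addr = LimitRule(("src-addr",), 5)
    per_addr_svc = LimitRule(("src-addr", "dst-port"), 5)
    return ([per_addr.admit(f) for f in flows],
            [per_addr_svc.admit(f) for f in flows])
```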
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message