On Thu, Jun 20, 2002 at 11:58:10PM -0700, Terry Lambert wrote:
...
> > in fact there is an ipfw rule which does just this:
> >
> > ipfw add allow ip from any to any limit src-addr 5
> >
> > and here you go...
>
> Can this be done per port? This is what both the FTP and the inetd
> modification movements have been about...
ipfw add allow ip from any to any limit src-addr src-port 5

You can select a subset of the src-addr src-port dst-addr dst-port as the
match mask to determine if connections belong to the same group. With the
new ipfw code that I have posted it should be trivial to extend the match
mask to use real bitmasks (so you can limit per-subnet, per port ranges,
etc etc.)

BTW in terms of implementation efficiency: this limit thing uses the same
hash table used by dynamic ipfw rules. There is currently an (arbitrary)
limit of a total of 1000 dynamic entries in the table, but no reason not
to raise it much higher if you have memory.

cheers
luigi

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
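A small Python model of the grouping described in the reply above, added here as an illustration. It is not ipfw's code: the Flow and LimitRule names, the table_max argument and the sample 4-tuples are all made up for the example. It shows why the fields named in the mask decide what "the same group" means: with `limit src-addr 5` a client's sixth connection is refused whatever port it is for, while with `limit src-addr dst-port 5` the cap applies per client per destination port. It also models the shared dynamic table with a ceiling, so that once the table is full even a brand-new group is refused until an entry is released.

```python
"""Toy model of how an ipfw ``limit`` rule groups connections.

Illustration only, not ipfw's code. A rule such as ``limit src-addr dst-port 5``
picks a subset of the (src-addr, src-port, dst-addr, dst-port) tuple as a match
mask; a new connection is accepted only while fewer than N live connections
share the same masked values, and every accepted connection occupies one entry
in the dynamic-rule table, which has its own ceiling (1000 in the post).
"""
from collections import defaultdict
from dataclasses import dataclass

MASK_FIELDS = ("src-addr", "src-port", "dst-addr", "dst-port")


@dataclass(frozen=True)
class Flow:
    """One connection attempt, identified by its 4-tuple (constructed input)."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int

    def group_key(self, mask):
        # Keep only the fields named in the rule's mask, in canonical order,
        # so connections that agree on those fields fall into the same group.
        return tuple(getattr(self, f.replace("-", "_"))
                     for f in MASK_FIELDS if f in mask)


class LimitRule:
    """Model of ``allow ... limit <mask> N`` backed by a bounded dynamic table."""

    def __init__(self, mask, count, table_max=1000):
        bad = set(mask) - set(MASK_FIELDS)
        if bad or not mask:
            raise ValueError(f"mask must be a non-empty subset of {MASK_FIELDS}, got {mask!r}")
        self.mask = frozenset(mask)
        self.count = count
        self.table_max = table_max          # ceiling on dynamic entries (hypothetical knob)
        self.groups = defaultdict(int)      # masked tuple -> live connections in that group
        self.table_used = 0                 # dynamic entries currently in use

    def new_connection(self, flow):
        """Return True if the connection is accepted and a state entry is created."""
        key = flow.group_key(self.mask)
        if self.groups[key] >= self.count:      # group already holds N live connections
            return False
        if self.table_used >= self.table_max:   # shared dynamic table is full
            return False
        self.groups[key] += 1
        self.table_used += 1
        return True

    def close_connection(self, flow):
        """Release the state entry held by a previously accepted connection."""
        key = flow.group_key(self.mask)
        if self.groups[key] > 0:
            self.groups[key] -= 1
            self.table_used -= 1


def demo():
    """Run the same constructed traffic against two masks; returns {mask: [accepted, ...]}."""
    # Constructed sample: one client opens six connections to ftp (21), then one
    # to http (80); a second client then tries ftp once.
    attempts = [Flow("10.0.0.1", 40000 + i, "192.0.2.10", 21) for i in range(6)]
    attempts.append(Flow("10.0.0.1", 40006, "192.0.2.10", 80))
    attempts.append(Flow("10.0.0.2", 40000, "192.0.2.10", 21))
    results = {}
    for mask in (("src-addr",), ("src-addr", "dst-port")):
        rule = LimitRule(mask, 5)
        results[mask] = [rule.new_connection(f) for f in attempts]
    return results


if __name__ == "__main__":
    for mask, accepted in demo().items():
        print("limit", " ".join(mask), "5 ->", accepted)
```

Running it shows the sixth ftp connection refused under both masks, the http connection refused only under `src-addr`, and the second client accepted either way; shrinking table_max shows the table ceiling refusing new groups independently of the per-group count.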