Andre Santos wrote:
On 2/18/07, admin <[EMAIL PROTECTED]> wrote:

Hi, I'm trying to use ipfw's limit clause to limit the number of
connections a single IP can have at the same time in a transparent
web-proxy environment:

00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port
80 in via if0 setup limit src-addr 10
00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
... the rest fwd...

As I understand the manpage, when the current number of connections is
below 10, the action "skipto" is performed; otherwise the packet is dropped
and the search terminates. But...

the problem is that the src-addr limit is not enforced as some clients
somehow open a huge number (3-5 times the prescribed value) of
www-connections to some single address Out There, forcing you to bump up
certain sysctl variables (such as kern.ipc.nmbclusters,
kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be
going on? Is ipfw broken, or am I misusing it?

OS: FreeBSD 6.2


The following command worked here (6.2-RC1). Only one connection was
allowed to 1.2.3.4.
# ipfw add 1 allow tcp from any to 1.2.3.4 22 out via rl1 limit dst-addr 1

Use the command "ipfw -d show" to see what connections are matching
your dynamic rules.


# ipfw -d show | fgrep x.x.x.x | wc -l
20
$ netstat -na|fgrep x.x.x.x|fgrep ESTABLISHED|wc -l
113

Why is it that only 20 connections have been accounted for by ipfw's dynamic rules but there are actually 113 active connections from that IP at the moment? The limit src-addr is 75.
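An added diagnostic script, not part of this thread, for the comparison made above: it counts ESTABLISHED sessions per client from `netstat -na` and dynamic entries per source from `ipfw -d show`, then prints which clients exceed the intended `limit src-addr` value and how many of their live sessions ipfw is not tracking at all. The addresses and both command outputs below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): compare per-client ESTABLISHED
# TCP sessions (netstat -na) with ipfw dynamic-rule entries (ipfw -d show).
# Both inputs are CONSTRUCTED; on a real box feed in the real output.
NETSTAT_OUT=$(mktemp)
IPFW_OUT=$(mktemp)
trap 'rm -f "$NETSTAT_OUT" "$IPFW_OUT"' EXIT

# Constructed netstat -na: client 10.0.0.5 has 4 ESTABLISHED sessions to
# the transparent proxy (192.0.2.1:8080), client 10.0.0.6 has 1.
cat > "$NETSTAT_OUT" <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.1.8080         10.0.0.5.51234         ESTABLISHED
tcp4       0      0  192.0.2.1.8080         10.0.0.5.51235         ESTABLISHED
tcp4       0      0  192.0.2.1.8080         10.0.0.5.51236         ESTABLISHED
tcp4       0      0  192.0.2.1.8080         10.0.0.5.51237         ESTABLISHED
tcp4       0      0  192.0.2.1.8080         10.0.0.5.51238         TIME_WAIT
tcp4       0      0  192.0.2.1.8080         10.0.0.6.40001         ESTABLISHED
udp4       0      0  *.53                   *.*
EOF

# Constructed ipfw -d show: only 2 of the 4 sessions from 10.0.0.5 have a
# dynamic entry, which is the kind of gap the thread is asking about.
cat > "$IPFW_OUT" <<'EOF'
00350 skipto 401 tcp from 10.0.0.0/24 to any dst-port 80 in via if0 setup limit src-addr 3
## Dynamic rules (3):
00350    12     1480 (5s) LIMIT tcp 10.0.0.5 51234 <-> 203.0.113.9 80
00350     9      1120 (5s) LIMIT tcp 10.0.0.5 51235 <-> 203.0.113.9 80
00350     3       240 (5s) LIMIT tcp 10.0.0.6 40001 <-> 203.0.113.7 80
EOF

# ESTABLISHED TCP sessions per client: foreign address ($5) minus ".port".
established_per_client() {
  awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" { c = $5; sub(/\.[0-9]+$/, "", c); n[c]++ }
       END { for (c in n) print c, n[c] }' "$1" | sort
}

# ipfw dynamic entries per source: the address two fields before "<->".
dynamic_per_source() {
  awk '{ for (i = 3; i <= NF; i++) if ($i == "<->") n[$(i-2)]++ }
       END { for (s in n) print s, n[s] }' "$1" | sort
}

# Print "client established tracked verdict": OVER when live sessions exceed
# the limit ($3), plus how many sessions have no dynamic entry at all.
compare_to_limit() {   # $1 netstat file, $2 ipfw file, $3 limit
  dyn="$2.dyn"; est="$1.est"
  dynamic_per_source "$2" > "$dyn"; established_per_client "$1" > "$est"
  awk -v lim="$3" 'isdyn { dyn[$1] = $2; next }
       { t = ($1 in dyn) ? dyn[$1] : 0; v = ($2 > lim) ? "OVER" : "ok"
         if ($2 > t) v = v " untracked=" ($2 - t)
         print $1, $2, t, v }' isdyn=1 "$dyn" isdyn=0 "$est"
  rm -f "$dyn" "$est"
}

compare_to_limit "$NETSTAT_OUT" "$IPFW_OUT" 3
```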
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"