admin wrote:
> Wrong: the implied "check-state" done by the "limit" lets the connection
> through (i.e. performs the action) iff there's state recorded for it
> (src-addr+src-port+dst-addr+dst-port). If, however, it's an incoming SYN
> packet and the number of current states is about to cross the limit,
> the SYN packet is implicitly dropped and the search terminates.
> This is not to say that I completely understand what goes on when
> the connections start building up (different timeouts?), but the above
> conclusion is based on what simulation has shown. The whole ruleset fits
> on one screen and there's an "allow ip from any to any" at the end, so I'm
> pretty sure I'm not crazy :-)
One thing to keep in mind is that a 'check-state' rule works by effectively
jumping to the rule that did the 'keep-state' and re-executing it
(and incrementing its stats).
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
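The behaviour the two posters describe (implicit check-state on a 'limit' rule, state created on a matching SYN, an over-limit SYN dropped on the spot so the trailing "allow ip from any to any" never sees it, and a stateful hit re-executing and counting against the rule that created the state) can be modelled in a few dozen lines. The following is an added example written for this page, not ipfw source or anything posted in the thread; the classes 'Packet', 'Rule' and 'Firewall', the two-rule ruleset and the sample flows are all invented to show the behaviour on constructed input.

```python
"""Toy model of the ipfw 'limit' / 'check-state' semantics discussed above.

Added illustration, not ipfw source: every name here is invented, and the
ruleset modelled is the two-rule case from the thread:
    allow tcp from any to any setup limit src-addr 2
    allow ip  from any to any
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOW, DENY = "allow", "deny"
DEFAULT_RULE = 65535  # ipfw's implicit final deny


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP SYN (what 'setup' matches)


@dataclass
class Rule:
    number: int
    action: str
    setup: bool = False                          # match only SYN packets
    limit_key: Optional[Tuple[str, ...]] = None  # e.g. ("src",) for 'limit src-addr N'
    limit: int = 0
    hits: int = 0                                # the rule's packet counter

    def matches(self, pkt: Packet) -> bool:
        # Every modelled rule is 'from any to any'; only 'setup' narrows it.
        return pkt.syn or not self.setup


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        # dynamic state: (src, sport, dst, dport) -> (creating rule, limit-key value)
        self.states = {}

    def process(self, pkt: Packet):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # Implicit check-state: a flow with recorded state jumps back to the
        # rule that created the state, re-executes its action and bumps its counter.
        if flow in self.states:
            rule = self.states[flow][0]
            rule.hits += 1
            return rule.action, rule.number
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.limit_key is not None:
                key = tuple(getattr(pkt, f) for f in rule.limit_key)
                in_use = sum(1 for r, k in self.states.values() if r is rule and k == key)
                if in_use >= rule.limit:
                    # Limit reached: the SYN is discarded and the search stops
                    # here; the trailing 'allow ip from any to any' never sees it.
                    return DENY, rule.number
                self.states[flow] = (rule, key)
            rule.hits += 1
            return rule.action, rule.number
        return DENY, DEFAULT_RULE


def simulate():
    """Run constructed sample traffic through the two-rule set; return the
    per-packet (action, matching rule) verdicts and rule 100's hit counter."""
    fw = Firewall([
        Rule(100, ALLOW, setup=True, limit_key=("src",), limit=2),
        Rule(65000, ALLOW),
    ])
    verdicts = [
        fw.process(Packet("10.0.0.1", 1001, "10.0.0.9", 80, syn=True)),  # 1st state for 10.0.0.1
        fw.process(Packet("10.0.0.1", 1002, "10.0.0.9", 80, syn=True)),  # 2nd state, limit reached
        fw.process(Packet("10.0.0.1", 1003, "10.0.0.9", 80, syn=True)),  # 3rd SYN: dropped at rule 100
        fw.process(Packet("10.0.0.1", 1001, "10.0.0.9", 80)),            # data on flow 1: check-state hit
        fw.process(Packet("10.0.0.2", 1001, "10.0.0.9", 80, syn=True)),  # other src-addr, own count
        fw.process(Packet("10.0.0.1", 1003, "10.0.0.9", 80)),            # non-SYN, no state: falls to 65000
    ]
    return verdicts, fw.rules[0].hits


if __name__ == "__main__":
    for verdict in simulate()[0]:
        print(verdict)
```

The third packet shows the point of the thread: the over-limit SYN is answered with a deny by the limit rule itself, not passed on to the permissive catch-all. The last packet shows the flip side a practitioner should expect from such a ruleset: a non-SYN segment with no state does not match the 'setup' rule at all, so it falls through to the catch-all and is allowed.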