With ipfw1 on 4.8 I use this:

ipfw add 10 check-state
ipfw add 20 allow tcp from xxx.xxx.xxx.0/24 to any keep-state limit src-addr 10

to provide stateful firewalling, and limit the number of simultaneous tcp sessions to 10 per client. Seems to work great.

On 4.8 I tried ipfw2 (kernel with options IPFW2 and rebuilt ipfw and libalias with -DIPFW2 as instructed in "man ipfw"). When I tried ipfw2, as I wanted keepalives, I get an error when I run "ipfw":

only one of keep-state and limit is allowed

How can I do both the stateful firewalling and limit the simultaneous sessions, with ipfw2?

Thanks

----

ps. As an aside, I also patch /usr/src/sys/netinet/ip_fw.c to be more verbose when it drops a session...

--- ip_fw.c	Sun Sep 14 15:33:16 2003
+++ ip_fw.old	Sun Sep 14 15:31:10 2003
@@ -999,9 +999,7 @@
 if (fw_verbose && last_log != time_second) {
 last_log = time_second;
 log(LOG_SECURITY | LOG_DEBUG,
- "drop session 0x%08x %u -> 0x%08x %u, TOO many entries \n",
- (args->f_id.src_ip), (args->f_id.src_port),
- (args->f_id.dst_ip), (args->f_id.dst_port));
+ "drop session, too many entries\n");
 }
 return 1;
 }

-- 
Bruce Campbell
Engineering Computing CPH-2374B
University of Waterloo
(519)888-4567 ext 5889

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
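Review bot: the diff is reversed relative to what the post describes: the `---` side is ip_fw.c with the newer timestamp (15:33:16) and the `+++` side is ip_fw.old (15:31:10), so the three-line verbose `log()` call the post says it adds appears on the `-` lines and the stock `"drop session, too many entries\n"` appears on the `+` line; fed to patch(1) as-is it would strip the verbose message from a tree that already has it. Regenerate it as `diff -u ip_fw.old ip_fw.c` so the verbose format string lands on the `+` side. A secondary point on the format string: `0x%08x` prints the addresses as raw hex words rather than dotted quads, so anyone reading the resulting syslog line has to convert them by hand before matching them against the client /24.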
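As an added illustration (this is not code from the post, nor from FreeBSD's ipfw), the Python model below shows what the two-rule set in the post does: rule 10 (check-state) passes packets that belong to a live dynamic rule, and rule 20 creates a dynamic rule for a new session unless the source address already holds N of them, in which case the packet is dropped and the verbose log line from the post's patch is emitted. The model creates state from the limit rule alone, which is also how a `limit` rule behaves in ipfw2 (it creates the dynamic rule itself, which is why ipfw2 rejects pairing it with `keep-state`). The client network, server address and traffic are constructed, and a session is released on a single FIN as a simplification; real ipfw expires dynamic rules by timeout.

```python
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet, reduced to the fields ipfw keys its dynamic rules on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fin: bool = False  # True marks the packet that closes the session (simplification)


def ip_hex(ip: str) -> int:
    """Render a dotted-quad address as the 32-bit integer the kernel log prints with 0x%08x."""
    return int.from_bytes(socket.inet_aton(ip), "big")


class LimitFirewall:
    """Toy model of 'check-state' followed by 'allow tcp from <net> to any limit src-addr N'."""

    def __init__(self, client_net: str, limit: int, verbose: bool = True):
        self.client_net = ipaddress.ip_network(client_net)
        self.limit = limit          # N in 'limit src-addr N'
        self.verbose = verbose      # stands in for the fw_verbose flag in the patch
        self.dynamic = set()        # live sessions, keyed by (src, sport, dst, dport)
        self.per_src = {}           # src_ip -> number of live sessions
        self.log = []               # what would reach syslog

    @staticmethod
    def _key(p: Packet):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def check_state(self, p: Packet) -> bool:
        """Rule 10: a packet belonging to a live dynamic rule is allowed outright."""
        k = self._key(p)
        if k not in self.dynamic:
            return False
        if p.fin:                   # session closed: release its slot for this source
            self.dynamic.remove(k)
            self.per_src[p.src_ip] -= 1
        return True

    def limit_rule(self, p: Packet) -> bool:
        """Rule 20: create a dynamic rule unless this source already holds N of them."""
        if ipaddress.ip_address(p.src_ip) not in self.client_net:
            return False            # does not match 'from <net>'; falls through to default deny
        if self.per_src.get(p.src_ip, 0) >= self.limit:
            if self.verbose:        # the verbose message the post's patch adds
                self.log.append(
                    "drop session 0x%08x %u -> 0x%08x %u, TOO many entries"
                    % (ip_hex(p.src_ip), p.src_port, ip_hex(p.dst_ip), p.dst_port))
            return False
        self.dynamic.add(self._key(p))
        self.per_src[p.src_ip] = self.per_src.get(p.src_ip, 0) + 1
        return True

    def accept(self, p: Packet) -> bool:
        """Walk the two-rule set in order: check-state first, then the limit rule."""
        return self.check_state(p) or self.limit_rule(p)


def demo():
    """Constructed traffic: one client in 10.0.0.0/24 opens 12 sessions; the limit is 10."""
    fw = LimitFirewall("10.0.0.0/24", limit=10)
    client, server = "10.0.0.5", "192.0.2.10"
    opened = [fw.accept(Packet(client, 40000 + i, server, 80)) for i in range(12)]
    # Closing one session frees a slot, so the next new session is accepted again.
    fw.accept(Packet(client, 40000, server, 80, fin=True))
    reopened = fw.accept(Packet(client, 40012, server, 80))
    # A host outside the client net never matches rule 20 and is denied without a log line.
    outsider = fw.accept(Packet("203.0.113.7", 5000, server, 80))
    return opened, reopened, outsider, fw.log


if __name__ == "__main__":
    opened, reopened, outsider, log = demo()
    print(opened.count(True), "accepted,", opened.count(False), "dropped")
    print("\n".join(log))
```

Running the demo shows the eleventh and twelfth sessions from 10.0.0.5 being dropped with the hex-address log line, and the thirteenth accepted once an earlier session has closed; the outsider is denied silently because the limit rule never matched it, which is exactly the case the verbose log does not cover.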