Re: pf max-src-conn states
On 12.11-19:11, Henning Brauer wrote:
[ ... ]
> > 1. Trying to use 'max-src-conn 1' to limit service to one
> > connection per host (with overload table), but when I disconnect and
> > reconnect I get blocked. Should this state expire when
> > correctly closed, allowing a second connection, or is the timeout
> > needed?
>
> there is always a 2*MSL timeout - any better book covering TCP/IP
> basics should give you the plethora of reasons.

Thanks. Will re-test and check.

-- 
t t w
Re: pf max-src-conn states
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-11-12 15:14]:
> Two questions relating to the above:
>
> 1. Trying to use 'max-src-conn 1' to limit service to one
> connection per host (with overload table), but when I disconnect and
> reconnect I get blocked. Should this state expire when
> correctly closed, allowing a second connection, or is the timeout
> needed?

there is always a 2*MSL timeout - any better book covering TCP/IP
basics should give you the plethora of reasons.

> 2. Is source-track required for the above? I can't decipher the
> relationship. Current confusion is "does source-track turn 'max'
> into a per-IP match, or simply allow the per-IP functions to operate?"

it makes use of source tracking, yes, but you don't need to manually
enable anything.

> NB: not sure the service is closing the connection correctly, which
> may be causing the timeout issue.

that would extend the timeout a lot.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
pf max-src-conn states
Two questions relating to the above:

1. Trying to use 'max-src-conn 1' to limit service to one connection per
host (with overload table), but when I disconnect and reconnect I get
blocked. Should this state expire when correctly closed, allowing a second
connection, or is the timeout needed?

2. Is source-track required for the above? I can't decipher the
relationship. Current confusion is "does source-track turn 'max' into a
per-IP match, or simply allow the per-IP functions to operate?"

NB: not sure the service is closing the connection correctly, which may be
causing the timeout issue.
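A pf.conf rule set of the kind the original post describes, with the points from Henning's reply written out beside the rules. This is an added example, not configuration posted in the thread; the interface macro, port, table name, the 192.0.2.10 test address and the shortened timeout values are assumptions chosen for illustration. The default timeout values quoted in the comments are the ones documented in pf.conf(5).

```pf
# Added example (not from the thread). Interface, port, table name and
# the timeout values below are assumptions.
ext_if = "em0"

table <bruteforce> persist

# A source already in the table is dropped before the pass rule is consulted.
block in quick on $ext_if from <bruteforce>

# At most one TCP connection per source that has completed the 3-way
# handshake. max-src-conn makes pf keep a source-tracking entry for each
# client on its own; no explicit "source-track" keyword is needed, which is
# the second question in the thread. A source that exceeds the limit is
# added to <bruteforce>, and "flush global" also kills its existing states.
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn 1, overload <bruteforce> flush global)

# Why a reconnect right after a clean close still trips the limit: the
# per-source count is released when the state is removed, not when the
# socket closes. After FIN/FIN/ACK the state sits in CLOSED until the
# tcp.closed timeout expires (default 90 s); a half-closed connection waits
# on tcp.finwait (default 45 s); a connection the service never closes at
# all stays at tcp.established (default 86400 s), which is the "extend the
# timeout a lot" case in the reply. Shortening the post-close timeouts
# narrows the window without changing the connection limit itself:
set timeout { tcp.finwait 10, tcp.closed 10 }

# Checks to run as root while reproducing the problem:
#   pfctl -s states        # is the old state still present, and in which TCP state?
#   pfctl -s Sources       # per-source tracking entries and their connection counts
#   pfctl -s timeouts      # the timeouts actually in effect
#   pfctl -t bruteforce -T show               # sources that have been overloaded
#   pfctl -t bruteforce -T delete 192.0.2.10  # release the test client again
```

Reading `pfctl -s states` immediately after a clean disconnect should show the old entry in a CLOSED-type state rather than gone; once it ages out, `pfctl -s Sources` no longer counts a connection for that address and the next connect passes without touching the overload table.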