Bill Moran wrote:
>> Mark wrote:
>>
>>> The goal is simple: I want to limit connections to port 25 to 32 in
>>> total, targeted at "me". And of those 32, only 4 per source. Like
>>> so:
>>>
>>> ipfw add 1 check-state
>>> ...
>>> ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
>>> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>>>
>>> Please, tell me then how "all wrong" this is. Because I *still* get
>>> the impression that rule 12 is never reached. And, so far, "ipfw
>>> show" does, indeed, only show activity on rule 11.
>>
>> If at all possible, I would still like to hear a suggestion as to
>> how to combine the two rules. From my pov, the first "allow" in rule
>> 11 makes a packet pass, provided there are less than 32 connections
>> in total. Thus, rule 12 never gets invoked (which, indeed, seems to
>> be the case).
>
> How about using skipto instead of allow? Thus, if it passes the
> first one, it can just skipto the next rule to be checked. i.e.:
>
> ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>
> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
> reject as always. The end result is that a packet _must_ pass both
> rules to be allowed.
Thanks!! This does, indeed, exactly what I want. :)

- Mark

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
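The thread's point is ipfw's first-match semantics: an `allow ... limit` rule that matches terminates evaluation, so a second `limit` rule after it is dead code, while `skipto` installs the first rule's state and then continues at the second rule. The following toy model is an added example, not ipfw and not code from the list posters; it simulates only TCP setup (SYN) packets, per-rule dynamic-state counters and the `allow`/`deny`/`skipto` actions, with a constructed address standing in for `me`. It also exposes a caveat the model makes explicit in a comment: with `skipto`, a connection that passes rule 11 but is dropped at rule 12 has already had its rule-11 state installed, so it holds one of the 32 slots until that state expires (real ipfw ages out such half-open states on a short SYN timeout, which the model omits).

```python
"""Toy model of ipfw first-match evaluation with `limit` and `skipto`.

Added example, not ipfw itself. Only new-connection (setup) packets are
modelled, enough to show why two `allow ... limit` rules never combine and
why `skipto` makes both limits apply.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.25"  # constructed address standing in for ipfw's "me"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "allow", "deny" or "skipto"
    target: Optional[int] = None      # rule number to jump to for skipto
    limit_key: Optional[str] = None   # "src-addr" or "dst-addr"
    limit: Optional[int] = None       # max simultaneous states per key value


class ToyIpfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        # (rule number, key value) -> number of dynamic states held
        self.states = Counter()
        # rule number -> packets that reached the rule (what `ipfw show` counts)
        self.hits = Counter()

    @staticmethod
    def _key(rule, src, dst):
        return src if rule.limit_key == "src-addr" else dst

    def setup(self, src, dst=ME):
        """Evaluate one new connection attempt; return (verdict, rule number)."""
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            self.hits[rule.number] += 1
            if rule.limit is not None:
                key = (rule.number, self._key(rule, src, dst))
                if self.states[key] >= rule.limit:
                    # ipfw drops the packet when a limit is exhausted
                    return ("deny", rule.number)
                # the state is installed before the action runs, so a packet
                # that is later dropped by a following rule still holds this slot
                self.states[key] += 1
            if rule.action == "allow":
                return ("allow", rule.number)
            if rule.action == "deny":
                return ("deny", rule.number)
            # skipto: continue at the first rule numbered >= target
            i = next((j for j, r in enumerate(self.rules) if r.number >= rule.target),
                     len(self.rules))
        return ("deny", 65535)  # implicit default rule


# Mark's original ruleset: rule 12 can never be reached for a matching packet
ALLOW_ALLOW = [
    Rule(11, "allow", limit_key="dst-addr", limit=32),
    Rule(12, "allow", limit_key="src-addr", limit=4),
]
# Bill Moran's suggestion: rule 11 installs its state and jumps to rule 12
SKIPTO_ALLOW = [
    Rule(11, "skipto", target=12, limit_key="dst-addr", limit=32),
    Rule(12, "allow", limit_key="src-addr", limit=4),
]


def run(rules, attempts):
    """Push (src, dst) setup packets through a fresh ruleset; return verdicts and the firewall."""
    fw = ToyIpfw(rules)
    return [fw.setup(src, dst) for src, dst in attempts], fw


if __name__ == "__main__":
    burst = [("203.0.113.7", ME)] * 6   # constructed: six SYNs from one host
    for name, rules in (("allow/allow", ALLOW_ALLOW), ("skipto/allow", SKIPTO_ALLOW)):
        verdicts, fw = run(rules, burst)
        print(name, verdicts, "hits:", dict(fw.hits))
```

Running it shows the symptom Mark saw with the first ruleset (six allows, all at rule 11, rule 12 never hit) and the behaviour Bill described with the second (four allows at rule 12, then drops at rule 12 once the per-source limit is reached, with the 33rd distinct source dropped at rule 11).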