ipfw, keep-state and limit
Luigi Rizzo
rizzo at icir.org
Sun Apr 15 21:49:34 UTC 2007
On Sun, Apr 15, 2007 at 10:06:37PM +0200, Ivan Voras wrote:
> I think I need to start filtering based on simultaneous connections from
> source IP addresses because of some abuse that's apparently going on,
> so, as I'm already using ipfw, I tried this:
>
> # ipfw add 6079 allow tcp from any to me 80 setup keep-state limit src-addr 10
>
> To which ipfw replied:
>
> ipfw: only one of keep-state andlimit is allowed
>
> (including the "andlimit" typo).
>
> What I'm trying to do makes sense to me (and seems straightforward to
> implement, at least semantically): allow connections to port 80 with
> dynamic keep-state rules for individual clients, but allow only 10
> connections from the same address. Is this a limitation in ipfw? Any
> suggestions?
If I remember well (the implementation dates back to 2001 or so),
you just need to use "limit", as it implicitly installs
a dynamic state entry (same as keep-state).
cheers
luigi
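One way to put this into a ruleset, as an added example that is not part of the original thread or of ipfw itself. The rule numbers and the cap of 10 per source address follow Ivan's question; the helper names (has_word, check_rule, broken_rule, ruleset, load_ruleset) are chosen here for illustration. check_rule mirrors the constraint ipfw reports ("only one of keep-state and limit is allowed") so the script refuses the rule Ivan tried and accepts the one Luigi suggests:

```shell
#!/bin/sh
# Added example, not code from the original thread or from ipfw.
# Rule numbers 6078/6079 and the cap of 10 come from the question;
# everything else is an assumption for illustration.

# has_word WORD STRING: true when WORD appears as a whole token.
has_word() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Refuse a rule that carries both keep-state and limit, which is the
# same check ipfw applies when loading a rule. Returns 0 if acceptable.
check_rule() {
    if has_word keep-state "$1" && has_word limit "$1"; then
        echo "rejected: $1 (only one of keep-state and limit is allowed)" >&2
        return 1
    fi
    return 0
}

# The rule from the question. "limit" already installs a dynamic state
# entry for the connection, so "keep-state" is redundant and ipfw
# refuses the combination.
broken_rule() {
    echo "add 6079 allow tcp from any to me 80 setup keep-state limit src-addr 10"
}

# The corrected ruleset: drop keep-state and let "limit" create the
# dynamic entry. The check-state rule in front lets the dynamic entries
# match the follow-up packets of each connection before any other rule
# is consulted; "setup" restricts rule 6079 to connection attempts, and
# "limit src-addr 10" caps live dynamic entries at 10 per client address.
ruleset() {
    cat <<'EOF'
add 6078 check-state
add 6079 allow tcp from any to me 80 setup limit src-addr 10
EOF
}

# Load the ruleset into a running ipfw when one is present (root on a
# FreeBSD host); otherwise print it, so the script is usable anywhere.
load_ruleset() {
    if command -v ipfw >/dev/null 2>&1; then
        ruleset | while read -r line; do
            # shellcheck disable=SC2086  # word splitting is intended
            check_rule "$line" && ipfw $line
        done
    else
        ruleset
    fi
}

load_ruleset
```

Once loaded, `ipfw -d show` lists the dynamic entries next to the static rules, so you can watch the per-address count grow. When a source address already holds 10 entries, the packet that would open an eleventh connection is dropped rather than matched by a later rule, so keep that in mind if you expect a fallthrough. Closed connections stop counting only when their dynamic entries expire; the net.inet.ip.fw.dyn_fin_lifetime and net.inet.ip.fw.dyn_rst_lifetime sysctls control how quickly that happens after a FIN or RST.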