limit number of tcp connection for a GID
Daniel Gerzo
danger at rulez.sk
Sun Jun 5 19:23:53 GMT 2005
Hi Riccardo,
Sunday, June 5, 2005, 9:12:44 PM, you wrote:
> On 6/5/05, Giorgos Keramidas <keramida at ceid.upatras.gr> wrote:
> ...
>> No trace of uid or gid matching though. I thought it was specifically
>> uid/gid matching that you were after.
> Here is the complete fantastic rule:
> pass out quick proto tcp from $irc_subnet to any port {4004, 5555,
> 5667, 6660, 6661, 6662, 6663, 6664,\
> 6665, 6666, 6667, 6668, 6669, 7000} user >= 1009 modulate state (max 3)
> I've got a /23 subnet and I want users with UID > 1009 to use only two
> connections to ircd.
> The rule is correct, everything goes the right way :)
> Regards
(31 Oct 2004) When the user/group rule clauses in pf(4) and ipfw(4)
are used, the loader tunable debug.mpsafenet must be set to 0
(this is 1 by default). For example, the following rules are affected:
for ipfw(4):
count ip from any to 192.168.2.1 uid root
for pf(4):
block log quick proto { tcp, udp } all user root
To set debug.mpsafenet to 0 on every boot, add the following line
into /boot/loader.conf:
debug.mpsafenet=0
More specifically, the group and user filter parameters in pf(4),
and the gid, jail, and uid rule options in ipfw(4) are affected.
If debug.mpsafenet is set to 1, the system can hang when the rule
is evaluated due to a lock order reversal with the socket layer.
More details can be found in the ipfw(8) and pf.conf(5) manual
pages.
--
Best regards
DanGer, ICQ: 261701668 | e-mail protecting at: http://www.2pu.net/
http://danger.rulez.sk | proxy list at: http://www.proxy-web.com/
| FreeBSD - The Power to Serve!
[ "640K should be enough memory for anyone." - Bill Gates ]
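The following pf.conf fragment is an added illustration, not part of the original message or of Riccardo's rule: it expresses the same intent keyed on a group id, as the subject line asks, rather than on a uid. The subnet, the gid value 1009, and the port list are assumed placeholders. Two points from pf.conf(5) matter when reading it: the user and group options match the owner of the local socket, so they only apply to connections that originate from or terminate on the host running pf, and the max state option caps the total number of states the rule may create, not the number per user; per-source-address limits need source-track and max-src-states. On FreeBSD releases affected by the note above, debug.mpsafenet=0 in /boot/loader.conf is still required whenever user or group rules are loaded.

```pf
# Added example (not from the original message). Assumed values:
# the hosts run pf themselves, since user/group match the owner of the
# local socket; 192.0.2.0/23 and gid 1009 are placeholders.
irc_subnet = "192.0.2.0/23"
irc_ports  = "{ 4004, 5555, 5667, 6660:6669, 7000 }"

# Members of any group with gid >= 1009 may reach the IRC ports, but the
# rule as a whole may hold at most 2 states (max), and each source address
# may hold at most 2 of them (max-src-states, which needs source-track).
# Once a limit is hit, packets that would need a new state are dropped.
pass out quick proto tcp from $irc_subnet to any port $irc_ports \
    group >= 1009 modulate state (max 2, source-track rule, max-src-states 2)

# Everyone else on the subnet trying these ports is logged and dropped.
# No 'quick' here: the pass rule above already matched and returned for
# the permitted group, so this block only sees the remaining traffic.
block out log proto tcp from $irc_subnet to any port $irc_ports
```

Load it with pfctl -nf /etc/pf.conf first to check the syntax, then inspect the states the rule creates with pfctl -ss and the per-source tracking with pfctl -sS to confirm the limits behave as intended.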