Hi, I'm trying to use ipfw's limit clause to limit the number of
connections a single IP can have at the same time in a transparent
web-proxy environment:
00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port
80 in via if0 setup limit src-addr 10
00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
... the rest fwd...
the problem is that the src-addr limit is not enforced for some nasty
clients that open a huge number (3-5 times the prescribed value) of
www-connections to some single address Out There, forcing you to bump up
certain sysctl variables (such as kern.ipc.nmbclusters,
kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be
going on? Is ipfw broken, or am I misusing it?
OS: FreeBSD 6.2
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
