Re: ipfw, keep-state and limit

2007-04-16 Thread Ivan Voras
Luigi Rizzo wrote:
> you have to look at the source code because it has been a few years
> since i implemented them, but i believe the PARENT lines (which have
> 0's in the counters and unused fields) are the summary for the individual
> clients, and the individual entries are the 'LIMIT' rules be

Re: ipfw, keep-state and limit

2007-04-16 Thread Luigi Rizzo
On Mon, Apr 16, 2007 at 03:44:00PM +0200, Ivan Voras wrote:
> Luigi Rizzo wrote:
> >>> if i remember well (the implementation dates back to 2001 or so)
> >>> you just need to use "limit", as it implicitly installs
> >>> a dynamic state entry (same as keep-state).
>
> My new rule is:
> 06079376

Re: ipfw, keep-state and limit

2007-04-16 Thread Ivan Voras
Luigi Rizzo wrote: if i remember well (the implementation dates back to 2001 or so) you just need to use "limit", as it implicitly installs a dynamic state entry (same as keep-state).

My new rule is:
06079376036286721568 allow tcp from any to me dst-port 80 setup limit src-addr 15 An

Re: ipfw, keep-state and limit

2007-04-15 Thread Ian Smith
On Sun, 15 Apr 2007, Luigi Rizzo wrote:
> On Sun, Apr 15, 2007 at 11:53:15PM +0200, Ivan Voras wrote:
> > Luigi Rizzo wrote:
> >
> > > if i remember well (the implementation dates back to 2001 or so)
> > > you just need to use "limit", as it implicitly installs
> > > a dynamic state entry (s

Re: ipfw, keep-state and limit

2007-04-15 Thread Luigi Rizzo
On Sun, Apr 15, 2007 at 11:53:15PM +0200, Ivan Voras wrote:
> Luigi Rizzo wrote:
>
> > if i remember well (the implementation dates back to 2001 or so)
> > you just need to use "limit", as it implicitly installs
> > a dynamic state entry (same as keep-state).
>
> Thanks, I'll try it tomorrow. If

Re: ipfw, keep-state and limit

2007-04-15 Thread Ivan Voras
Luigi Rizzo wrote:
> if i remember well (the implementation dates back to 2001 or so)
> you just need to use "limit", as it implicitly installs
> a dynamic state entry (same as keep-state).

Thanks, I'll try it tomorrow. If it works, may I suggest a change: make the error message say "keep-state i

Re: ipfw, keep-state and limit

2007-04-15 Thread Luigi Rizzo
On Sun, Apr 15, 2007 at 10:06:37PM +0200, Ivan Voras wrote:
> I think I need to start filtering based on simultaneous connections from
> source IP addresses because of some abuse that's apparently going on,
> so, as I'm already using ipfw, I tried this:
>
> # ipfw add 6079 allow tcp from any to me

ipfw, keep-state and limit

2007-04-15 Thread Ivan Voras
I think I need to start filtering based on simultaneous connections from source IP addresses because of some abuse that's apparently going on, so, as I'm already using ipfw, I tried this:

# ipfw add 6079 allow tcp from any to me 80 setup keep-state limit src-addr 10

To which ipfw replied:
ipfw: