[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipfw limit src-addr woes



admin wrote in msgid:
<list_(_dot_)_freebsd_(_dot_)_questions#45D85EA3_(_dot_)_2050102_(_at_)_azuni_(_dot_)_net>

> Hi, I'm trying to use ipfw's limit clause to limit the number of
> connections a single IP can have at the same time in a transparent
> web-proxy environment:
> 
> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port
> 80 in via if0 setup limit src-addr 10
> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
> ... the rest fwd...
> 
> as I understand the manpage, when the current number of connectiions is
> below 10, the action "skipto" is performed, else, the packet is dropped
> and the search terminates. But...
> 
> the problem is that the src-addr limit is not enforced as some clients
> somehow open a huge number (3-5 times the prescribed value) of
> www-connections to some single address Out There, forcing you to bump up
> certain sysctl variables (such as kern.ipc.nmbclusters,
> kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be
> going on? Is ipfw broken, or am I misusing it?
> 
> OS: FreeBSD 6.2


I tested ipfw with the "limit" option and it works just fine.
I can open only one http connection from "194.109.21.3" and hangs on
opening a second one with an error in the logfile.


rule:
# add 03000 allow log logamount 50 tcp from any to any dst-port 80 in limit dst-addr 1

My logfile:
Feb 18 16:16:57 jeremino kernel: ipfw: 3000 Accept TCP 194.109.21.3:3626 10.0.0.6:80 in via dc1
Feb 18 16:16:58 jeremino kernel: drop session, too many entries


_______________________________________________
freebsd-questions_(_at_)_freebsd_(_dot_)_org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe_(_at_)_freebsd_(_dot_)_org"


Visit your host, monkey.org