Re: ipfw limit src-addr woes
- To: freebsd-questions_(_at_)_freebsd_(_dot_)_org
- Subject: Re: ipfw limit src-addr woes
- From: Kees Plonsz <dit-is-een-zinloze-spampoging_(_at_)_jeremino_(_dot_)_homeunix_(_dot_)_net>
- Date: Sun, 18 Feb 2007 16:37:49 +0100
- Organization: Chaos
admin wrote in msgid:
> Hi, I'm trying to use ipfw's limit clause to limit the number of
> connections a single IP can have at the same time in a transparent
> web-proxy environment:
> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 80 in via if0 setup limit src-addr 10
> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
> ... the rest fwd...
> as I understand the manpage, when the current number of connections is
> below 10, the action "skipto" is performed, else, the packet is dropped
> and the search terminates. But...
> the problem is that the src-addr limit is not enforced as some clients
> somehow open a huge number (3-5 times the prescribed value) of
> www-connections to some single address Out There, forcing you to bump up
> certain sysctl variables (such as kern.ipc.nmbclusters,
> kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be
> going on? Is ipfw broken, or am I misusing it?
> OS: FreeBSD 6.2
I tested ipfw with the "limit" option and it works just fine.
I can open only one http connection from "220.127.116.11" and it hangs on
opening a second one, with an error in the logfile.
# add 03000 allow log logamount 50 tcp from any to any dst-port 80 in limit dst-addr 1
Feb 18 16:16:57 jeremino kernel: ipfw: 3000 Accept TCP 18.104.22.168:3626 10.0.0.6:80 in via dc1
Feb 18 16:16:58 jeremino kernel: drop session, too many entries
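
Added example, not part of the original message: an sh/awk tally over log lines in the layout quoted above, counting accepted TCP packets per source for one rule and the number of "drop session, too many entries" events, as a way to check whether a limit rule is being hit. The sample log lines, addresses and the host name "fw" are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: tally ipfw "limit" activity from syslog lines.
# Log layout follows the two lines quoted in the message above.

# Constructed sample input (documentation addresses, hypothetical host "fw").
sample_log() {
cat <<'EOF'
Feb 18 16:16:57 fw kernel: ipfw: 3000 Accept TCP 192.0.2.10:3626 198.51.100.6:80 in via dc1
Feb 18 16:16:58 fw kernel: drop session, too many entries
Feb 18 16:17:02 fw kernel: ipfw: 3000 Accept TCP 192.0.2.11:4100 198.51.100.6:80 in via dc1
Feb 18 16:17:03 fw kernel: ipfw: 3000 Accept TCP 192.0.2.10:3627 198.51.100.6:80 in via dc1
Feb 18 16:17:03 fw kernel: drop session, too many entries
Feb 18 16:17:09 fw kernel: ipfw: 3000 Accept TCP 192.0.2.10:3628 198.51.100.6:80 in via dc1
Feb 18 16:17:10 fw kernel: ipfw: 3100 Accept TCP 192.0.2.10:3700 198.51.100.6:443 in via dc1
EOF
}

# accepts_by_source RULE: read syslog on stdin and print "count source" for
# accepted TCP packets logged by that rule, busiest source first.
accepts_by_source() {
    awk -v rule="$1" '
    {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next                       # not an ipfw rule log line
        # Rules are entered as 03000 but logged as 3000: compare as numbers.
        if ($(i+1) + 0 != rule + 0) next
        if ($(i+2) != "Accept" || $(i+3) != "TCP") next
        src = $(i+4); sub(/:[0-9]+$/, "", src) # strip the source port
        n[src]++
    }
    END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# limit_drops: count refusals to create a new dynamic entry. The message
# carries no address or rule number, so it can only be counted globally.
limit_drops() {
    awk '/drop session, too many entries/ { n++ } END { print n + 0 }'
}

sample_log | accepts_by_source 03000
echo "limit drops: $(sample_log | limit_drops)"
```

On a live system, feed the functions the file the kernel messages are logged to instead of sample_log.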