From owner-freebsd-net@FreeBSD.ORG Mon Feb 19 08:13:16 2007
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 30A6A16A400 for ; Mon, 19 Feb 2007 08:13:16 +0000 (UTC) (envelope-from admin@azuni.net)
Received: from mail.azuni.net (ns0.azuni.net [217.25.25.3]) by mx1.freebsd.org (Postfix) with ESMTP id 5701813C48E for ; Mon, 19 Feb 2007 08:13:14 +0000 (UTC) (envelope-from admin@azuni.net)
Received: (qmail 7353 invoked by uid 1004); 19 Feb 2007 08:13:13 -0000
Received: from admin@azuni.net by mail.azuni.net by uid 89 with qmail-scanner-1.20 (clamscan: 0.65. spamassassin: 2.63. Clear:RC:1(217.25.23.11):. Processed in 0.088532 secs); 19 Feb 2007 08:13:13 -0000
Received: from unknown (HELO ?217.25.23.11?) (217.25.23.11) by ns0.azuni.net with AES256-SHA encrypted SMTP; 19 Feb 2007 08:13:12 -0000
Message-ID: <45D95C07.9060409@azuni.net>
Date: Mon, 19 Feb 2007 12:12:55 +0400
From: admin
Organization: UniNet
User-Agent: Debian Thunderbird 1.0.2 (X11/20070113)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Andre Santos
References: <45D85EA3.2050102@azuni.net>
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: ipfw limit src-addr woes
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 19 Feb 2007 08:13:16 -0000

Andre Santos wrote:
> On 2/18/07, admin wrote:
>
>> Hi, I'm trying to use ipfw's limit clause to limit the number of
>> connections a single IP can have at the same time in a transparent
>> web-proxy environment:
>>
>> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port
>> 80 in via if0 setup limit src-addr 10
>> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
>> ... the rest fwd...
>>
>> as I understand the manpage, when the current number of connections is
>> below 10, the action "skipto" is performed, else, the packet is dropped
>> and the search terminates. But...
>>
>> the problem is that the src-addr limit is not enforced as some clients
>> somehow open a huge number (3-5 times the prescribed value) of
>> www-connections to some single address Out There, forcing you to bump up
>> certain sysctl variables (such as kern.ipc.nmbclusters,
>> kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be
>> going on? Is ipfw broken, or am I misusing it?
>>
>> OS: FreeBSD 6.2
>
>
> The following command worked here (6.2-RC1). Only one connection was
> allowed to 1.2.3.4.
> # ipfw add 1 allow tcp from any to 1.2.3.4 22 out via rl1 limit dst-addr 1
>
> Use the command "ipfw -d show" to see what connections are matching
> your dynamic rules.
>

# ipfw -d show | fgrep x.x.x.x | wc -l
20
$ netstat -na|fgrep x.x.x.x|fgrep ESTABLISHED|wc -l
113

Why is it that only 20 connections have been accounted for by ipfw's
dynamic rules but there are actually 113 active connections from that IP
at the moment? The limit src-addr is 75.
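The two one-liners at the end of the message (count ipfw's dynamic entries for an address, then count the kernel's ESTABLISHED sessions for it) are the right check; the script below, an added example that is not part of this thread or of ipfw itself, does the same comparison per source address and reports the gap directly. The `ipfw -d show` and `netstat -na` samples embedded in it are constructed to resemble FreeBSD 6.x output (addresses printed as host.port, dynamic entries marked LIMIT); the field positions the awk programs rely on are an assumption about that format, and on a real host you would replace the two variables with the live command output.

```sh
#!/bin/sh
# Added example, not from the thread: compare ipfw's dynamic-rule state with
# the kernel's ESTABLISHED TCP sessions for a source address, the way the two
# one-liners in the message do, but report the untracked remainder directly.
# Sample outputs below are constructed to resemble FreeBSD 6.x `ipfw -d show`
# and `netstat -na`; on a real host use
#   IPFW_DYN=$(ipfw -d show)   and   NETSTAT=$(netstat -na)

# Constructed sample: dynamic-rule section of `ipfw -d show`.
IPFW_DYN='## Dynamic rules (3):
00350 12 9876 (300s) LIMIT tcp 10.0.0.5 41234 <-> 93.184.216.34 80
00350 4 3210 (298s) LIMIT tcp 10.0.0.5 41235 <-> 93.184.216.34 80
00350 8 6543 (290s) LIMIT tcp 10.0.0.7 51000 <-> 198.51.100.9 80'

# Constructed sample: `netstat -na` (FreeBSD prints addresses as host.port).
NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.41234         93.184.216.34.80       ESTABLISHED
tcp4       0      0  10.0.0.5.41235         93.184.216.34.80       ESTABLISHED
tcp4       0      0  10.0.0.5.41236         93.184.216.34.80       ESTABLISHED
tcp4       0      0  10.0.0.5.41237         93.184.216.34.80       TIME_WAIT
tcp4       0      0  10.0.0.7.51000         198.51.100.9.80        ESTABLISHED
tcp4       0      0  *.8080                 *.*                    LISTEN'

# Number of ipfw LIMIT entries whose source address (7th field) is $1.
dyn_count() {
    printf '%s\n' "$IPFW_DYN" |
        awk -v ip="$1" '$5 == "LIMIT" && $7 == ip { n++ } END { print n + 0 }'
}

# Number of ESTABLISHED sessions in which $1 is the local or the foreign host.
est_count() {
    printf '%s\n' "$NETSTAT" |
        awk -v ip="$1" '
            $NF == "ESTABLISHED" {
                l = $4; sub(/\.[^.]*$/, "", l)   # drop the trailing ".port"
                f = $5; sub(/\.[^.]*$/, "", f)
                if (l == ip || f == ip) n++
            }
            END { print n + 0 }'
}

# Sessions the kernel holds that have no LIMIT state in ipfw (never below 0).
untracked_count() {
    d=$(dyn_count "$1")
    e=$(est_count "$1")
    if [ "$e" -gt "$d" ]; then echo $((e - d)); else echo 0; fi
}

# One summary line per address; usage: report 10.0.0.5 10.0.0.7
report() {
    for ip in "$@"; do
        printf '%-16s dynamic=%s established=%s untracked=%s\n' \
            "$ip" "$(dyn_count "$ip")" "$(est_count "$ip")" "$(untracked_count "$ip")"
    done
}

report 10.0.0.5 10.0.0.7
```

With the constructed samples the report shows 10.0.0.5 with two LIMIT entries but three established sessions, the same shape of discrepancy as the 20-versus-113 figures in the message; TIME_WAIT entries are deliberately left out of the established count so that closing sessions do not inflate it. A non-zero untracked column identifies which sessions to look at, not why ipfw holds no state for them.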