From: Mark
Date: Mon, 02 Aug 2004 16:08:01 GMT
To: freebsd-questions@freebsd.org
Subject: Re: One OR MORE of source and destination addresses?
Message-Id: <200408021608.I72G81RM006022@asarian-host.net>

[my apologies for the resend; my last reply had an unfortunate wrap]

Mark wrote:

> Color me confused. The ipfw manual says:
>
>     limit {src-addr | src-port | dst-addr | dst-port} N
>         The firewall will only allow N connections with the same set of
>         parameters as specified in the rule. One or more of source and
>         destination addresses and ports can be specified.
>
> If "One or more of source and destination addresses and ports can be
> specified", then I'd like to limit both the total amount of
> connections, as well as per-src. Something like this:
>
>     ipfw check-state
>     ipfw add allow tcp from any to me 25 setup limit dst-addr 32 src-addr 8
>
> The error I get is:
>
>     "ipfw: only one of keep-state and limit is allowed"
>
> So, how can I specify "One OR MORE of source and destination
> addresses" in the rule to achieve this effect?

Thanks for your reply.

JJB wrote:

> Like the manual says, you can not code both options on a single rule.
> You have to make 2 rules out of it.
>
>     state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
>     state ipfw add allow tcp from any to me 25 setup limit src-addr 8

Actually, that is what I had already done:

    ipfw add 10 check-state
    ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
    ipfw add 12 check-state
    ipfw add 13 allow tcp from any to me 25 setup limit src-addr 4

But it seems I never get to rule 12/13. All "ipfw show" shows is activity on rule 10/11. That is why I figured I made an error somewhere. Does not rule 11, indeed, function as an 'early-out'? (undesired)

Thanks,

- Mark
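The following is a toy model of ipfw rule evaluation, added here as an example; it is not code from the thread and not ipfw itself. It assumes what ipfw documents for its ruleset: rules are tried in order and an "allow" rule that matches terminates evaluation, each "limit" rule keeps its own dynamic table counted per value of the named key (src-addr or dst-addr here), and a new connection that would push that count above N is dropped by that rule. Only the initial SYN ("setup") of each connection is fed in, so check-state is not modelled. The rule numbers and the two address values are taken from the thread; the client addresses and the traffic are constructed for the example. Run with Mark's order (dst-addr rule first), six connections from one client all pass rule 11 and rule 13 is never touched, which is exactly what "ipfw show" reported; with the rules swapped, the per-source cap works but the dst-addr cap of 32 is never enforced. Either way only the first matching limit rule ever decides.

```python
"""Toy model of ipfw first-match evaluation with 'limit' (added example,
not ipfw code).  Assumptions: a matching 'allow ... setup limit' rule is
terminating, each rule has its own dynamic table keyed by the limit key,
and a new connection exceeding N for its key is dropped by that rule.
Only the initial SYN of each connection is modelled; check-state is not.
"""
from collections import Counter


class LimitRule:
    """Models 'allow tcp from any to me 25 setup limit <key> <n>'."""

    def __init__(self, num, key, n):
        self.num = num          # rule number, as in 'ipfw add <num> ...'
        self.key = key          # 'src-addr' or 'dst-addr'
        self.n = n              # at most n live connections per key value
        self.dyn = Counter()    # live dynamic entries, keyed by address


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.hits = Counter()   # packets matched per rule, like 'ipfw show'

    def setup(self, src, dst):
        """Feed one new connection (TCP SYN). Returns (verdict, rule number)."""
        flow = {"src-addr": src, "dst-addr": dst}
        for rule in self.rules:
            # every rule here matches 'tcp from any to me 25 setup', so the
            # first rule in the list is the one that decides every time
            self.hits[rule.num] += 1
            value = flow[rule.key]
            if rule.dyn[value] >= rule.n:
                return ("drop", rule.num)   # limit exceeded: dropped here
            rule.dyn[value] += 1            # install dynamic state
            return ("allow", rule.num)      # terminating: later rules unreached
        return ("deny", None)               # default deny if nothing matched


def run(rules, connections):
    """Apply a list of (src, dst) SYNs; return verdicts and per-rule hit counts."""
    fw = Firewall(rules)
    verdicts = [fw.setup(src, dst) for src, dst in connections]
    return verdicts, dict(fw.hits)


def mark_ruleset():
    # the order Mark posted: dst-addr cap first, src-addr cap second
    return [LimitRule(11, "dst-addr", 32), LimitRule(13, "src-addr", 4)]


def swapped_ruleset():
    # the other order: src-addr cap first, dst-addr cap second
    return [LimitRule(11, "src-addr", 4), LimitRule(13, "dst-addr", 32)]


# Constructed sample traffic (hypothetical addresses):
# six SYNs from one client, then forty SYNs from forty distinct clients.
SAME_CLIENT = [("198.51.100.7", "192.0.2.25")] * 6
MANY_CLIENTS = [(f"203.0.113.{i}", "192.0.2.25") for i in range(1, 41)]

if __name__ == "__main__":
    verdicts, hits = run(mark_ruleset(), SAME_CLIENT)
    print("Mark's order, one client:", verdicts, hits)     # rule 13 never hit
    verdicts, hits = run(swapped_ruleset(), SAME_CLIENT)
    print("swapped, one client:", verdicts, hits)          # 5th and 6th dropped
    verdicts, hits = run(swapped_ruleset(), MANY_CLIENTS)
    print("swapped, forty clients:", verdicts[-1], hits)   # 40 > 32 still allowed
```

The model only reproduces the first-match consequence; it does not say how to enforce both caps in ipfw, which the thread leaves open.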