From owner-freebsd-questions@FreeBSD.ORG Mon Feb 19 16:38:19 2007 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8AD6016A400 for ; Mon, 19 Feb 2007 16:38:19 +0000 (UTC) (envelope-from admin@azuni.net) Received: from mail.azuni.net (ns0.azuni.net [217.25.25.3]) by mx1.freebsd.org (Postfix) with ESMTP id B829113C4A7 for ; Mon, 19 Feb 2007 16:38:18 +0000 (UTC) (envelope-from admin@azuni.net) Received: (qmail 43631 invoked by uid 1004); 19 Feb 2007 16:38:16 -0000 Received: from admin@azuni.net by mail.azuni.net by uid 89 with qmail-scanner-1.20 (clamscan: 0.65. spamassassin: 2.63. Clear:RC:1(217.25.23.11):. Processed in 0.402665 secs); 19 Feb 2007 16:38:16 -0000 Received: from unknown (HELO ?217.25.23.11?) (217.25.23.11) by ns0.azuni.net with AES256-SHA encrypted SMTP; 19 Feb 2007 16:38:16 -0000 Message-ID: <45D9D25E.1050007@azuni.net> Date: Mon, 19 Feb 2007 20:37:50 +0400 From: admin Organization: UniNet User-Agent: Debian Thunderbird 1.0.2 (X11/20070113) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ian Smith References: In-Reply-To: Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-net@freebsd.org, freebsd-questions@freebsd.org Subject: Re: ipfw limit src-addr woes X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Feb 2007 16:38:19 -0000 Ian Smith wrote: > On Mon, 19 Feb 2007, admin wrote: > > Ian Smith wrote: > > > On Mon, 19 Feb 2007, admin wrote: > > > > Andre Santos wrote: > > > > > On 2/18/07, admin wrote: > > > > > > > > > >> Hi, I'm trying to use ipfw's limit clause to limit the number of > > > > >> connections a single IP can have at the same time in a transparent > > > > >> web-proxy environment: > > > > >> > > > > >> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port > > > > >> 80 in via if0 setup limit src-addr 10 > > > > >> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80 > > > > >> ... the rest fwd... > > > > >> > > > > >> as I understand the manpage, when the current number of connectiions is > > > > >> below 10, the action "skipto" is performed, else, the packet is dropped > > > > >> and the search terminates. But... > > > > > > No, a packet is not dropped on a condition that fails a skipto test. > > > > > The manpage doesn't make this point clear. > > You pretty much have to read it all .. several times .. a year. One of > the things you note is that each rule is tested until a packet is either > allowed or denied by a rule, even until '65535 deny ip from any to any'. > > > limit {src-addr | src-port | dst-addr | dst-port} N > > The firewall will only allow N connections with the same > > set of parameters as specified in the rule. > > Yes, for this rule. It still needs to be applied to an allow or deny > (or forward, divert etc, anything that terminates the search). > > > To limit the number of connections a user can open you can use the > > following type of rules: > > ipfw add allow tcp from my-net/24 to any setup limit src-addr 10 > > ipfw add allow tcp from any to me setup limit src-addr 4 > > Yes. Notice that these are allow rules, so the search terminates when > successfully matched. It is assumed you'll later have rule/s denying > what you've not allowed. True, this is not stated with every example. > > > I'm assuming the packet gets silently dropped when the limit is > > overloaded but gets acted upon otherwise due to the stateful "limit" > > behaviour (keep-state in disguise). Just do a "skipto" when there's a > > state entry and that's it. And that's why the counter grows for > > established connections too, even though there's a "setup" modifier. > > Can't tell without seeing your whole ruleset, but now that you know that > the skipto rule has NOT dropped the setup packets that don't match that > rule (including those exceeding the src-addr limit), I suspect you'll > find another rule has allowed them, on some other condition, later on. > Wrong: the implied "check-state" done by the "limit" lets the connection through (i.e. performs the action) iff there's state recorded for it (src-addr+src-port+dst-addr+dst-port). If however it's a SYN packet incoming and the number of current states is trying to cross the limit, the SYN packet is implicitly dropped and the search terminates. This is not to say that I completely understand the things going on when the connections start building up (different timeouts?) but the above conclusion is based on what simulation has shown. The whole ruleset fits on one screen, there's an "allow ip from any to any" in the end, so I'm pretty sure I'm not crazy :-) > > As for the problem, it seems to me that all this noise is because of > > different timeouts in ipfw and TCP layer/whatever. The dynamic state > > entry for a connection expires while netstat -na still show the > > connection as ESTABLISHED, or, worse, the state entry is still there but > > the corresponding connection is in some half-closed state (FIN_WAIT_2, > > CLOSE_WAIT, LAST_ACK). The first case allows many more connections than > > "limit", while the second case won't let many good clients connect due > > to their buggy browsers not closing connections and letting the count > > build up. Could this be it? > > I don't believe so. They can only have been established in the first > place if the setup packet has been, somewhere in your ruleset, allowed. > Yup. Then, after setting up the connections, the state times out earlier than the actual connection shown by netstat! Gotta play a bit more with the *_lifetime sysctls... And yes (answering to someone else on the list), net.inet.ip.fw.dyn_keepalive is on: I don't tend to mess with the default values of things I don't understand or care about... only what's absolutely necessary. > Here it seems they're allowed (at least the ones from x.x.x.x/x) by the > fwd at 401 which has no 'setup' constraint, and will fwd both setup AND > established packets from x.x.x.x/x .. other rules, y and z, presumably. > > Replaying .. trying not to do quite so much in one rule, but given you > can't just 'allow' here, since you want to run your fwd rules later: > > > 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port \ > > 80 in via if0 setup limit src-addr 10 > > 00350 skipto 370 tcp from ${thatmob} to any dst-port 80 in via if0 > 00360 skipto 401 ip from any to any # bit clunky, but !(all that) > > 00370 skipto 401 tcp from any to any setup limit src-addr 10 # goodies > 00380 deny tcp from any to any # else baddies > > > 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80 > > ... the rest fwd... Rule 380 is good for capturing bogus or late-coming connection packets (when state entry has already expired). Once again, its use for denying over-limit connection attempts is debatable as "limit" will already have done that. > > FWIW: not only have I never used limit src-addr, but neither forward > with keep-state rules, so I could be talking ${hit} .. caveat bloggor. > > Cheers, Ian > > I should've read the mail backwards :-) Then please don't pay any attention to what I wrote.