From: Kees Plonsz
To: freebsd-questions@freebsd.org
Date: Sun, 18 Feb 2007 16:37:49 +0100
Organization: Chaos
Subject: Re: ipfw limit src-addr woes
Message-Id: <20070218153750.792DF13C47E@mx1.freebsd.org>

admin wrote in msgid:

> Hi, I'm trying to use ipfw's limit clause to limit the number of
> connections a single IP can have at the same time in a transparent
> web-proxy environment:
>
> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 80 in via if0 setup limit src-addr 10
> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
> ... the rest fwd...
>
> As I understand the manpage, when the current number of connections is
> below 10, the action "skipto" is performed; otherwise the packet is dropped
> and the search terminates. But...
>
> The problem is that the src-addr limit is not enforced, as some clients
> somehow open a huge number (3-5 times the prescribed value) of
> www-connections to some single address Out There, forcing you to bump up
> certain sysctl variables (such as kern.ipc.nmbclusters,
> kern.ipc.maxsockets, etc.) to mitigate the DoS effects. What might be
> going on? Is ipfw broken, or am I misusing it?
>
> OS: FreeBSD 6.2

I tested ipfw with the "limit" option and it works just fine. I can open
only one http connection from "194.109.21.3", and it hangs on opening a
second one, with an error in the logfile.

rule:

# add 03000 allow log logamount 50 tcp from any to any dst-port 80 in limit dst-addr 1

My logfile:

Feb 18 16:16:57 jeremino kernel: ipfw: 3000 Accept TCP 194.109.21.3:3626 10.0.0.6:80 in via dc1
Feb 18 16:16:58 jeremino kernel: drop session, too many entries
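The check above was done by reading two log lines by eye. The script below is an added example (not part of the mailing-list post) that does the same tally over a whole log: it counts, per source address, the "Accept" lines a logged limit rule produced for the chosen destination port, and counts the "drop session, too many entries" lines the kernel emits when a limit is exceeded. The log lines it runs on are constructed for illustration in the format shown in the reply; the limit value and port are assumptions passed in by the caller. Note that the drop line carries no address, and that a per-source total over a log window is not a concurrent count (closed sessions free their slot), so a source can legitimately show more accepts than the limit over time; for the live concurrent figure, list the dynamic rules with `ipfw -d show`.

```python
"""Tally ipfw 'limit' activity from kernel log lines (added example)."""
import re
from collections import Counter

# Matches the accept line format shown in the reply, e.g.
# "... kernel: ipfw: 3000 Accept TCP 194.109.21.3:3626 10.0.0.6:80 in via dc1"
ACCEPT_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Message the dynamic-rule code logs when a 'limit' rule refuses a new session.
DROP_MSG = "drop session, too many entries"


def tally(lines, dport=80):
    """Return (Counter of accepted sessions per source address, drop count).

    Only 'Accept' lines whose destination port equals `dport` are counted,
    so traffic matched by other rules in the same log is ignored.
    """
    accepted = Counter()
    drops = 0
    for line in lines:
        if DROP_MSG in line:
            drops += 1
            continue
        m = ACCEPT_RE.search(line)
        if m and m.group("action") == "Accept" and int(m.group("dport")) == dport:
            accepted[m.group("src")] += 1
    return accepted, drops


def over_limit(accepted, limit):
    """Sources whose accepted-session total exceeds `limit` in this log window."""
    return {src: n for src, n in accepted.items() if n > limit}


# Constructed sample log: the two lines from the reply plus a second client
# on 10.1.1.7 (assumed address) that opens two port-80 sessions and one
# port-443 session, followed by another limit drop.
SAMPLE_LOG = [
    "Feb 18 16:16:57 jeremino kernel: ipfw: 3000 Accept TCP 194.109.21.3:3626 10.0.0.6:80 in via dc1",
    "Feb 18 16:16:58 jeremino kernel: drop session, too many entries",
    "Feb 18 16:17:02 jeremino kernel: ipfw: 3000 Accept TCP 10.1.1.7:40001 10.0.0.6:80 in via dc1",
    "Feb 18 16:17:02 jeremino kernel: ipfw: 3000 Accept TCP 10.1.1.7:40002 10.0.0.6:80 in via dc1",
    "Feb 18 16:17:03 jeremino kernel: ipfw: 3000 Accept TCP 10.1.1.7:40003 10.0.0.6:443 in via dc1",
    "Feb 18 16:17:04 jeremino kernel: drop session, too many entries",
]


if __name__ == "__main__":
    accepted, drops = tally(SAMPLE_LOG, dport=80)
    for src, n in accepted.most_common():
        print(f"{src:<16} {n} accepted")
    print(f"limit drops: {drops}")
    print("over limit 1:", over_limit(accepted, 1))
```

Run it against a real log with `tally(open("/var/log/security").read().splitlines(), dport=80)`; a source that exceeds the limit inside a window shorter than the dynamic rule lifetime is the case worth looking at in `ipfw -d show`.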