From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 27 23:29:01 2007
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C176B16AA37; Tue, 27 Feb 2007 23:29:01 +0000 (UTC) (envelope-from nikola@vlaeonline.com)
Received: from munem.it-box.org (munem.it-box.org [67.159.30.92]) by mx1.freebsd.org (Postfix) with ESMTP id 8EA0413C474; Tue, 27 Feb 2007 23:29:01 +0000 (UTC) (envelope-from nikola@vlaeonline.com)
Received: from Nikola (unknown [85.30.84.199]) by munem.it-box.org (Postfix) with ESMTP id 1D8E237F70002; Tue, 27 Feb 2007 18:23:19 -0500 (EST)
Message-ID: <001701c75ac7$09c14000$02170a0a@Nikola>
From: "Nikola Stojanoski"
To: "Jordi Moles"
Cc: freebsd-ipfw@freebsd.org
References: <45E2AA23.3020901@cdmon.com> <001401c759b3$1c169ad0$02170a0a@Nikola> <45E45632.40304@cdmon.com>
Date: Wed, 28 Feb 2007 00:28:40 +0100
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Subject: Re: ipfw along with netstat
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 27 Feb 2007 23:29:01 -0000

Hi,

it will count the number of established sessions from a host or to a host, so if you set it:

ipfw add allow tcp from any to me 80 limit dst-addr 10

it will limit to 10 established connections to your http server from any ip

and if you set it like this:

ipfw add allow tcp from any to any 80 limit src-addr 10

it will limit to 10 established connections to your http server from 1 ip

or you can use:

ipfw add allow tcp from any to any 80 limit src-addr 10
ipfw add allow tcp from any to me 80 limit dst-addr 100

so you will limit 10 established connections per ip, and maximum 100 connections to your http server

also if you do ssh or some other limiting you should add an anti-locking rule so you can login if you are flooded. It's something like this:

ipfw add allow tcp from local/net to any 22
ipfw add allow tcp from any to any 22 limit src-addr 10
ipfw add allow tcp from any to me 22 limit dst-addr 100

this way you will not limit connections from your local net and if you get flooded you can login to your box

i hope you will find this useful

Regards

----- Original Message -----
From: "Jordi Moles"
To: "Nikola Stojanoski"
Cc: freebsd-ipfw@freebsd.org
Sent: Tuesday, February 27, 2007 5:02 PM
Subject: Re: ipfw along with netstat

> hi,
>
> thanks for the information, it works great!!
>
> I've got another question related to this... how does ipfw actually count
> the number of ip addresses? I mean... let's say i set up the firewall to
> only accept 50 connections. Does it count 50 connections per second? 50
> during a minute? or what?
>
> thanks.
>
> Nikola Stojanoski wrote:
>> you can use limit for that. here is the part about limit in ipfw manual:
>>
>> limit {src-addr | src-port | dst-addr | dst-port} N
>>         The firewall will only allow N connections with the same set of
>>         parameters as specified in the rule. One or more of source and
>>         destination addresses and ports can be specified.
>>
>> so a simple way to limit max connections per ip is:
>>
>> ipfw add allow ip from any to any limit src-addr 100
>>
>> this way you will limit yourself also with 100 connections per ip, but
>> you can play around with recv, xmit, via and other settings to fit your
>> needs
>>
>> Regards
>>
>> ----- Original Message -----
>> From: "Jordi Moles"
>> To: freebsd-ipfw@freebsd.org
>> Sent: Monday, February 26, 2007 10:36 AM
>> Subject: ipfw along with netstat
>>
>>
>>> hi,
>>>
>>> I've done a lot of research about that but haven't found anything like I need.
>>> I'm running an ipfw firewall on a FreeBSD 6.1 and i wonder if ipfw can
>>> add rules automatically when it detects, for example, that an ip address
>>> has 100 connections open in the server. I'm doing a similar thing with a
>>> perl script and netstat. The script counts how many connections an ip
>>> address opened and it automatically adds a new rule to the firewall, but
>>> I'm looking for a way in which ipfw does that on its own.
>>>
>>> thank you.
>>> _______________________________________________
>>> freebsd-ipfw@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
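The counting behaviour Nikola describes above (a limit rule counts currently established sessions sharing the keyed address, not connections per second or per minute), shown by an added Python model that is not ipfw's code and not part of this thread; the LimitRule class, its port/key/N parameters and the addresses and ports replayed in demo() are constructed for the illustration.

```python
# Added model of what an ipfw "limit" rule counts (not ipfw's own code):
# the number of *currently open* sessions that share the keyed address.
# There is no time window; closing a session frees its slot.
from collections import defaultdict


class LimitRule:
    """Model of 'allow tcp from any to <me> <port> limit <key> N'."""

    def __init__(self, port, key, n):
        if key not in ("src-addr", "dst-addr"):
            raise ValueError("unsupported limit key")
        self.port, self.key, self.n = port, key, n
        self.open = defaultdict(set)  # key value -> set of open 4-tuples

    def _key(self, src, dst):
        return src if self.key == "src-addr" else dst

    def new_session(self, src, sport, dst, dport):
        """First packet of a session: allowed only if fewer than N are open."""
        if dport != self.port:
            return None  # rule does not match; packet falls through
        bucket = self.open[self._key(src, dst)]
        if len(bucket) >= self.n:
            return False  # limit reached: new session refused
        bucket.add((src, sport, dst, dport))
        return True

    def close_session(self, src, sport, dst, dport):
        """Session ended (FIN/RST or idle timeout): free its slot."""
        self.open[self._key(src, dst)].discard((src, sport, dst, dport))


def demo():
    """Replay constructed traffic against 'limit src-addr 3' on port 80."""
    rule = LimitRule(80, "src-addr", 3)
    me = "192.0.2.10"  # constructed server address
    results = []
    # four sessions from one client: the fourth exceeds N=3
    for sport in (40001, 40002, 40003, 40004):
        results.append(rule.new_session("198.51.100.7", sport, me, 80))
    # a different client has its own counter
    results.append(rule.new_session("198.51.100.8", 40001, me, 80))
    # one of the first client's sessions closes, so a new one fits again
    rule.close_session("198.51.100.7", 40001, me, 80)
    results.append(rule.new_session("198.51.100.7", 40005, me, 80))
    return results  # [True, True, True, False, True, True]
```

The per-host count therefore rises and falls with the sessions themselves, which is why a flood of long-lived connections is what hits the limit, not a burst of short ones.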