Date:      Tue, 20 Feb 2007 15:19:57 -0800
From:      Julian Elischer <>
To:        admin <>
Cc:, Ian Smith <>,
Subject:   Re: ipfw limit src-addr woes
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

admin wrote:

> Wrong: the implied "check-state" done by the "limit" lets the connection 
> through (i.e. performs the action) iff there's state recorded for it 
> (src-addr+src-port+dst-addr+dst-port). If however it's a SYN packet 
> incoming and the number of current states is trying to cross the limit, 
> the SYN packet is implicitly dropped and the search terminates.
> This is not to say that I completely understand the things going on when 
> the connections start building up (different timeouts?) but the above 
> conclusion is based on what simulation has shown. The whole ruleset fits 
> on one screen, there's an "allow ip from any to any" in the end, so I'm 
> pretty sure I'm not crazy :-)

One thing to keep in mind is that a 'check-state' rule works by effectively 
jumping to the rule that did the 'keep-state' and re-executing it 
(and incrementing its stats).
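
The behaviour the two messages above describe (a SYN over the limit is dropped and the search stops; a packet with recorded state jumps back to the rule that created the state and re-executes it, bumping that rule's counters) can be replayed with a small model. The following is an added illustration written for this page, not ipfw code and not something either poster wrote; it models a two-rule set of the kind the thread discusses (`allow tcp from any to any setup limit src-addr 2` followed by `allow ip from any to any`), with constructed rule numbers, addresses and packets, and it ignores dynamic-rule timeouts entirely.

```python
"""Model of ipfw 'limit src-addr N' with the implicit check-state, following
the behaviour described in the thread. Added illustration for this page, not
ipfw code; rule numbers, addresses and packets below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-opening SYN (what ipfw 'setup' matches)


@dataclass
class Rule:
    number: int
    action: str                           # 'allow' or 'deny'
    setup: bool = False                   # ipfw 'setup' option: match SYN only
    limit_src_addr: Optional[int] = None  # 'limit src-addr N'; None = static rule
    pkts: int = 0                         # per-rule packet counter


class Ruleset:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)
        # dynamic state table: 4-tuple -> number of the rule that created it
        self.state: Dict[FourTuple, int] = {}

    def rule(self, number: int) -> Rule:
        return next(r for r in self.rules if r.number == number)

    def _check_state(self, p: Packet) -> Optional[str]:
        """check-state: on a hit, jump to the parent rule and re-execute its
        action, incrementing that rule's counters."""
        parent = self.state.get((p.src, p.sport, p.dst, p.dport))
        if parent is None:
            return None
        rule = self.rule(parent)
        rule.pkts += 1
        return rule.action

    def _states_from(self, src: str, rule: Rule) -> int:
        return sum(1 for key, n in self.state.items()
                   if key[0] == src and n == rule.number)

    def process(self, p: Packet) -> str:
        """Return the verdict for one packet, updating state and counters."""
        checked = False
        for rule in self.rules:
            dynamic = rule.limit_src_addr is not None
            # The first keep-state/limit rule carries an implicit check-state.
            if dynamic and not checked:
                checked = True
                verdict = self._check_state(p)
                if verdict is not None:
                    return verdict
            if rule.setup and not p.syn:
                continue              # 'setup' matches only SYN packets
            if dynamic:
                if self._states_from(p.src, rule) >= rule.limit_src_addr:
                    return 'deny'     # over the limit: dropped, search ends here
                self.state[(p.src, p.sport, p.dst, p.dport)] = rule.number
            rule.pkts += 1
            return rule.action
        return 'deny'                 # default when nothing matches


def demo() -> Tuple[List[str], int, int]:
    """Replay a constructed packet sequence through the two-rule set;
    returns (verdicts, pkts on rule 100, pkts on rule 65000)."""
    fw = Ruleset([
        Rule(100, 'allow', setup=True, limit_src_addr=2),  # tcp setup limit src-addr 2
        Rule(65000, 'allow'),                              # allow ip from any to any
    ])
    srv = ('192.0.2.10', 80)
    packets = [
        Packet('10.0.0.1', 1001, *srv, syn=True),   # 1st connection: state created
        Packet('10.0.0.1', 1002, *srv, syn=True),   # 2nd: now at the limit
        Packet('10.0.0.1', 1003, *srv, syn=True),   # 3rd SYN: over the limit, dropped
        Packet('10.0.0.1', 1001, *srv, syn=False),  # ACK on a tracked flow: state hit
        Packet('10.0.0.1', 1003, *srv, syn=False),  # ACK with no state: falls through
        Packet('10.0.0.2', 2001, *srv, syn=True),   # other source has its own limit
    ]
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw.rule(100).pkts, fw.rule(65000).pkts


if __name__ == '__main__':
    print(demo())
```

Two things the replay makes visible. The third SYN from 10.0.0.1 is denied by rule 100 itself and never reaches the final `allow ip from any to any`, which is the "search terminates" point in the quoted message; and the later ACK on port 1001 is credited to rule 100, not to the final rule, which is the counter behaviour Julian describes. The fifth packet is the caveat: a non-SYN packet with no recorded state is not matched by a `setup` rule at all, so in a ruleset that ends in `allow ip from any to any` it is passed by that last rule. The limit therefore constrains only connection setups, not arbitrary traffic from the source.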
