Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 20 Feb 2007 15:19:57 -0800
From:      Julian Elischer <julian@elischer.org>
To:        admin <admin@azuni.net>
Cc:        freebsd-net@freebsd.org, Ian Smith <smithi@nimnet.asn.au>, freebsd-questions@freebsd.org
Subject:   Re: ipfw limit src-addr woes
Message-ID:  <45DB821D.4050508@elischer.org>
In-Reply-To: <45D9D25E.1050007@azuni.net>
References:  <Pine.BSF.3.96.1070219235025.26249C-100000@gaia.nimnet.asn.au> <45D9D25E.1050007@azuni.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
admin wrote:

> 
> Wrong: the implied "check-state" done by the "limit" lets the connection 
> through (i.e. performs the action) iff there's state recorded for it 
> (src-addr+src-port+dst-addr+dst-port). If however it's a SYN packet 
> incoming and the number of current states is trying to cross the limit, 
> the SYN packet is implicitly dropped and the search terminates.
> 
> This is not to say that I completely understand the things going on when 
> the connections start building up (different timeouts?) but the above 
> conclusion is based on what simulation has shown. The whole ruleset fits 
> on one screen, there's an "allow ip from any to any" in the end, so I'm 
> pretty sure I'm not crazy :-)

One thing to keep in mind is that a 'check-state' rule works by effectively 
jumping to the rule that did the 'keep-state' and re-executing it..
(and incrementing its stats).





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?45DB821D.4050508>