Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 18 Feb 2007 09:19:44 +0300
From:      "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To:        admin <admin@azuni.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw limit src-addr woes
Message-ID:  <499c70c0702172219i1295ed07oefa63d7d8132a654@mail.gmail.com>
In-Reply-To: <45D75F87.6050908@azuni.net>
References:  <45D75F87.6050908@azuni.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 2/17/07, admin <admin@azuni.net> wrote:
> Hi, I'm trying to use ipfw's limit clause to limit the number of
> connections a single IP can have at the same time in a transparent
> web-proxy environment:
>
> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port
> 80 in via if0 setup limit src-addr 10
> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
> ... the rest fwd...
>
> the problem is that the src-addr limit is not enforced for some nasty
> clients that open a huge number (3-5 times the prescribed value) of
> www-connections to some single address Out There, forcing you to bump up
> certain sysctl variables (such as kern.ipc.nmbclusters,
> kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be
> going on? Is ipfw broken, or am I misusing it?
>
> OS: FreeBSD 6.2

I would go for pf instead of ipfw for that job ;)

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?499c70c0702172219i1295ed07oefa63d7d8132a654>