Date: Sun, 18 Feb 2007 09:19:44 +0300
From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: admin <admin@azuni.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw limit src-addr woes
Message-ID: <499c70c0702172219i1295ed07oefa63d7d8132a654@mail.gmail.com>
In-Reply-To: <45D75F87.6050908@azuni.net>
References: <45D75F87.6050908@azuni.net>
On 2/17/07, admin <admin@azuni.net> wrote:
> Hi, I'm trying to use ipfw's limit clause to limit the number of
> connections a single IP can have at the same time in a transparent
> web-proxy environment:
>
> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 80 in via if0 setup limit src-addr 10
> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
> ... the rest fwd...
>
> the problem is that the src-addr limit is not enforced for some nasty
> clients that open a huge number (3-5 times the prescribed value) of
> www-connections to some single address Out There, forcing you to bump up
> certain sysctl variables (such as kern.ipc.nmbclusters,
> kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be
> going on? Is ipfw broken, or am I misusing it?
>
> OS: FreeBSD 6.2

I would go for pf instead of ipfw for that job ;)

-- 
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
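For readers following the reply's suggestion, here is an added pf.conf fragment (not from the thread) that does the same job as the ipfw rules above: redirect port-80 traffic to the local proxy and cap concurrent connections per source address with pf's max-src-conn. The interface name, client networks, proxy address and table name are assumptions.

```conf
# pf.conf fragment (added example): transparent proxy plus a per-source
# connection cap. if0, the client networks, the proxy address and the
# <abusers> table name are placeholders, not values from the thread.
ext_if  = "if0"
proxy   = "192.0.2.1"                          # the proxy host's own address
clients = "{ 192.0.2.0/24, 198.51.100.0/24 }"  # constructed client nets

# sources that exceed the cap are parked in this table and dropped
table <abusers> persist

# counterpart of the ipfw "fwd local.ip.ad.dr,8080" rule; in this pf
# generation translation runs before filtering, so filter rules below
# see the translated destination
rdr on $ext_if inet proto tcp from $clients to any port 80 -> $proxy port 8080

block in quick on $ext_if from <abusers> to any

# counterpart of "setup limit src-addr 10": at most 10 concurrent states
# per source; a source that exceeds it is added to <abusers> and its
# existing states are flushed
pass in on $ext_if inet proto tcp from $clients to $proxy port 8080 \
        flags S/SA keep state \
        (max-src-conn 10, overload <abusers> flush)
```

Per-source state counts can be checked with `pfctl -s states` and the parked sources with `pfctl -t abusers -T show`; entries stay in the table until expired or removed by hand, so pair the overload with a periodic `pfctl -t abusers -T expire` if permanent blocking is not wanted.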