Date: Sat, 3 Dec 2011 05:07:04 -0800 (PST)
From: Blog Tieng Viet <blogtiengviet@yahoo.com>
To: freebsd-ipfw@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: Limit src address may not work well:
Message-ID: <1322917624.95519.YahooMailClassic@web161704.mail.bf1.yahoo.com>
In-Reply-To: <1475430265.24464.1320253002379.JavaMail.root@mail-01.cse.ucsc.edu>
Dear all,

I am using IPFW in FreeBSD 7.3-RELEASE.
I have some problems as follows:

Limit src address may not work well:

For example, I want to limit the Google robot to not more than 1 connection establishment:

${fwcmd} add 5625 pass tcp from 66.249.0.0/16 to me 80 limit src-addr 1

But I saw there are about 6 ESTABLISHED entries for this address in the results of "netstat -n".

Is it my mistake? Please give me some advice.

Best regards.


--- On Thu, 11/3/11, Tim Gustafson <tjg@soe.ucsc.edu> wrote:

> From: Tim Gustafson <tjg@soe.ucsc.edu>
> Subject: Re: IPFW Problems
> To: "Michael Sierchio" <kudzu@tenebras.com>
> Cc: freebsd-ipfw@freebsd.org
> Date: Thursday, November 3, 2011, 1:56 AM
> > You may want to tweak the sysctl items that control the lifespan
> > of dynamic rules.
> >
> > sysctl net.inet.ip.fw
> >
> > in particular, the default value of net.inet.ip.fw.dyn_ack_lifetime
> > is probably way too long for your purposes.
>
> Here's what I have right now:
>
> root@bsd-02: sysctl net.inet.ip.fw
> net.inet.ip.fw.static_count: 48
> net.inet.ip.fw.default_to_accept: 0
> net.inet.ip.fw.tables_max: 128
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 0
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_max: 32768
> net.inet.ip.fw.dyn_count: 805
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 256
>
> I'm assuming that's in seconds.  Is 300 seconds too long?  It seems like
> the dynamic rules are hanging around for hours or days, and I think the
> timeout is getting reset by the fact that the system is constantly
> sending out ACK packets to clients that aren't acknowledging them.
>
> Tim Gustafson
> tjg@soe.ucsc.edu
> Baskin School of Engineering
> 831-459-5354
> UC Santa Cruz
> Baskin Engineering 317B
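An added diagnostic, not from the thread or the FreeBSD project: an ipfw `limit` rule only tracks connections whose packets actually reach that rule, so an ESTABLISHED socket with no matching dynamic entry was admitted by an earlier rule or predates the rule's installation. The script below cross-checks constructed samples in the assumed shape of `ipfw -d show` (dynamic section) and `netstat -n` on FreeBSD 7.x and flags sources with more ESTABLISHED sockets than tracked LIMIT entries; adjust the regexes if your output columns differ.

```python
"""Cross-check an ipfw 'limit src-addr N' rule against live TCP state."""
import re
import ipaddress
from collections import Counter

# Constructed sample in the assumed shape of `ipfw -d show` dynamic output.
IPFW_DYN_SAMPLE = """\
## Dynamic rules (2 32768):
05625        3      452 (300s) LIMIT tcp 66.249.71.20 41200 <-> 192.0.2.10 80
05625        1       60 (290s) LIMIT tcp 66.249.66.1 51000 <-> 192.0.2.10 80
"""

# Constructed sample in the assumed shape of `netstat -n` (FreeBSD 7.x).
NETSTAT_SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          66.249.71.20.41200     ESTABLISHED
tcp4       0      0 192.0.2.10.80          66.249.71.20.41201     ESTABLISHED
tcp4       0      0 192.0.2.10.80          66.249.66.1.51000      ESTABLISHED
tcp4       0      0 192.0.2.10.80          66.249.66.1.51001      TIME_WAIT
tcp4       0      0 192.0.2.10.80          198.51.100.7.33000     ESTABLISHED
"""

# rule pkts bytes (lifetime) TYPE proto src sport <-> dst dport
DYN_RE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+\((\d+)s\)\s+(\w+)\s+(\w+)\s+"
                    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)")

def dyn_limit_entries(text, rule):
    """Count dynamic LIMIT entries per source address for rule number `rule`."""
    counts = Counter()
    for line in text.splitlines():
        m = DYN_RE.match(line)
        if m and int(m.group(1)) == rule and m.group(3) == "LIMIT":
            counts[m.group(5)] += 1
    return counts

def established_by_src(text, net, local_port):
    """Count ESTABLISHED tcp4 sockets on local_port per foreign host inside `net`."""
    net = ipaddress.ip_network(net)
    counts = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or f[0] != "tcp4" or f[5] != "ESTABLISHED":
            continue
        lport = int(f[3].rsplit(".", 1)[1])          # "host.port" -> port
        fhost = f[4].rsplit(".", 1)[0]
        if lport == local_port and ipaddress.ip_address(fhost) in net:
            counts[fhost] += 1
    return counts

def audit(dyn_text, netstat_text, rule, net, port):
    """Return {src: (established, tracked)} for sources whose ESTABLISHED count
    exceeds the LIMIT entries ipfw holds -- connections the rule never saw."""
    tracked = dyn_limit_entries(dyn_text, rule)
    est = established_by_src(netstat_text, net, port)
    return {s: (n, tracked[s]) for s, n in est.items() if n > tracked[s]}
```

On a live host, feed `audit()` the real `ipfw -d show` and `netstat -n` output; a non-empty result means the excess connections matched a rule before 5625 rather than a failure of `limit` itself.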