Date:      Mon, 02 Aug 2004 16:08:01 GMT
From:      Mark <admin@asarian-host.net>
To:        <freebsd-questions@freebsd.org>
Subject:   Re: One OR MORE of source and destination addresses?
Message-ID:  <200408021608.I72G81RM006022@asarian-host.net>

[my apologies for the resend; my last reply had an unfortunate wrap]

Mark wrote:

> Color me confused. The ipfw manual says:
> 
>     limit {src-addr | src-port | dst-addr | dst-port} N
>     The firewall will only allow N connections with the same set of
>     parameters as specified in the rule. One or more of source and
>     destination addresses and ports can be specified.
> 
> If "One or more of source and destination addresses and ports can be
> specified", then I'd like to limit both the total amount of
> connections, as well as per-src. Something like this:
> 
> ipfw check-state ipfw add allow tcp from any to me 25 setup limit
> dst-addr 32 src-addr 8
> 
> The error I get is:
> 
> "ipfw: only one of keep-state and limit is allowed"
> 
> So, how can I specify "One OR MORE of source and destination
> addresses" in the rule to achieve this effect?

Thanks for your reply.

JJB wrote:

> Like the manual says, you can not code both options on single rule.
> You have to make 2 rules out of it.
> 
> state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
> state ipfw add allow tcp from any to me 25 setup limit src-addr 8

Actually, that is what I had already done:

ipfw add 10 check-state
ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 check-state
ipfw add 13 allow tcp from any to me 25 setup limit src-addr 4

But it seems I never get to rule 12/13. All "ipfw show" shows is activity
on rule 10/11. That is why I figured I made an error somewhere. Does not
rule 11, indeed, function as an 'early-out'? (undesired).

Thanks,

- Mark
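
The behaviour asked about in the message above, as an added example that is not part of the original e-mail or of ipfw: a toy Python model of rule traversal using the four rules Mark lists. It assumes first-match evaluation in which a matching allow rule ends the search; the Firewall class, the simulate function and the sample addresses are constructed for illustration.

```python
# Toy model of ipfw rule traversal (added illustration, not ipfw source code).
# Assumptions: first matching rule decides; "allow" ends the search; a "limit"
# rule that is already at its quota drops the packet instead of falling through.
from collections import Counter

RULES = [  # the ruleset from the message: (number, action, limit mask, N)
    (10, "check-state", None, None),
    (11, "allow", "dst-addr", 32),
    (12, "check-state", None, None),
    (13, "allow", "src-addr", 4),
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.hits = Counter()     # packets decided by each rule
        self.flows = {}           # (src, sport, dst) -> rule that created state
        self.buckets = Counter()  # (rule, masked address) -> open connections

    def packet(self, src, sport, dst, setup=False):
        """Return 'allow' or 'deny' for one TCP packet to port 25."""
        flow = (src, sport, dst)
        for num, action, mask, n in self.rules:
            if action == "check-state":
                if flow in self.flows:          # dynamic state exists
                    self.hits[self.flows[flow]] += 1
                    return "allow"
                continue                        # no state yet: next rule
            if not setup:
                continue                        # rules 11/13 only match SYNs
            self.hits[num] += 1
            bucket = (num, dst if mask == "dst-addr" else src)
            if self.buckets[bucket] >= n:
                return "deny"                   # assumed over-limit behaviour
            self.buckets[bucket] += 1
            self.flows[flow] = num
            return "allow"                      # search ends here
        return "deny"                           # model default, nothing matched

def simulate():
    """Constructed traffic: one client opens 6 sessions, 30 others open 1 each."""
    fw, server, verdicts = Firewall(RULES), "198.51.100.25", []
    for sport in range(1024, 1030):
        verdicts.append(fw.packet("192.0.2.1", sport, server, setup=True))
        fw.packet("192.0.2.1", sport, server)   # follow-up packet, same flow
    for i in range(1, 31):
        verdicts.append(fw.packet(f"203.0.113.{i}", 2000, server, setup=True))
    return fw, verdicts
```

In this model every setup packet is decided at rule 11, so rules 12 and 13 keep zero counters and the per-source limit of 4 is never applied.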


