Re: One OR MORE of source and destination addresses?
From: Mark (admin_at_asarian-host.net)
Date: 08/02/04
- Previous message: Osmany Guirola Cruz: "Ports Index"Portsman""
- In reply to: JJB: "RE: One OR MORE of source and destination addresses?"
- Next in thread: Mark: "Re: One OR MORE of source and destination addresses?"
Date: Mon, 02 Aug 2004 16:02:53 GMT
To: <freebsd-questions@freebsd.org>
Mark wrote:
> Color me confused. The ipfw manual says:
>
> limit {src-addr | src-port | dst-addr | dst-port} N
> The firewall will only allow N connections with the same set of
> parameters as specified in the rule. One or more of source and
> destination addresses and ports can be specified.
>
> If "One or more of source and destination addresses and ports can be
> specified", then I'd like to limit both the total amount of
> connections, as well as per-src. Something like this:
>
> ipfw check-state
> ipfw add allow tcp from any to me 25 setup limit dst-addr 32 src-addr 8
>
> The error I get is:
>
> "ipfw: only one of keep-state and limit is allowed"
>
> So, how can I specify "One OR MORE of source and destination
> addresses" in the rule to achieve this effect?
Thanks for your reply.
JJB wrote:
> Like the manual says, you can not code both options on single rule. You
> have to make 2 rules out of it.
>
> state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
> state ipfw add allow tcp from any to me 25 setup limit src-addr 8
Actually, that is what I had already done:
ipfw add 10 check-state
ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 check-state
ipfw add 13 allow tcp from any to me 25 setup limit src-addr 4
But it seems I never get to rule 12/13. All "ipfw show" shows is activity
on rule 10/11. That is why I figured I made an error somewhere. Does not
rule 11, indeed, function as an 'early-out'? (undesired).
Thanks,
- Mark
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
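An added example, not part of the original message or of ipfw itself: a small Python model of first-match evaluation for rules 11 and 13 from the message, showing which limit is actually enforced in each rule order. It assumes that a matching "allow ... limit" rule ends the search whether it accepts the packet or drops it for exceeding N; the addresses and traffic are constructed.

```python
"""Model of first-match evaluation for the two 'limit' rules in the message."""
from collections import Counter

# (rule number, limit key, N), in the order given in the message
RULES = [(11, "dst-addr", 32), (13, "src-addr", 4)]

def simulate(syns, rules=RULES):
    """Feed TCP setup packets (src, dst) to port 25 through the rules.

    Assumption of this model: a matching 'allow ... limit' rule ends the
    search, accepting the packet while under N and dropping it otherwise.
    Connections are never closed. Returns (accepted, hits, per_src).
    """
    open_conns = {num: Counter() for num, _, _ in rules}
    hits, per_src, accepted = Counter(), Counter(), 0
    for src, dst in syns:
        for num, key, n in rules:
            hits[num] += 1
            k = dst if key == "dst-addr" else src
            if open_conns[num][k] < n:
                open_conns[num][k] += 1
                per_src[src] += 1
                accepted += 1
            break  # both rules match every such packet, so the first one decides
    return accepted, hits, per_src

# Constructed sample traffic (documentation addresses, not from the thread)
ME = "198.51.100.1"
ONE_BUSY_SOURCE = [("192.0.2.10", ME)] * 40 + [("192.0.2.20", ME)] * 5
MANY_SOURCES = [(f"192.0.2.{i}", ME) for i in range(1, 10) for _ in range(4)]

if __name__ == "__main__":
    accepted, hits, per_src = simulate(ONE_BUSY_SOURCE)
    print("order 11,13:", accepted, "accepted; hits", dict(hits), dict(per_src))
    accepted, hits, _ = simulate(MANY_SOURCES, rules=RULES[::-1])
    print("order 13,11:", accepted, "accepted; hits", dict(hits))
```

In the model, the order 11, 13 lets one source hold all 32 slots while rule 13 records no hits, and the reverse order caps each source at 4 but lets the total pass 32.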