ipfw2 loss of feature ? -- never mind...
Bruce Campbell
bruce at engmail.uwaterloo.ca
Sun Sep 14 16:00:52 PDT 2003
Quoting Bruce Campbell <bruce at engmail.uwaterloo.ca>:
>
>
> With ipfw1 on 4.8 I use this:
>
> ipfw add 10 check-state
> ipfw add 20 allow tcp from xxx.xxx.xxx.0/24 to any keep-state limit src-addr 10
>
> to provide stateful firewalling, and limit the number of simultaneous
> tcp sessions to 10 per client. Seems to work great.
>
> On 4.8 I tried ipfw2
>
> (kernel with options IPFW2 and rebuilt ipfw and libalias with -DIPFW2
> as instructed in "man ipfw")
>
> When I tried ipfw2, as I wanted keepalives, I get an error
> when I run "ipfw"
>
> only one of keep-state and limit is allowed
>
> How can I do both the stateful firewalling and limit
> the simultaneous sessions, with ipfw2?
doh, this works as expected (without the "keep-state" statement)...
ipfw add 20 allow tcp from me to any limit src-addr 2
and does the stateful stuff. Just a syntax nuance between
ipfw1 and ipfw2.
>
> Thanks
>
> ----
>
> ps. As an aside, I also patch /usr/src/sys/netinet/ip_fw.c to
> be more verbose when it drops a session...
>
> --- ip_fw.c Sun Sep 14 15:33:16 2003
> +++ ip_fw.old Sun Sep 14 15:31:10 2003
> @@ -999,9 +999,7 @@
> if (fw_verbose && last_log != time_second) {
> last_log = time_second;
> log(LOG_SECURITY | LOG_DEBUG,
> - "drop session 0x%08x %u -> 0x%08x %u, TOO many entries
> \n",
> - (args->f_id.src_ip), (args->f_id.src_port),
> - (args->f_id.dst_ip), (args->f_id.dst_port));
> + "drop session, too many entries\n");
> }
> return 1;
> }
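Review bot: the diff headers run the wrong way for anyone who wants to apply this: `--- ip_fw.c` names the edited file and `+++ ip_fw.old` the pristine one, so the `-` lines are the verbose message you are recommending and the `+` line is the stock one; swap the two arguments to diff (or apply with `patch -R`) before sharing. The mail client has also wrapped the format string across two lines (`"drop session 0x%08x %u -> 0x%08x %u, TOO many entries` / `\n",`), which splits the string literal, so rejoin it for the patch to compile. Printing the addresses with `0x%08x` gives raw hex words; rendering them as dotted quads would make the dropped-session line easier to match when looking for clients that keep hitting the limit, and the existing `last_log != time_second` guard already holds this to one line per second, so the extra detail costs no log volume.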
>
>
> --
> Bruce Campbell
> Engineering Computing
> CPH-2374B
> University of Waterloo
> (519)888-4567 ext 5889
>
> ----------------------------------------
> This mail sent through www.mywaterloo.ca
>
--
Bruce Campbell
Engineering Computing
CPH-2374B
University of Waterloo
(519)888-4567 ext 5889
----------------------------------------
This mail sent through www.mywaterloo.ca
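An added example, not part of the original post, for the syntax nuance the thread settles on: in ipfw2 the `limit` clause already makes a rule stateful, so a rule that names both `keep-state` and `limit` is rejected. The helper names below are assumptions; the functions only rewrite and check rule text, they do not touch the firewall.

```shell
#!/bin/sh
# Added example (not from the original post). ipfw2 refuses a rule that
# carries both "keep-state" and "limit" ("only one of keep-state and limit
# is allowed"); "limit <key> <n>" alone keeps the rule stateful.
# Rules are whitespace-tokenised; function names are assumptions.

# rule_is_valid_ipfw2 RULE: return 0 unless RULE mixes keep-state and limit.
rule_is_valid_ipfw2() {
    has_limit=0; has_keep=0
    for w in $1; do
        if [ "$w" = limit ]; then has_limit=1; fi
        if [ "$w" = keep-state ]; then has_keep=1; fi
    done
    if [ "$has_limit" = 1 ] && [ "$has_keep" = 1 ]; then
        return 1
    fi
    return 0
}

# to_ipfw2 RULE: print RULE with the redundant keep-state token dropped when
# a limit clause is present; any other rule is printed unchanged.
to_ipfw2() {
    if rule_is_valid_ipfw2 "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    out=""
    for w in $1; do
        if [ "$w" = keep-state ]; then continue; fi
        out="$out${out:+ }$w"
    done
    printf '%s\n' "$out"
}

# stateful_ruleset NET MAX: print the ipfw2 form of the thread's ruleset:
# check-state first, then one stateful allow capped at MAX sessions per
# source address, then a catch-all deny.
stateful_ruleset() {
    printf 'ipfw add 10 check-state\n'
    printf 'ipfw add 20 allow tcp from %s to any limit src-addr %s\n' "$1" "$2"
    printf 'ipfw add 30 deny tcp from any to any\n'
}
```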