One OR MORE of source and destination addresses?

Bill Moran wmoran at potentialtech.com
Tue Aug 3 07:57:34 PDT 2004


Mark <admin at asarian-host.net> wrote:

> Mark wrote:
> 
> > The goal is simple: I want to limit connections to port 25 to 32 in
> > total, targeted at "me". And of those 32, only 4 per source. Like so:
> >
> > ipfw add 1 check-state
> > ...
> > ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
> > ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
> >
> > Please, tell me then how "all wrong" this is. Because I *still* get
> > the impression that rule 12 is never reached. And, so far, "ipfw
> > show" does, indeed, only show activity on rule 11.
> 
> If at all possible, I would still like to hear a suggestion as to how to
> combine the two rules. From my pov, the first "allow" in rule 11 makes a
> packet pass, provided there are less than 32 connections in total. Thus,
> rule 12 never gets invoked (which, indeed, seems to be the case).

How about using skipto instead of allow?  Thus, if it passes the first one,
it can just skipto the next rule to be checked.  i.e.:

ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4

Thus, if rule 11 passes, it skips to rule 12.  If it fails, it should reject
as always.  The end result is that a packet _must_ pass both rules to be
allowed.

Note that I haven't tried this, so I could be wrong in how it works.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
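An added example, not from the thread or from ipfw itself: a small Python model of ipfw rule evaluation that shows why an "allow ... limit dst-addr 32" rule followed by "allow ... limit src-addr 4" never consults the second rule, while "skipto 12" makes a packet pass both limits. The addresses are constructed, and what happens when a limit is exceeded is left as a parameter ("deny" as the reply assumes, or "skip" to the next rule) because the model does not settle how a given ipfw version behaves.

```python
from collections import defaultdict

class Rule:
    """One ipfw rule with a 'limit' clause; states = its dynamic entries."""
    def __init__(self, num, action, key, limit, target=None):
        self.num, self.action, self.key = num, action, key
        self.limit, self.target = limit, target
        self.states = defaultdict(int)   # entries per src or dst address

def evaluate(rules, src, dst, on_limit="deny"):
    """Walk the ruleset for one 'setup' (SYN) packet to port 25 on 'me'.
    on_limit is a modelled assumption: "deny" drops the packet when a limit
    is exceeded (what the reply assumes); "skip" treats the rule as a
    non-match and falls through to the next rule."""
    i = 0
    while i < len(rules):
        r = rules[i]
        key = src if r.key == "src-addr" else dst
        if r.states[key] >= r.limit:
            if on_limit == "deny":
                return (r.num, "deny")
            i += 1                     # fall through to the next rule
            continue
        r.states[key] += 1             # install a dynamic entry for this key
        if r.action == "allow":
            return (r.num, "allow")    # evaluation stops; later rules never run
        # skipto: resume at the first rule numbered >= target
        i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
    return (None, "deny")              # implicit default deny at end of ruleset

def run(rules, packets, on_limit="deny"):
    return [evaluate(rules, s, d, on_limit) for s, d in packets]

def mark_rules():   # allow/allow, as in the original post
    return [Rule(11, "allow", "dst-addr", 32), Rule(12, "allow", "src-addr", 4)]

def bill_rules():   # skipto/allow, as suggested in the reply
    return [Rule(11, "skipto", "dst-addr", 32, target=12),
            Rule(12, "allow", "src-addr", 4)]

ME = "192.0.2.25"                       # constructed address standing in for "me"
SAME_SRC = [("198.51.100.7", ME)] * 6   # constructed: six SYNs from one client

if __name__ == "__main__":
    m = mark_rules()
    print(run(m, SAME_SRC), dict(m[1].states))   # six allows by rule 11; rule 12 untouched
    print(run(bill_rules(), SAME_SRC))           # four allows, then rule 12 denies
```

Note that a dynamic entry installed by rule 11 stays counted in this model even when rule 12 later denies the packet.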