ipfw limit src-addr woes
Julian Elischer
julian at elischer.org
Tue Feb 20 23:20:00 UTC 2007
admin wrote:
>
> Wrong: the implied "check-state" done by the "limit" lets the connection
> through (i.e. performs the action) iff there's state recorded for it
> (src-addr+src-port+dst-addr+dst-port). If however it's a SYN packet
> incoming and the number of current states is trying to cross the limit,
> the SYN packet is implicitly dropped and the search terminates.
>
> This is not to say that I completely understand the things going on when
> the connections start building up (different timeouts?) but the above
> conclusion is based on what simulation has shown. The whole ruleset fits
> on one screen, there's an "allow ip from any to any" in the end, so I'm
> pretty sure I'm not crazy :-)
One thing to keep in mind is that a 'check-state' rule works by effectively
jumping to the rule that did the 'keep-state' and re-executing it
(and incrementing its stats).
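As an added illustration (not code from the thread or from ipfw itself), here is a small Python model of the behaviour both messages describe: dynamic state keyed by the 4-tuple, a per-src-addr limit that drops a SYN which would cross it, and the implied check-state that re-executes the creating rule and bumps its counter. The port-22 rule, the trailing allow-any rule, and the addresses and ports in the comments are constructed assumptions.

```python
"""Toy model of the ipfw ``limit src-addr N`` behaviour described in the thread
(constructed example, not ipfw source): state is keyed by the 4-tuple, a packet
with recorded state takes the action of the rule that created it and bumps its
counter (implied check-state), a SYN that would cross the per-src-addr limit is
dropped, and everything else falls through to the remaining rules."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn")
ALLOW, DENY, CONTINUE = "allow", "deny", "continue"


class LimitRule:
    """Models: allow tcp from any to any <dst_port> setup limit src-addr <limit>."""

    def __init__(self, dst_port, limit):
        self.dst_port, self.limit = dst_port, limit
        self.states = set()   # dynamic rules, keyed by (src, sport, dst, dport)
        self.pkts = 0         # rule counter; check-state hits bump it too

    def check_state(self, pkt):
        """Implied check-state: a packet with recorded state takes this rule's action."""
        if pkt[:4] in self.states:
            self.pkts += 1
            return ALLOW
        return CONTINUE

    def match(self, pkt):
        """Static part of the rule: only SYNs to dst_port are considered."""
        if not (pkt.syn and pkt.dport == self.dst_port):
            return CONTINUE
        if sum(1 for s in self.states if s[0] == pkt.src) >= self.limit:
            return DENY       # would cross the limit: SYN dropped, search ends
        self.states.add(pkt[:4])
        self.pkts += 1
        return ALLOW


def run_ruleset(rule, packets):
    """Ruleset: [implied check-state, limit rule, allow ip from any to any]."""
    verdicts = []
    for pkt in packets:
        verdict = rule.check_state(pkt)
        if verdict == CONTINUE:
            verdict = rule.match(pkt)
        if verdict == CONTINUE:
            verdict = ALLOW   # the trailing 'allow ip from any to any'
        verdicts.append(verdict)
    return verdicts
```

With a limit of 2, the third SYN from one source is dropped while a later data packet on an established connection still passes through the limit rule's state, which is the behaviour the thread is describing.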
More information about the freebsd-net mailing list