One OR MORE of source and destination addresses?
JJB
Barbish3 at adelphia.net
Mon Aug 2 09:32:48 PDT 2004
Your rules are all wrong. You really need to reread the ipfw manual
page info. Only one check-state rule is used. Your other check-state
rule is never matched.
Here is a rewrite of the FreeBSD handbook firewall section with
examples that will answer your questions.
www.a1poweruser.com/FBSD_firewall/
To get meaningful replies you have to post complete information
about your system configuration with description of your overall
firewall goals.
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mark
Sent: Monday, August 02, 2004 12:08 PM
To: freebsd-questions at freebsd.org
Subject: Re: One OR MORE of source and destination addresses?
[my apologies for the resent; my last reply had an unfortunate wrap]
Mark wrote:
> Color me confused. The ipfw manual says:
>
> limit {src-addr | src-port | dst-addr | dst-port} N
> The firewall will only allow N connections with the same set of
> parameters as specified in the rule. One or more of source and
> destination addresses and ports can be specified.
>
> If "One or more of source and destination addresses and ports can be
> specified", then I'd like to limit both the total amount of
> connections, as well as per-src. Something like this:
>
> ipfw check-state ipfw add allow tcp from any to me 25 setup limit
> dst-addr 32 src-addr 8
>
> The error I get is:
>
> "ipfw: only one of keep-state and limit is allowed"
>
> So, how can I specify "One OR MORE of source and destination
> addresses" in the rule to achieve this effect?
Thanks for your reply.
JJB wrote:
> Like the manual says, you can not code both options on a single rule.
> You have to make 2 rules out of it.
>
> state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
> state ipfw add allow tcp from any to me 25 setup limit src-addr 8
Actually, that is what I had already done:
ipfw add 10 check-state
ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 check-state
ipfw add 13 allow tcp from any to me 25 setup limit src-addr 4
But it seems I never get to rule 12/13. All "ipfw show" shows is activity
on rule 10/11. That is why I figured I made an error somewhere. Does not
rule 11, indeed, function as an 'early-out'? (undesired).
Thanks,
- Mark
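The "early-out" Mark describes can be reproduced without a FreeBSD box. The following is an added example, not code from the thread or from ipfw: a small Python model of ipfw's first-match evaluation restricted to what the thread uses (TCP SYN "setup" packets, `check-state`, and `allow ... setup limit <keys> N`). It assumes three ipfw behaviours: rules are tried in number order and the first matching rule decides the packet; a `limit` rule whose limit is already reached drops the packet at that rule instead of falling through; and several keys in one `limit` clause (e.g. `limit src-addr dst-addr 8`) form one combined mask that shares a single N, which is what the manual's "one or more" refers to. Rule numbers, addresses and the traffic mix are constructed for the demonstration.

```python
from collections import Counter

# Position of each limit key inside the (src, sport, dst, dport) flow tuple.
_FIELDS = {"src-addr": 0, "src-port": 1, "dst-addr": 2, "dst-port": 3}


class Ipfw:
    """Minimal model of ipfw rule evaluation for new TCP SYN packets."""

    def __init__(self):
        self.rules = []            # (number, action, limit), kept sorted by number
        self.dynamic = set()       # flows that currently have a dynamic rule
        self.counters = Counter()  # rule number -> packets matched (like `ipfw show`)

    def add(self, number, action, limit=None):
        # action: "check-state" or "allow". The static part of an allow rule
        # ("tcp from any to me 25 setup") is assumed to match every SYN fed in.
        # limit: (keys, N), e.g. (("src-addr",), 4) for `limit src-addr 4`.
        for key in (limit[0] if limit else ()):
            if key not in _FIELDS:
                raise ValueError(f"unknown limit key {key}")
        self.rules.append((number, action, limit))
        self.rules.sort()

    @staticmethod
    def _mask(flow, keys):
        # Keep only the fields named in the limit clause; the rest are wildcards.
        return tuple(v if name in keys else None for name, v in zip(_FIELDS, flow))

    def syn(self, src, sport, dst="me", dport=25):
        """Evaluate one new SYN; return (rule number that decided it, verdict)."""
        flow = (src, sport, dst, dport)
        for number, action, limit in self.rules:
            if action == "check-state":
                if flow in self.dynamic:        # packet of an already-known flow
                    self.counters[number] += 1
                    return number, "allow"
                continue                        # no state yet: keep searching
            self.counters[number] += 1          # static part matched
            if limit is not None:
                keys, n = limit
                masked = self._mask(flow, keys)
                live = sum(1 for f in self.dynamic if self._mask(f, keys) == masked)
                if live >= n:
                    return number, "deny"       # limit reached: dropped right here
                self.dynamic.add(flow)          # install the dynamic rule
            return number, "allow"
        return 65535, "deny"                    # implicit default rule


def marks_ruleset():
    """Rules 10-13 as posted: six SYNs from one client, per-source limit of 4."""
    fw = Ipfw()
    fw.add(10, "check-state")
    fw.add(11, "allow", limit=(("dst-addr",), 32))
    fw.add(12, "check-state")
    fw.add(13, "allow", limit=(("src-addr",), 4))
    verdicts = [fw.syn("192.0.2.10", 40000 + i)[1] for i in range(6)]
    return verdicts, dict(fw.counters)   # rule 13 never sees a packet


def per_source_first():
    """Per-source limit moved ahead of the total limit: now the total is shadowed."""
    fw = Ipfw()
    fw.add(10, "check-state")
    fw.add(11, "allow", limit=(("src-addr",), 4))
    fw.add(12, "allow", limit=(("dst-addr",), 32))
    verdicts = [fw.syn("192.0.2.10", 40000 + i)[1] for i in range(6)]
    return verdicts, dict(fw.counters)


def total_cap():
    """`limit dst-addr 32` on its own: 40 distinct clients, 32 get through."""
    fw = Ipfw()
    fw.add(10, "check-state")
    fw.add(11, "allow", limit=(("dst-addr",), 32))
    verdicts = [fw.syn(f"198.51.100.{i}", 50000)[1] for i in range(1, 41)]
    return verdicts.count("allow"), verdicts.count("deny")


def combined_keys():
    """`limit src-addr dst-addr 8`: one N, counted per (client, server) pair."""
    fw = Ipfw()
    fw.add(10, "check-state")
    fw.add(11, "allow", limit=(("src-addr", "dst-addr"), 8))
    result = {}
    for client in ("203.0.113.1", "203.0.113.2"):
        v = [fw.syn(client, 40000 + i)[1] for i in range(10)]
        result[client] = (v.count("allow"), v.count("deny"))
    return result


if __name__ == "__main__":
    print("as posted      :", marks_ruleset())
    print("per-source first:", per_source_first())
    print("total cap       :", total_cap())
    print("combined keys   :", combined_keys())
```

Under the model, `marks_ruleset()` reports every packet on rule 11 and nothing on rule 13, matching the `ipfw show` output in the thread: rule 11 either installs state and allows the SYN or drops it once its limit is reached, so rule 13 is unreachable for port-25 SYNs. Swapping the order only swaps which limit is enforced; a per-source cap and a total cap are not stacked by ordering two `limit` rules, and a single `limit` clause with several keys still carries one N.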