ipfw / drop sessions / incoming http / keep-state

Brian bbayorgeon at new.rr.com
Sun Feb 6 22:16:41 PST 2005


I'm trying to sort out an issue with drop session error
messages...see below

Can someone please explain the difference / benefits
between the two possible firewall rules shown below?

I have been uncertain if I should use the keep-state
option for the incoming connections.  Incoming
connections seem to work ok without keep-state,
but I also seem to get the drop session errors
when there are incoming http connections.

Thanks for your help


From firewall script

#$cmd 396 allow tcp from any to me 80 in via $oif setup limit src-addr 4
# Incoming http connections
 $cmd 396 allow tcp from any to me 80 in via $oif setup $ks
# Incoming http connections

From Log File

Feb  6 12:03:25 rakort kernel: drop session, too many entries
Feb  6 12:03:51 rakort last message repeated 4 times
Feb  6 12:05:46 rakort last message repeated 13 times

More information about the freebsd-questions mailing list