ipfw limit src-addr woes

admin admin at azuni.net
Sat Feb 17 20:30:10 UTC 2007

Hi, I'm trying to use ipfw's limit clause to limit the number of 
connections a single IP can have at the same time in a transparent 
web-proxy environment:

00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 
80 in via if0 setup limit src-addr 10
00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
... the rest fwd...

the problem is that the src-addr limit is not enforced for some nasty 
clients that open a huge number (3-5 times the prescribed value) of 
www-connections to some single address Out There, forcing you to bump up 
certain sysctl variables (such as kern.ipc.nmbclusters, 
kern.ipc.maxsockets, etc.) to mitigate the DOS effects. What might be 
going on? Is ipfw broken, or am I misusing it?

OS: FreeBSD 6.2

More information about the freebsd-questions mailing list