ipfw limit src-addr woes
admin
admin at azuni.net
Sat Feb 17 20:30:10 UTC 2007

Hi, I'm trying to use ipfw's limit clause to limit the number of
connections a single IP can have at the same time in a transparent
web-proxy environment:

00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port 80 in via if0 setup limit src-addr 10
00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
... the rest fwd...

The problem is that the src-addr limit is not enforced for some nasty
clients that open a huge number (3-5 times the prescribed value) of
www-connections to some single address Out There, forcing you to bump up
certain sysctl variables (such as kern.ipc.nmbclusters,
kern.ipc.maxsockets, etc.) to mitigate the DoS effects. What might be
going on? Is ipfw broken, or am I misusing it?

OS: FreeBSD 6.2
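A check worth running before deciding whether ipfw or the rule is at fault, added here and not part of the original post: count the dynamic LIMIT states ipfw actually holds per source address and compare them with the 10 in rule 350. The `ipfw -d list` output below is constructed (format approximated from ipfw's dynamic-rule listing, not captured from the poster's box), and the addresses are TEST-NET placeholders.

```shell
#!/bin/sh
# Constructed sample of `ipfw -d list` dynamic-rule output (format
# approximated; not real data). LIMIT lines are the per-connection states
# a "limit src-addr N" rule creates; PARENT lines are the per-source
# bookkeeping entries that carry the current count.
SAMPLE_IPFW_D='## Dynamic rules (17 2048):
00350       0        0 (5s) PARENT 12 tcp 10.0.0.5 0 <-> 0.0.0.0 0
00350       0        0 (5s) PARENT 3 tcp 10.0.0.9 0 <-> 0.0.0.0 0
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49152 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49153 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49154 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49155 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49156 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49157 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49158 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49159 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49160 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49161 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49162 <-> 203.0.113.7 80
00350      14     1986 (4s) LIMIT tcp 10.0.0.5 49163 <-> 203.0.113.7 80
00350       7      940 (4s) LIMIT tcp 10.0.0.9 51000 <-> 203.0.113.7 80
00350       7      940 (4s) LIMIT tcp 10.0.0.9 51001 <-> 198.51.100.20 80
00350       7      940 (4s) LIMIT tcp 10.0.0.9 51002 <-> 198.51.100.20 80'

# Read `ipfw -d list` on stdin; print "src-addr count" of LIMIT states per
# source, highest count first. Field 5 is the state type, field 7 the source.
count_limit_states() {
    awk '$5 == "LIMIT" { n[$7]++ }
         END { for (a in n) print a, n[a] }' | sort -k2,2nr
}

# Print only the sources whose LIMIT state count exceeds the limit in $1.
over_limit() {
    limit="$1"
    count_limit_states | awk -v lim="$limit" '$2 + 0 > lim + 0 { print }'
}

# Demo on the constructed sample with the rule's limit of 10.
printf '%s\n' "$SAMPLE_IPFW_D" | over_limit 10
```

On a live box the equivalent is `ipfw -d list | over_limit 10`; if no source ever shows more than 10 LIMIT states while netstat shows far more client connections, the excess connections are not being matched by rule 350 at all, which is a different problem from the limit not being enforced.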