ipfw limit src-addr woes

Abdullah Ibn Hamad Al-Marri almarrie at gmail.com
Sun Feb 18 06:19:45 UTC 2007

On 2/17/07, admin <admin at azuni.net> wrote:
> Hi, I'm trying to use ipfw's limit clause to limit the number of
> connections a single IP can have at the same time in a transparent
> web-proxy environment:
> 00350 skipto 401 tcp from x.x.x.x/x,y.y.y.y/y,z.z.z.z/z to any dst-port
> 80 in via if0 setup limit src-addr 10
> 00401 fwd local.ip.ad.dr,8080 tcp from x.x.x.x/x to any dst-port 80
> ... the rest fwd...
> The problem is that the src-addr limit is not enforced for some nasty
> clients that open a huge number (3-5 times the prescribed value) of
> www-connections to some single address Out There, forcing you to bump up
> certain sysctl variables (such as kern.ipc.nmbclusters,
> kern.ipc.maxsockets, etc.) to mitigate the DoS effects. What might be
> going on? Is ipfw broken, or am I misusing it?
> OS: FreeBSD 6.2

I would go for pf instead of ipfw for that job ;)


-Abdullah Ibn Hamad Al-Marri
Arab Portal
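One way to check whether the `limit src-addr 10` rule from the question is actually tracking the offending clients is to count ipfw's own dynamic LIMIT states per source address, since that count is what the limit is enforced against. This is an added example, not code from either poster; the column layout of `ipfw -d show` dynamic-rule lines (rule, packets, bytes, ttl, type, proto, src sport <-> dst dport) and the sample lines are assumptions constructed for the demo.

```shell
#!/bin/sh
# Constructed sample of dynamic-rule lines as `ipfw -d show` prints them
# (assumed layout; real output will have the real counters and TTLs).
SAMPLE_DYN='00350 3 180 (5s) LIMIT tcp 10.0.0.5 40001 <-> 93.184.216.34 80
00350 2 120 (5s) LIMIT tcp 10.0.0.5 40002 <-> 93.184.216.34 80
00350 1 60 (5s) LIMIT tcp 10.0.0.5 40003 <-> 93.184.216.34 80
00350 4 240 (5s) LIMIT tcp 10.0.0.6 50001 <-> 93.184.216.34 80
00350 0 0 (5s) LIMIT_PARENT tcp 10.0.0.5 0 <-> 0.0.0.0 0'

# over_limit LIMIT: read dynamic-rule lines on stdin and print
# "<count> <src-addr>" for every source holding more than LIMIT
# LIMIT states. Field 5 is the state type, field 7 the source address.
over_limit() {
    limit="$1"
    awk -v limit="$limit" '
        $5 == "LIMIT" { n[$7]++ }
        END { for (s in n) if (n[s] > limit) print n[s], s }
    ' | sort
}

# Count every tracked LIMIT state for one source address.
states_for() {
    awk -v src="$1" '$5 == "LIMIT" && $7 == src { c++ } END { print c + 0 }'
}

# Stand-alone demo on the constructed sample; on a live box run
#   ipfw -d show | over_limit 10
# and compare against `netstat -an | grep ESTABLISHED` for the same
# client: connections present there but absent here never matched rule 350.
printf '%s\n' "$SAMPLE_DYN" | over_limit 2
```

If a client shows more established connections in `netstat` than states here, those connections bypassed the limit rule rather than defeating it.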

More information about the freebsd-questions mailing list