ipfw connections limit

Hello

Is it possible to limit UDP connections with ipfw?
The FreeBSD docs page explains only TCP:
Code:
     ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
     ipfw add allow tcp from any to me setup limit src-addr 4

     The former (assuming it runs on a gateway) will allow each host on a /24
     network to open at most 10 TCP connections.  The latter can be placed on
     a server to make sure that a single client does not use more than 4
     simultaneous connections.

I am trying to limit TCP and UDP separately, and both together, and wrote rules like these:
Code:
#!/bin/sh

cmd="ipfw -q"

#--- resetting ---

$cmd flush
$cmd pipe flush
$cmd queue flush
$cmd table all flush


#----Table 1-------------------------
$cmd table 1 add net1/24
$cmd table 1 add net2/24
$cmd table 1 add net3/24
$cmd table 1 add net4/24

# ------ FW ----------------------
#$cmd add allow tcp from "table(1)" to any setup limit src-addr 200
#$cmd add allow ip  from "table(1)" to any setup limit src-addr 200
#$cmd add allow udp from "table(1)" to any setup limit src-addr 200
$cmd add allow { tcp or udp } from "table(1)" to any setup limit src-addr 200

But in the security log I can see that only port 80 TCP connections are dropped (and any others, but I can't tell whether TCP or UDP):

Code:
Aug 13 11:24:30 core kernel: ipfw: 1200 drop session ip:37341 -> 213.91.247.144:21416, too many entries
Aug 13 11:24:34 core kernel: ipfw: 1200 drop session ip:37357 -> 85.14.4.130:80, too many entries
Aug 13 11:24:38 core kernel: ipfw: 1200 drop session ip:37372 -> 79.124.67.133:80, too many entries
Aug 13 11:24:43 core kernel: ipfw: 1200 drop session ip:37398 -> 79.124.67.133:80, too many entries
Aug 13 11:24:44 core kernel: ipfw: 1200 drop session ip:37407 -> 79.124.67.133:80, too many entries
Aug 13 11:24:50 core kernel: ipfw: 1200 drop session ip:37430 -> 85.14.4.135:80, too many entries

core# ipfw -d show | fgrep ip | wc -l
     201
core# ipfw -d show | fgrep ip | wc -l
     201
core# ipfw -d show | fgrep ip | wc -l
     201
core# ipfw -d show | fgrep ip | wc -l
     201
core# ipfw -d show | fgrep ip | wc -l
     201
 
Code:
#$cmd add allow ip  from "table(1)" to any setup limit src-addr 200
#$cmd add allow udp from "table(1)" to any setup limit src-addr 200

ip and udp do not have setup - it is only tcp-related stuff...
Your ipfw ruleset is incorrect. Do not use the "setup" keyword with them.
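As an added example (not code from any poster in this thread), a small /bin/sh fragment that applies the correction above: `setup` matches the TCP SYN that opens a connection, so it belongs only on the tcp rule, while the udp rule uses `limit src-addr N` on its own and ipfw creates the per-source dynamic entry from the first packet of each flow. The `IPFW_CMD` variable and the `check_rule` lint are assumptions of this example; by default the script only prints the `ipfw` commands so it can be read and run on any machine.

```shell
#!/bin/sh
# Added example, not code from the thread: "setup" is only valid on a tcp
# rule; a udp rule gets "limit src-addr N" alone and ipfw tracks the flow
# as a dynamic entry created by its first packet.
# IPFW_CMD is an assumed knob: it defaults to printing the commands so the
# script runs anywhere; set IPFW_CMD="ipfw -q" on the gateway itself.
cmd="${IPFW_CMD:-echo ipfw -q}"

# check_rule RULE: exit status 0 if RULE is fine, 1 if it pairs "setup"
# with anything other than plain tcp (ip, udp, { tcp or udp }, ...).
check_rule() {
    rule="$1"
    case " $rule " in
        *" setup "*) ;;          # uses setup: inspect the protocol word
        *) return 0 ;;           # no setup: nothing to check
    esac
    set -- $rule                 # $1=action $2=protocol ...
    [ "$2" = "tcp" ]
}

# limit_rules TABLE N: print one rule per protocol so TCP connections and
# UDP flows from each source address in TABLE are limited to N separately.
limit_rules() {
    printf 'allow tcp from table(%s) to any setup limit src-addr %s\n' "$1" "$2"
    printf 'allow udp from table(%s) to any limit src-addr %s\n' "$1" "$2"
}

# apply_rules TABLE N: lint each generated rule, then hand it to ipfw.
apply_rules() {
    while IFS= read -r rule; do
        check_rule "$rule" || { echo "refusing: $rule" >&2; return 1; }
        $cmd add $rule
    done <<EOF
$(limit_rules "$1" "$2")
EOF
}

apply_rules 1 200
```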
 
terminus said:
Code:
#$cmd add allow ip  from "table(1)" to any setup limit src-addr 200
#$cmd add allow udp from "table(1)" to any setup limit src-addr 200

ip and udp do not have setup - it is only tcp-related stuff...
Your ipfw ruleset is incorrect. Do not use the "setup" keyword with them.


Hm, just testing again with the ip rule:
Code:
200    25712081    21202350406 Fri Aug 13 12:15:31 2010 allow ip from table(1) to any setup limit src-addr 200
 
Sorry to open this up again, but it's because UDP is stateless: the data is sent without checking whether the target is really there, unlike TCP, which first makes a connection handshake using SYN and then sends the data. So basically there is no connection; it just sends the data, that's it, and the server usually verifies whether the packet was received, while TCP makes a connection through SYN/ACK handshakes and then sends data.

This is also the reason why there is no option for this in the firewall, because there isn't such a thing as a setup on UDP connections :p
 