From nobody@FreeBSD.org  Mon Apr  1 20:31:34 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id E4E9637B400
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  1 Apr 2002 20:31:33 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g324VXN57456;
	Mon, 1 Apr 2002 20:31:33 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200204020431.g324VXN57456@freefall.freebsd.org>
Date: Mon, 1 Apr 2002 20:31:33 -0800 (PST)
From: Joe Barbish <barbish@a1poweruser.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: 4.5 man page on ipfw new option limit is way too vague.
X-Send-Pr-Version: www-1.0

>Number:         36642
>Category:       docs
>Synopsis:       4.5 man page on ipfw new option limit is way too vague.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 01 20:40:02 PST 2002
>Closed-Date:    Tue Aug 20 13:04:26 PDT 2002
>Last-Modified:  Tue Aug 20 13:04:26 PDT 2002
>Originator:     Joe Barbish
>Release:        4.5
>Organization:
>Environment:
>Description:
In FBSD version 4.5 there is a new ipfw rule option called limit.
Below is the man page on this option.

*******************************************************************
limit {src-addr | src-port | dst-addr | dst-port} N
    The firewall will only allow N connections with the same
    set of parameters as specified in the rule.  One or more
    of source and destination addresses and ports can be
    specified.


To limit the number of connections a user can open you can use the
following type of rules:


  ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
  ipfw add allow tcp from any to me setup limit src-addr 4

The former (assuming it runs on a gateway) will allow each host 
on a /24 network to open at most 10 TCP connections.  
The latter can be placed on a server to make sure that a single client
 does not use more than 4 simultaneous connections.
*******************************************************************

I find it hard to comprehend from this verbiage what the author is trying to
say.
Using this example:


ipfw add allow tcp from any to me setup limit src-addr 4

Is it saying that for each unique IP address in the src IP
address field it will allow up to 4 simultaneous connections?
So I would see

src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.11  rejected

or would I see

src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.12  accept
src_ip_addr 122.33.45.11  accept
src_ip_addr 122.33.45.11  rejected
src_ip_addr 122.33.45.12  rejected
src_ip_addr 122.33.45.12  rejected
src_ip_addr 122.33.45.11  rejected
src_ip_addr 122.33.45.11  rejected

How does limit know when a packet has completed so as to remove it
from the count?

The real question is what is the limit option really doing and
how does it do it?

   
>How-To-Repeat:
      
>Fix:
Send me a detailed explanation that I can use to suggest some verbiage
to add to clarify how the limit option functions.
 
>Release-Note:
>Audit-Trail:

From: Josh Paetzel <friar_josh@webwarrior.net>
To: freebsd-gnats-submit@freebsd.org
Cc: barbish@poweruser.com
Subject: Re:docs/36642 (4.5 man page on ipfw new option limit is way too
	vague.)
Date: 17 Aug 2002 14:58:43 +0000

 >I find this verbiage hard to comprehend what the author is trying to
 >say.
 >using this example
 
 >ipfw add allow tcp from any to me setup limit src-addr 4
 
 >Is it saying that for each unique ip address in the src ip
 >address field it will allow up to 4 simultaneous connections.
 
 
 Look at the example in the man page: 
 The latter can be placed on a server to make sure that a single client
 does not use more than 4 simultaneous connections.
 
 >So I would see
 
 >src_ip_addr 122.33.45.11  accept
 >src_ip_addr 122.33.45.12  accept
 >src_ip_addr 122.33.45.12  accept
 >src_ip_addr 122.33.45.11  accept
 >src_ip_addr 122.33.45.11  accept
 >src_ip_addr 122.33.45.12  accept
 >src_ip_addr 122.33.45.12  accept
 >src_ip_addr 122.33.45.11  accept
 >src_ip_addr 122.33.45.11  rejected
 
 >or would I see 
 
 >src_ip_addr 122.33.45.11  accept
 >src_ip_addr 122.33.45.12  accept
 >src_ip_addr 122.33.45.12  accept
 >src_ip_addr 122.33.45.11  accept
 >src_ip_addr 122.33.45.11  rejected
 >src_ip_addr 122.33.45.12  rejected
 >src_ip_addr 122.33.45.12  rejected
 >src_ip_addr 122.33.45.11  rejected
 >src_ip_addr 122.33.45.11  rejected
 
 Well, according to the example in the man page, you would see what's
 behind door number 1.
 
     
 >How does Limit know when a packet has completed so as the remove it
 >from the count?
 
 One would assume that it uses a process similar or identical to natd. 
 It keeps a table of active connections.
 
 >The real question is what is the limit option really doing and
 >how does he do it?
 
 Limit is allowing ipfw a new way to tune their network's reaction under
 load, and/or allowing administrators more granularity in their
 filtering (e.g., we only want 4 of our techs using irc at any one time).
 
 I don't agree that a man page should explain every little detail about
 its inner workings.  There are plenty of binaries that have been around
 for years with less documentation than this.  
 
 
 I recommend we close this pr out.
 
 Josh
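
The two questions in the PR (which of the two accept/reject sequences a
per-source limit produces, and how a finished connection leaves the count)
can be answered by modelling the bookkeeping behind limit. The Python below is
an added illustration written for this page; it is not code from the PR, from
the ipfw(8) man page or from FreeBSD's kernel. ipfw builds limit on the same
dynamic-rule table that keep-state uses: every TCP setup packet (SYN) that
matches the rule asks to create a dynamic entry for its flow, the request is
refused when the live entries sharing the fields named in the limit mask
already number N, and entries leave the table when the flow is torn down
(FIN/RST) or when they sit idle past the net.inet.ip.fw.dyn_*_lifetime
sysctls. The single idle lifetime, the flow-tuple layout, the 10.0.0.1:22
server address and the source ports are constructed simplifications for the
model.

```python
"""Added illustration of ipfw's ``limit`` bookkeeping (example code for this
page, not the PR's, the man page's or FreeBSD's). ipfw keeps one dynamic entry
per flow; a ``limit`` rule refuses to add an entry when the live entries that
share the masked fields already number N. The flow tuple layout, the single
``idle_lifetime`` (stand-in for the dyn_*_lifetime sysctls), the 10.0.0.1:22
server and the 40000+ source ports are constructed for the model.
"""
from dataclasses import dataclass, field

FIELDS = ("src-addr", "src-port", "dst-addr", "dst-port")  # order inside a flow tuple


@dataclass
class LimitRule:
    mask: tuple           # fields named after "limit", e.g. ("src-addr",)
    n: int                # the N in "limit <mask> N"
    idle_lifetime: int    # seconds an idle entry survives (simplified lifetime)
    table: dict = field(default_factory=dict)   # flow tuple -> time last seen

    def _key(self, flow):
        """Project a flow onto the masked fields; equal keys share one budget of N."""
        return tuple(flow[FIELDS.index(m)] for m in self.mask)

    def expire(self, now):
        """What the dynamic-rule timer does: reap entries idle longer than the lifetime."""
        for f in [f for f, seen in self.table.items() if now - seen > self.idle_lifetime]:
            del self.table[f]

    def count(self, flow):
        """Live entries sharing this flow's key, i.e. the key's current consumption."""
        key = self._key(flow)
        return sum(1 for f in self.table if self._key(f) == key)

    def setup(self, flow, now):
        """A SYN matched the rule: accept and record it, or drop it when the key is at N."""
        self.expire(now)
        if flow in self.table:            # retransmitted SYN of a flow already held
            self.table[flow] = now
            return "accept"
        if self.count(flow) >= self.n:
            return "drop"                 # the excess SYN is dropped, not answered
        self.table[flow] = now
        return "accept"

    def close(self, flow):
        """FIN or RST seen for the flow: its entry goes away and frees a slot."""
        self.table.pop(flow, None)


SERVER = ("10.0.0.1", 22)   # constructed stand-in for "me"
# The order of SYN source addresses from the PR's question.
SEQUENCE = ["122.33.45.11", "122.33.45.12", "122.33.45.12", "122.33.45.11",
            "122.33.45.11", "122.33.45.12", "122.33.45.12", "122.33.45.11",
            "122.33.45.11"]


def door_one_sequence(limit=4):
    """'allow tcp from any to me setup limit src-addr 4' applied to the PR's SYN order."""
    rule = LimitRule(mask=("src-addr",), n=limit, idle_lifetime=300)
    # Each SYN is a new connection, so it carries a distinct source port.
    return [rule.setup((src, 40000 + i, *SERVER), now=i) for i, src in enumerate(SEQUENCE)]


def slot_freed_by_close():
    """A 5th connection from one host is dropped until one of its 4 is torn down."""
    rule = LimitRule(mask=("src-addr",), n=4, idle_lifetime=300)
    flows = [("122.33.45.11", 40000 + i, *SERVER) for i in range(5)]
    for f in flows[:4]:
        rule.setup(f, now=0)
    blocked = rule.setup(flows[4], now=1)
    rule.close(flows[0])                   # FIN/RST on the first connection
    return blocked, rule.setup(flows[4], now=2)


def slot_freed_by_idle_expiry():
    """Entries that go idle are reaped by the timer even without a FIN or RST."""
    rule = LimitRule(mask=("src-addr",), n=2, idle_lifetime=60)
    for port in (40000, 40001):
        rule.setup(("122.33.45.11", port, *SERVER), now=0)
    late = ("122.33.45.11", 40002, *SERVER)
    return rule.setup(late, now=10), rule.setup(late, now=100)


def combined_mask_budget():
    """'limit src-addr dst-port 1': one connection per client per destination port."""
    rule = LimitRule(mask=("src-addr", "dst-port"), n=1, idle_lifetime=300)
    ssh_a = ("122.33.45.11", 40000, "10.0.0.1", 22)
    ssh_b = ("122.33.45.11", 40001, "10.0.0.1", 22)
    http = ("122.33.45.11", 40002, "10.0.0.1", 80)
    return rule.setup(ssh_a, 0), rule.setup(ssh_b, 0), rule.setup(http, 0)


if __name__ == "__main__":
    for src, verdict in zip(SEQUENCE, door_one_sequence()):
        print(f"src_ip_addr {src}  {verdict}")
```

Run stand-alone, the model reproduces the first sequence in the PR (eight
accepts, then the fifth SYN from 122.33.45.11 dropped); the second sequence is
what the same SYN order yields with limit src-addr 2, not with a counter shared
across sources. Two caveats for anyone relying on limit as a denial-of-service
control: the budget is per key, so an attacker spreading SYNs over many source
addresses gets N entries per address and is bounded only by the size of the
dynamic table (net.inet.ip.fw.dyn_max, watched via net.inet.ip.fw.dyn_count),
and because a bare SYN is enough to install an entry, half-open connections
from spoofed sources occupy slots until net.inet.ip.fw.dyn_syn_lifetime reaps
them.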
 
 
State-Changed-From-To: open->closed 
State-Changed-By: ceri 
State-Changed-When: Tue Aug 20 13:03:06 PDT 2002 
State-Changed-Why:  
This is really a question. 
Please ask on questions@FreeBSD.org if you are still having problems 
understanding the syntax. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=36642 
>Unformatted:
