# ipfw connections limit



## bsdfunn (Aug 13, 2010)

Hello

Is it possible to limit UDP connections with ipfw?
The FreeBSD docs page explains only TCP:

```
ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
ipfw add allow tcp from any to me setup limit src-addr 4

The former (assuming it runs on a gateway) will allow each host on a /24
network to open at most 10 TCP connections.  The latter can be placed on
a server to make sure that a single client does not use more than 4
simultaneous connections.
```

I am trying to limit TCP and UDP separately, and both together, with rules like these:

```
#!/bin/sh

cmd="ipfw -q"

#--- resetting ---
$cmd flush
$cmd pipe flush
$cmd queue flush
$cmd table all flush

#---- Table 1 -------------------------
$cmd table 1 add net1/24
$cmd table 1 add net2/24
$cmd table 1 add net3/24
$cmd table 1 add net4/24

# ------ FW ----------------------
#$cmd add allow tcp from "table(1)" to any setup limit src-addr 200
#$cmd add allow ip  from "table(1)" to any setup limit src-addr 200
#$cmd add allow udp from "table(1)" to any setup limit src-addr 200
$cmd add allow { tcp or udp } from "table(1)" to any setup limit src-addr 200
```
 
But in the security log I can see that only port 80 TCP connections are dropped (and some others, but I can't tell whether they are TCP or UDP):


```
Aug 13 11:24:30 core kernel: ipfw: 1200 drop session ip:37341 -> 213.91.247.144:21416, too many entries
Aug 13 11:24:34 core kernel: ipfw: 1200 drop session ip:37357 -> 85.14.4.130:80, too many entries
Aug 13 11:24:38 core kernel: ipfw: 1200 drop session ip:37372 -> 79.124.67.133:80, too many entries
Aug 13 11:24:43 core kernel: ipfw: 1200 drop session ip:37398 -> 79.124.67.133:80, too many entries
Aug 13 11:24:44 core kernel: ipfw: 1200 drop session ip:37407 -> 79.124.67.133:80, too many entries
Aug 13 11:24:50 core kernel: ipfw: 1200 drop session ip:37430 -> 85.14.4.135:80, too many entries

core# ipfw -d show | fgrep ip | wc -l
      201
core# ipfw -d show | fgrep ip | wc -l
      201
core# ipfw -d show | fgrep ip | wc -l
      201
core# ipfw -d show | fgrep ip | wc -l
     201
core# ipfw -d show | fgrep ip | wc -l
     201
```


----------



## terminus (Aug 13, 2010)

```
#$cmd add allow ip  from "table(1)" to any setup limit src-addr 200
#$cmd add allow udp from "table(1)" to any setup limit src-addr 200
```

ip and udp do not have *setup*; it is TCP-only stuff...
Your ipfw ruleset is incorrect. Do not use the "setup" keyword with them.


----------
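The thread leaves the working UDP rule implicit, so here is an added example (not code from the thread or from FreeBSD) of the first post's ruleset with the mistake terminus points out fixed. In ipfw, `setup` is shorthand for `tcpflags syn,!ack`, so a rule carrying it can only ever match TCP SYN packets whatever protocol keyword precedes it, which is why the log only ever showed TCP sessions being dropped. The script also lints a ruleset for that mistake and summarises `drop session` log lines by rule number and destination port. The network ranges, the limits, the `FWCMD` dry-run variable and the sample log lines are assumptions constructed for the example, not taken from the posts.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.
# "setup" in ipfw is shorthand for "tcpflags syn,!ack", so it can only match
# TCP SYN packets no matter which protocol keyword precedes it. A UDP limit
# therefore has to be a plain "limit src-addr N" rule; every new UDP flow
# (src/dst address and port) then counts as one session.
#
# FWCMD defaults to a dry run ("echo ipfw -q") so the script runs anywhere;
# set FWCMD="ipfw -q" on the gateway to load the rules for real. The
# networks and limits are hypothetical stand-ins for net1/24 .. net4/24.

FWCMD="${FWCMD:-echo ipfw -q}"
LAN_NETS="${LAN_NETS:-192.0.2.0/24 198.51.100.0/24}"
TCP_LIMIT="${TCP_LIMIT:-200}"
UDP_LIMIT="${UDP_LIMIT:-200}"

# emit_ruleset prints one ipfw argument list per line so the rules can be
# reviewed and linted before anything touches the firewall.
emit_ruleset() {
    echo "flush"
    echo "table 1 flush"
    for net in $LAN_NETS; do
        echo "table 1 add $net"
    done
    # packets of an already-known session match their dynamic rule here and
    # never reach the limit rules again
    echo "add 100 check-state"
    # TCP: count connection attempts (SYN without ACK), as in ipfw(8)
    echo "add 200 allow tcp from table(1) to any setup limit src-addr $TCP_LIMIT"
    # UDP: no "setup" here; the limit applies to every new UDP flow
    echo "add 300 allow udp from table(1) to any limit src-addr $UDP_LIMIT"
}

# lint_ruleset reads rules on stdin and reports each rule that combines
# "setup" with a protocol other than tcp, the mistake the thread is about.
# Returns 1 if at least one such rule was found.
lint_ruleset() {
    awk '
    BEGIN { bad = 0 }
    $1 == "add" && / setup / {
        proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "allow" || $i == "deny" || $i == "pass" || $i == "drop") {
                proto = $(i + 1)
                break
            }
        }
        if (proto != "tcp") {
            print "setup on non-tcp rule: " $0
            bad = 1
        }
    }
    END { exit bad }'
}

# load_ruleset refuses to load anything when the lint fails. The argument
# lists go straight to ipfw as argv, so "table(1)" needs no shell quoting.
load_ruleset() {
    emit_ruleset | lint_ruleset >&2 || return 1
    emit_ruleset | while read -r args; do
        $FWCMD $args
    done
}

# drop_summary tallies "drop session ... too many entries" lines by rule
# number and destination port. The line does not name the protocol, but
# once TCP and UDP have separate rules the rule number tells you which one
# hit its limit.
drop_summary() {
    awk '/ipfw: [0-9]+ drop session .* too many entries/ {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i + 1)
        dst = $(i + 6)
        sub(/,$/, "", dst)
        n = split(dst, parts, ":")
        count[rule " dst_port=" parts[n]]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample lines in the shape of the log quoted in the first post.
SAMPLE_LOG='Aug 13 11:24:30 core kernel: ipfw: 1200 drop session 192.0.2.10:37341 -> 203.0.113.5:21416, too many entries
Aug 13 11:24:34 core kernel: ipfw: 1200 drop session 192.0.2.10:37357 -> 203.0.113.6:80, too many entries
Aug 13 11:24:38 core kernel: ipfw: 1200 drop session 192.0.2.10:37372 -> 203.0.113.7:80, too many entries'

load_ruleset
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

Run as-is to see the ipfw commands the script would issue, and with `FWCMD="ipfw -q"` on the gateway to load them. `ipfw -d show` then lists the dynamic entries together with their protocol, which is the quickest way to see whether a given host is holding TCP or UDP sessions. Because a UDP "session" lives only until its dynamic entry expires, the `net.inet.ip.fw.dyn_udp_lifetime` sysctl is worth checking when tuning the UDP limit: a short lifetime lets a busy host churn through many flows without ever hitting it, a long one makes the limit bite sooner.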



## bsdfunn (Aug 13, 2010)

terminus said:

> ```
> #$cmd add allow ip  from "table(1)" to any setup limit src-addr 200
> #$cmd add allow udp from "table(1)" to any setup limit src-addr 200
> ```
> ...




Hm, just testing again with the ip rule:

```
200    25712081    21202350406 Fri Aug 13 12:15:31 2010 allow ip from table(1) to any setup limit src-addr 200
```


----------



## Ofloo (May 17, 2011)

Sorry to open this up again. It's because UDP is stateless: the data is sent without checking whether the target is really there, unlike TCP, which first makes a connection handshake using SYN and then sends the data. So basically there is no connection, it just sends the data, that's it, and the server usually verifies whether the packet was received, while TCP makes a connection through the SYN/ACK handshake and then sends data.

This is also the reason why there is no option for this in the firewall: there is no such thing as a setup on UDP connections.


----------

