# Help with IPFW - strange behaviour?



## rhasson (Mar 3, 2011)

Hello!

I'm doing a setup of stateful rules with IPFW and I'm facing two strange situations.

The first one is about the check-state. I cannot see any activity on check-state (first rule) when I'm using keep-state rules...


```
00001      0         0 check-state
00003 180970 127688082 allow tcp from 189.0.0.0/8 to MYSERVER dst-port 80 setup keep-state
```
I can see that the dynamic rules is being created 

```
net.inet.ip.fw.dyn_count: 58
```
And the time out of rules is 30 seconds.

So, should be passing some connections on check-state as would have connections already opened?

And the second question is about limit src-addr usage.

If I do a rule like that: 

```
ipfw add 2 permit tcp from 189.0.0.0/8 to MYSERVER 80 limit src-addr 10
```

It will be limiting to 10 EACH connection of a source inside of class 189.0.0.0/8 OR it will be limited only 10 connections to ALL class 189.0.0.0/8?

I'm asking that because when I create this rule, some customers with IP 189.*.*.* sometimes cannot access the website WHILE others customers with same class (not same ip) 189.*.*.* CAN access it normally. 

If I delete the limit rule the customer with issue can access it exactly on time of rule deletion, so don't make sense to me some people accessing normally and some not with different IPS but same class.

I really would appreciate some help on that!

Thanks in advance


----------



## aragon (Mar 4, 2011)

rhasson said:
			
		

> The first one is about the check-state. I cannot see any activity on check-state (first rule) when I'm using keep-state rules...


You won't, by design.  The activity is counted in the keep-state rules that created the state entry.


----------



## rhasson (Mar 5, 2011)

*aragon,*

When should I use the check-state if the check is done on the keep-state? 

*DutchDaemon,*

Thanks for the Edit!

*All,*

About the second issue, I was analyzing the connections with the IP from the customer that sometimes cannot access the website, and the strange is that it's really using the 10 connections without any proper reason, seems that the connections get stucked and are not dropped after the end of communication, even with the customer browser closed I still can see the connections keep recycling forever as you can see below.



```
[root@gw /home/rafael]# ipfw -d show | grep CUSTOMERIP
00003    377    231104 (34s) LIMIT tcp CUSTOMERIP 21802 <-> MYSERVER 80
00003    253    161154 (49s) LIMIT tcp CUSTOMERIP 21793 <-> MYSERVER 80
00003    231    142148 (49s) LIMIT tcp CUSTOMERIP 21792 <-> MYSERVER 80
00003    111     17956 (49s) LIMIT tcp CUSTOMERIP 21798 <-> MYSERVER 80
00003    515    438808 (49s) LIMIT tcp CUSTOMERIP 21788 <-> MYSERVER 80
00003    171     70508 (49s) LIMIT tcp CUSTOMERIP 21791 <-> MYSERVER 80
00003    113     22394 (59s) LIMIT tcp CUSTOMERIP 21878 <-> MYSERVER 80
00003   1065    803760 (59s) LIMIT tcp CUSTOMERIP 21870 <-> MYSERVER 80
00003    489    353980 (24s) LIMIT tcp CUSTOMERIP 21857 <-> MYSERVER 80
00003      0         0 (0s) PARENT 10 tcp CUSTOMERIP 0 <-> 0.0.0.0 0
```

Appreciate some help 

Thanks,


----------

