> when using ipfw queue + limit
>
>${fwcmd} pipe "${rule}1" config bw ${bwf_out}Kbit/s
>${fwcmd} pipe "${rule}2" config bw ${bwf_in}Kbit/s
>${fwcmd} queue "${rule}1" config pipe "${rule}1"
>${fwcmd} queue "${rule}2" config pipe "${rule}2"
>${fwcmd} add "${rule}3" queue "${rule}1" all from $ip to any via "${if_shape}" limit src-addr ${N_con}
>${fwcmd} add "${rule}4" queue "${rule}2" all from any to $ip via "${if_shape}" limit dst-addr ${N_con}
>
> the following happens:
> already existing sessions are simply dropped when new ones appear;
> example: N_con=10, ssh (2 minutes idle), on opening http (4-8 connections) the ssh
> session is dropped.
>
> any ideas?
Limit is part of the stateful firewall:
man ipfw
STATEFUL FIREWALL
Stateful operation is a way for the firewall to dynamically create rules
for specific flows when packets that match a given pattern are detected.
Support for stateful operation comes through the check-state, keep-state
and limit options of rules.
....
Dynamic rules expire after some time, which depends on the status of the
flow and the setting of some sysctl variables. See Section SYSCTL
VARIABLES for more details. For TCP sessions, dynamic rules can be
instructed to periodically send keepalive packets to refresh the state of
the rule when it is about to expire.
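An added diagnostic, not from the thread: it parses `ipfw -d show` output (a constructed sample below, in the `(lifetime) STATE proto src sport <-> dst dport` form, which is assumed) to count how many dynamic rules a host currently holds against its `limit` and to show which state expires soonest. The rule number, addresses and N_con are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Parses `ipfw -d show` dynamic-rule
# lines (assumed format: "rule pkts bytes (Ns) STATE proto src sport <-> dst dport")
# and reports, per parent rule and source address, how many states count
# against the limit and which one is closest to expiry.
# SAMPLE is constructed; rule 01003, the addresses and N_con are assumed.

SAMPLE='## Dynamic rules (4 1024):
01003   212   18460 (41s) STATE tcp 192.0.2.10 51022 <-> 203.0.113.5 22
01003     9    1240 (298s) STATE tcp 192.0.2.10 51100 <-> 203.0.113.80 80
01003     7     980 (299s) STATE tcp 192.0.2.10 51101 <-> 203.0.113.80 80
01003    11    2100 (300s) STATE tcp 192.0.2.10 51102 <-> 203.0.113.80 80'

# dyn_states [rule] [src-addr] < ipfw-d-show-output
# Prints one line per (rule, src): "<rule> <src> <count> <soonest-secs> <flow>"
dyn_states() {
    awk -v want_rule="$1" -v want_src="$2" '
        $5 == "STATE" &&
        (want_rule == "" || $1 == want_rule) &&
        (want_src == "" || $7 == want_src) {
            key = $1 " " $7
            n[key]++
            secs = substr($4, 2, length($4) - 3) + 0   # "(41s)" -> 41
            if (!(key in min) || secs < min[key]) {
                min[key] = secs
                flow[key] = $6 " " $7 ":" $8 " <-> " $10 ":" $11
            }
        }
        END { for (k in n) print k, n[k], min[k], flow[k] }'
}

# limit_report RULE SRC N_CON < ipfw-d-show-output
# Marks the host AT_LIMIT when its state count has reached N_con, and names
# the state that will expire first (the one a long-idle session would be).
limit_report() {
    dyn_states "$1" "$2" | while read -r rule src count soonest flow; do
        if [ "$count" -ge "$3" ]; then status=AT_LIMIT; else status=ok; fi
        echo "$rule $src $count/$3 $status next_expiry=${soonest}s $flow"
    done
}

# Run against the constructed sample with N_con=4
printf '%s\n' "$SAMPLE" | limit_report 01003 192.0.2.10 4
```

On a live host replace the sample with `ipfw -d show | limit_report RULE SRC N_CON`; the `(Ns)` values are the remaining lifetimes governed by the `net.inet.ip.fw.dyn_*` sysctls the man page refers to.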