Re: Throttle connections from CIDR block?

On Wed, Aug 17, 2005 at 01:42:52PM +0800, Kent Ho wrote:
> Is there a way to throttle the number of connections from a CIDR block?
> e.g. Allow only 20 connections from the entire subnet.
> Is this possible?  At the moment I am only able to limit per IP.

Yes, it's possible with per-rule limits: restricting the number of
states one rule may create, like

  pass ... from ... keep state (max 20)

As soon as this rule tries to create more than 20 concurrent state
entries, further connections are dropped.

The tricky part is to make sure ALL connections from that block use this
rule as last matching rule. For instance, if you have multiple rules for
that block, like

  pass ... from to any port 25 keep state (max 20)
  pass ... from to any port 80 keep state (max 20)

the limits are not linked, i.e. there may be 20 connections to port 25
as well as 20 connections to port 80 (for a total of 40 connections).

You can use tags to funnel multiple matching rules through one last
matching rule (with a single limit there), like

  pass ... from to any port 25 tag limited
  pass ... from to any port 80 tag limited
  pass ... tagged limited keep state (max 20)

The usual per-IP limiting options (source-track, max-src-nodes,
max-src-states, max-src-conn, and max-src-conn-rate) don't work per CIDR
block, however.
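
The behaviour described in the message above, as an added Python model that is not part of the original post and is not pf code: it counts how many connections get through with two unlinked limits, with the tag funnel, and with the funnel plus a later broader rule that takes over as last match. The Rule class, the helper functions, the 192.0.2.0/24 block and the default-block policy are assumptions made for this illustration.

```python
# Simplified model (an assumption, not pf source): last matching rule decides,
# tags are sticky, a rule with max=N drops new connections at N states.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BLOCK = "192.0.2.0/24"  # constructed documentation prefix

@dataclass
class Rule:
    net: Optional[str] = None         # source CIDR; None matches any source
    port: Optional[int] = None        # destination port; None matches any
    tag: Optional[str] = None         # tag applied when the rule matches
    tagged: Optional[str] = None      # rule only matches packets with this tag
    max_states: Optional[int] = None  # keep state (max N)
    states: int = 0                   # states currently held (no expiry here)

    def matches(self, src, port, tag):
        return ((self.net is None or ip_address(src) in ip_network(self.net))
                and (self.port is None or self.port == port)
                and (self.tagged is None or self.tagged == tag))

def connect(rules, src, port):
    """Evaluate one new connection; True if the last matching rule creates state."""
    tag, last = None, None
    for rule in rules:
        if rule.matches(src, port, tag):
            tag, last = rule.tag or tag, rule  # tag sticks even if not last match
    if last is None:
        return False  # model assumes a default block policy
    if last.max_states is not None and last.states >= last.max_states:
        return False  # per-rule limit reached: connection dropped
    last.states += 1
    return True

def admitted(rules, per_port=30, ports=(25, 80)):
    """Attempt per_port connections to each port from hosts in BLOCK."""
    return sum(connect(rules, f"192.0.2.{i + 1}", p)
               for p in ports for i in range(per_port))

def unlinked():   # two rules, two independent counters
    return [Rule(BLOCK, 25, max_states=20), Rule(BLOCK, 80, max_states=20)]
def funneled():   # tag rules feed one last matching rule with one counter
    return [Rule(BLOCK, 25, tag="limited"), Rule(BLOCK, 80, tag="limited"),
            Rule(tagged="limited", max_states=20)]
def bypassed():   # a later, broader rule becomes the last match for port 80
    return funneled() + [Rule(port=80)]

if __name__ == "__main__":
    print(admitted(unlinked()), admitted(funneled()), admitted(bypassed()))
```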