Re: Throttle connections from CIDR block?



On 8/17/05, Daniel Hartmeier <[email protected]> wrote:
> On Wed, Aug 17, 2005 at 01:42:52PM +0800, Kent Ho wrote:
> > Is there a way to throttle the number of connections from a CIDR block?
> >
> > e.g. Allow only 20 connections from the entire 192.168.2.0/24 subnet.
. . .
> Yes, it's possible with per-rule limits: restricting the number of
> states one rule may create, like
>
> pass ... from 192.168.2.0/24 ... keep state (max 20)
Hey, that's a cool feature I hadn't noticed.
Unfortunately, just like queueing, you have to know which specific networks
your traffic is coming from in order to control the rate, whereas for a
web server you probably want to limit sessions and bandwidth for
any and all arbitrary /24 blocks.
How well can pf optimize a ~10 million line policy?
> The usual per-IP limiting options (source-track, max-src-nodes,
> max-src-states, max-src-conn, and max-src-conn-rate) don't work per CIDR
> block, however.
Some applications include code to throttle the number of concurrent
inbound connections from any CIDR block; this is a common request
for SMTP listeners.
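The application-level throttle the last paragraph mentions, written out as an added example for this page (it is not code from the thread, from pf, or from any particular SMTP daemon). It assumes sources are aggregated into /24 blocks for IPv4 and /64 blocks for IPv6, and uses the same cap of 20 connections per block that the thread discusses; the listener would call `acquire` when a connection arrives and `release` when it closes.

```python
"""Per-CIDR concurrent-connection limiter (illustrative example)."""
import ipaddress
import threading
from collections import defaultdict


class CidrConnectionLimiter:
    """Caps simultaneous connections per aggregated source block.

    Every source address is mapped to its enclosing network (/24 for IPv4,
    /64 for IPv6 by default; both prefix lengths are assumptions made for
    this example) and a counter per block enforces the cap. This is the
    same idea as pf's per-rule ``keep state (max N)``, except that the
    block is computed from the address, so no per-network rule is needed.
    """

    def __init__(self, max_conns=20, v4_prefix=24, v6_prefix=64):
        self.max_conns = max_conns
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._active = defaultdict(int)  # block -> currently open connections
        self._lock = threading.Lock()    # listeners are usually multi-threaded

    def block_for(self, addr):
        """Return the aggregated network that a source address falls in."""
        ip = ipaddress.ip_address(addr)
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def acquire(self, addr):
        """Admit a new connection from addr. False means defer or reject it."""
        block = self.block_for(addr)
        with self._lock:
            if self._active[block] >= self.max_conns:
                return False
            self._active[block] += 1
            return True

    def release(self, addr):
        """Give the slot back when the connection from addr closes."""
        block = self.block_for(addr)
        with self._lock:
            if self._active[block] > 0:
                self._active[block] -= 1
            if self._active[block] == 0:
                del self._active[block]  # keep the table from growing unbounded

    def active(self, addr):
        """Current open-connection count for the block containing addr."""
        return self._active.get(self.block_for(addr), 0)


def simulate(limiter, events):
    """Replay ("open", ip) / ("close", ip) events; returns the open decisions."""
    decisions = []
    for action, ip in events:
        if action == "open":
            decisions.append(limiter.acquire(ip))
        else:
            limiter.release(ip)
    return decisions


if __name__ == "__main__":
    # Constructed sample: 20 distinct hosts in 192.168.2.0/24 fill the block,
    # a 21st host in the same block is refused, a host in 192.168.3.0/24 is
    # admitted, and the refused host gets in once a slot is released.
    events = [("open", f"192.168.2.{i}") for i in range(1, 21)]
    events += [("open", "192.168.2.200"), ("open", "192.168.3.1"),
               ("close", "192.168.2.5"), ("open", "192.168.2.200")]
    print(simulate(CidrConnectionLimiter(max_conns=20), events))
```

Because the block is derived from the address rather than written into a rule, the limiter covers every /24 that ever connects without a ten-million-line policy; the cost is that a table entry exists for each block with open connections, which is why `release` drops entries that reach zero.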