
Re: pf and rate limiting without ALTQ



On Thu, Jul 25, 2002 at 02:28:48PM +0200, Alexandre Dulaunoy wrote:
> On Thu, 25 Jul 2002, Gordon Grieder wrote:
> 
> > On Thu, Jul 25, 2002 at 11:00:35AM +0200, Alexandre Dulaunoy wrote:
> > > 	Can you generate a RST or an ICMP response when the rate is reached
> > > with ALTQ? The usage and the purpose are not the same.
> > 
> > Assuming you mean control traffic, ALTQ can be configured to reserve
> > a certain percent (or bytes) of bandwidth for this.
> 	
> 	I mean to reject connections when a specific number of currently
> established connections is reached.

a-ha!

okay. -current pf can do that, even though the intention of "keep state (max
x)" was a different one. Still, this does belong in the daemon and not the
packet filter.

> no more connections accepted. Is it more a matter for a packet filter,
> queueing or other (userspace daemon)?

that'd be a matter for sshd itself.

-- 
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


