
Re: pf and rate limiting without ALTQ

On Thu, Jul 25, 2002 at 10:56:25PM +1000, Warren J. Beckett wrote:
> > 	For example, if there are 2 established SSH connection, there is
> > no more connection accepted. Is it more a matter for a packet filter,
> > queueing or other (userspace daemon) ?
> > 
> > 	thanks
> Doesn't PF in -current support this feature, or have I misread
> something?

there seems to be some confusion.

yes, -current pf can be abused for that. "keep state (max x)".

the intention is another one. as the total amount of states we can handle is
limited (by memory), this is a countermeasure against a single server
filling up your whole state table.
so, for example, you have a "set limit states 10000". You run a service that
is likely to be flooded with connections, say, IRC. you'd use a rule like

pass in on $extif proto tcp from any to $ircserver port $ircport \
    keep state (max 2000)

thus, in case of a flood, no more than 2000 state table entries would be
made for this rule, and other services are still reachable (well, at least
to the extent that's under pf's control).
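The full pf.conf context for the rule above, as an added example that is not part of the original mail: the interface, addresses and port macros are placeholders, and the second rule shows a service left without a per-rule cap so the effect of the IRC cap on the rest of the state table is visible.

```pf
# Added example (not from the original mail). Interface, addresses
# and macros are placeholders.
ext_if    = "fxp0"
ircserver = "192.0.2.10"
ircport   = "6667"
sshserver = "192.0.2.20"

# Global ceiling for the whole state table (bounded by memory).
set limit states 10000

block in on $ext_if all

# Flood-prone service: cap the states this one rule may create, so a
# connection flood against IRC cannot consume the whole 10000-entry
# table. Once 2000 states exist for this rule, further connections
# matching it are not accepted until existing states time out.
pass in on $ext_if proto tcp from any to $ircserver port $ircport \
    flags S/SA keep state (max 2000)

# Other services keep state without a per-rule cap; during an IRC
# flood they still have the remaining 8000 entries available.
pass in on $ext_if proto tcp from any to $sshserver port ssh \
    flags S/SA keep state
```

To watch the limits in effect, `pfctl -s info` reports the current number of state table entries, and `pfctl -v -s rules` shows the per-rule state count next to each rule.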