Date: Mon, 07 Jun 2010 11:21:42 +0200
From: Pieter de Boer <pieter@os3.nl>
To: freebsd-net@freebsd.org
Subject: Connection rate limits with pf, blocks too soon?
Message-ID: <4C0CBA26.80209@os3.nl>
Hi list,

I have the following rule in my pf.conf:

    pass in quick on $ext_if inet proto tcp from any to $ext_addr port 80 \
        modulate state (source-track rule max-src-conn 128 \
        max-src-conn-rate 5000/600 overload <weblamers> flush global)

I thought this meant that an IP address is added to the `weblamers' table as soon as either:

  - 128 simultaneous states are present for that IP in pf
  - 5000 new states have been made for that IP in a 10 minute time frame

However, when I run a scanner against this web server, the source IP is blocked after a few seconds and only a few tens of requests. Using 'pfctl -s state' I confirmed that only 65 simultaneous states were present, much lower than the limit.

The question is: is pf actually using a time frame of 10 minutes here? I guess it may be averaging over a much smaller amount of time instead. For instance, 5000/600 is averaged over 1 second as 8.3 states?

Thanks,
Pieter
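The two readings of `max-src-conn-rate 5000/600` that the post weighs against each other can be compared on a constructed connection burst. The simulation below is an added example, not code from the post or from pf itself: `sliding_window_trips` implements the reading the poster expected (no more than 5000 new connections in any trailing 600-second window), and `per_second_average_trips` implements the poster's alternative hypothesis (an allowance of 5000/600 = 8.3 connections per second, bucketed per whole second). The scanner burst of 65 connections is constructed to match the figure in the post; the names, the 20-per-second rate and the bucketing rule are assumptions of this example, and neither function claims to be pf's real implementation.

```python
"""Compare two readings of a pf-style `max-src-conn-rate limit/seconds` setting.

Added example: models the post's rule `max-src-conn-rate 5000/600` under
(a) a true trailing-window count and (b) a per-second average, to show how
far apart the two readings are for a short scanner burst. Not pf's code.
"""
from collections import deque

LIMIT = 5000     # connections, from the post's rule
WINDOW = 600     # seconds, from the post's rule


def sliding_window_trips(timestamps, limit=LIMIT, window=WINDOW):
    """Reading (a): trip when more than `limit` new connections fall within
    any trailing `window` seconds. Returns the index of the tripping
    connection, or None if the burst never trips."""
    recent = deque()  # timestamps of connections still inside the window
    for i, t in enumerate(sorted(timestamps)):
        # Drop connections that have aged out of the trailing window.
        while recent and t - recent[0] >= window:
            recent.popleft()
        recent.append(t)
        if len(recent) > limit:
            return i
    return None


def per_second_average_trips(timestamps, limit=LIMIT, window=WINDOW):
    """Reading (b), the poster's hypothesis: the allowance is limit/window
    connections per second, checked per whole-second bucket (bucketing is an
    assumption of this example). Returns the tripping index or None."""
    per_sec = limit / window  # 5000/600 = 8.33 connections per second
    counts = {}
    for i, t in enumerate(sorted(timestamps)):
        sec = int(t)
        counts[sec] = counts.get(sec, 0) + 1
        if counts[sec] > per_sec:
            return i
    return None


def scanner_burst(n, rate_per_sec):
    """Constructed timestamps: `n` connections evenly spaced at `rate_per_sec`."""
    return [k / rate_per_sec for k in range(n)]


def compare(n, rate_per_sec):
    """Run both readings over one constructed burst and report each verdict."""
    burst = scanner_burst(n, rate_per_sec)
    return {
        "connections": n,
        "rate_per_sec": rate_per_sec,
        "sliding_window_trip_index": sliding_window_trips(burst),
        "per_second_trip_index": per_second_average_trips(burst),
    }


if __name__ == "__main__":
    # 65 connections in about three seconds, matching the post's observation.
    print(compare(65, 20))
    # A sustained scan that really does exceed 5000 in ten minutes.
    print(compare(5001, 100))
```

For the 65-connection burst the trailing-window reading never trips (65 is far below 5000), while the per-second reading trips on the ninth connection in the first second, which is the behaviour the post describes. Which reading a given pf release actually applies is not settled by the post; on the box itself `pfctl -s Sources` shows the per-source counters pf is tracking, and `pfctl -t weblamers -T show` shows which addresses the overload rule has already added.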