Date:      Wed, 13 Feb 2008 10:14:52 -0800
From:      Christopher Cowart <ccowart@rescomp.berkeley.edu>
To:        patrick <gibblertron@gmail.com>
Cc:        FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Limit # of connections per IP using ipfw?
Message-ID:  <20080213181452.GU3587@hal.rescomp.berkeley.edu>
In-Reply-To: <b043a4850802130923y2c5eca45y234e6cabbf416739@mail.gmail.com>
References:  <b043a4850802130923y2c5eca45y234e6cabbf416739@mail.gmail.com>

On Wed, Feb 13, 2008 at 09:23:31AM -0800, patrick wrote:
> Is there a way to limit the number of TCP connections from a
> particular IP at a given time using ipfw? We are running Cyrus IMAP on
> FreeBSD 6.2, and are sometimes subject to POP3 brute force login
> attacks. I'm not sure if it's Cyrus or the SASL SQL plugin, but these
> attacks grind the server to a halt (the load level goes up beyond 350!).
> The database against which authentication takes place is on a
> separate server, so I know it's not MySQL's fault. I'd like to be able
> to set a firewall rule to set a reasonable limit per IP for these
> sorts of connections. I know that pf can do it, and I'm in the process
> of figuring out how to migrate all of our stuff over to pf, but in the
> meantime, I'd like to try to do this with ipfw.

You can use limit rules. This should do the trick:

# ipfw add allow tcp from any to me pop3s limit src-addr 5

Check the ipfw man page section on limit for more info (though it's
pretty brief).

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
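
Added example, not part of the original message: a way to see how many established pop3s connections each source address currently holds, useful for choosing the `limit src-addr` value and for spotting clients that sit at the ceiling. It assumes FreeBSD's `netstat -an -p tcp` output format (addresses printed as a.b.c.d.port); the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# conns_per_ip PORT LIMIT
# Reads `netstat -an -p tcp` output on stdin and prints, per remote IPv4
# address, the number of ESTABLISHED connections to local PORT and whether
# that count has reached LIMIT (the value given to `limit src-addr`).
conns_per_ip() {
    awk -v port="$1" -v limit="$2" '
        $1 ~ /^tcp4/ && $NF == "ESTABLISHED" {
            # Local address: the port is the last dot-separated field.
            n = split($4, l, ".")
            if (l[n] != port) next
            # Foreign address: four octets plus the port.
            if (split($5, r, ".") != 5) next
            count[r[1] "." r[2] "." r[3] "." r[4]]++
        }
        END {
            for (ip in count)
                printf "%s %d %s\n", ip, count[ip],
                       (count[ip] >= limit ? "AT_LIMIT" : "ok")
        }' | sort
}

# Constructed sample input (documentation addresses, not real hosts).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.995                  *.*                    LISTEN
tcp4       0      0 192.0.2.10.995         198.51.100.7.51001     ESTABLISHED
tcp4       0      0 192.0.2.10.995         198.51.100.7.51002     ESTABLISHED
tcp4       0      0 192.0.2.10.995         198.51.100.7.51003     ESTABLISHED
tcp4       0      0 192.0.2.10.995         198.51.100.7.51004     ESTABLISHED
tcp4       0      0 192.0.2.10.995         198.51.100.7.51005     ESTABLISHED
tcp4       0      0 192.0.2.10.143         198.51.100.7.51006     ESTABLISHED
tcp4       0      0 192.0.2.10.995         203.0.113.9.40111      ESTABLISHED
tcp4       0      0 192.0.2.10.995         203.0.113.9.40112      ESTABLISHED
tcp4       0      0 192.0.2.10.995         203.0.113.9.40113      TIME_WAIT
EOF
}

# Demo on the sample; on a live host: netstat -an -p tcp | conns_per_ip 995 5
sample_netstat | conns_per_ip 995 5
```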



