From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: patrick
Cc: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Date: Wed, 13 Feb 2008 10:14:52 -0800
Subject: Re: Limit # of connections per IP using ipfw?
Message-ID: <20080213181452.GU3587@hal.rescomp.berkeley.edu>
Organization: RSSP-IT, UC Berkeley

On Wed, Feb 13, 2008 at 09:23:31AM -0800, patrick wrote:
> Is there a way to limit the number of TCP connections from a
> particular IP at a given time using ipfw? We are running Cyrus IMAP on
> FreeBSD 6.2, and are sometimes subject to POP3 brute force login
> attacks. I'm not sure if it's Cyrus or the SASL SQL plugin, but these
> attacks grind the server to a halt (the load level goes up beyond 350!).
> The database against which authentication takes place is on a
> separate server, so I know it's not MySQL's fault. I'd like to be able
> to set a firewall rule to set a reasonable limit per IP for these
> sorts of connections. I know that pf can do it, and I'm in the process
> of figuring out how to migrate all of our stuff over to pf, but in the
> meantime, I'd like to try to do this with ipfw.

You can use limit rules. This should do the trick:

# ipfw add allow tcp from any to me pop3s limit src-addr 5

Check the ipfw man page section on limit for more info (though it's
pretty brief).

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
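The following is an added illustration, not part of the thread above and not FreeBSD's ipfw code: a small Python model of what an ipfw `limit src-addr N` rule does with its dynamic rule table, so the effect of the rule Chris suggests can be traced on sample traffic. It assumes that a packet matching no existing dynamic rule is a new connection attempt, that the per-source count is over live dynamic rules only, and that a dynamic rule ages out after a fixed idle lifetime (the 300-second constant below stands in for ipfw's dynamic-rule lifetime sysctls and is an assumption of the model, as are the constructed addresses and port numbers).

```python
"""Model of an ipfw 'limit src-addr N' rule (added example, not ipfw itself).

ipfw keeps one dynamic rule per connection (src, sport, dst, dport).
A limit rule refuses to install a new dynamic rule for a source address
that already owns N live ones, so a single client can hold at most N
concurrent POP3/IMAP sessions no matter how fast it reconnects.
"""
from dataclasses import dataclass, field


@dataclass
class LimitRule:
    limit: int                  # the N in 'limit src-addr N'
    lifetime: int = 300         # assumed idle lifetime of a dynamic rule, seconds
    dyn: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> last seen

    def _expire(self, now):
        """Drop dynamic rules that have been idle longer than the lifetime."""
        for key, seen in list(self.dyn.items()):
            if now - seen > self.lifetime:
                del self.dyn[key]

    def count(self, src):
        """Number of live dynamic rules owned by this source address."""
        return sum(1 for key in self.dyn if key[0] == src)

    def packet(self, src, sport, dst, dport, now):
        """Return 'allow' or 'drop' for one packet arriving at time `now`."""
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.dyn:             # existing connection: refresh and pass
            self.dyn[key] = now
            return "allow"
        if self.count(src) >= self.limit:   # slot budget exhausted for this source
            return "drop"
        self.dyn[key] = now             # new connection: install dynamic rule
        return "allow"


def simulate():
    """Run constructed sample traffic through a 'limit src-addr 5' rule."""
    rule = LimitRule(limit=5)
    attacker, other, server = "198.51.100.7", "192.0.2.44", "203.0.113.10"   # constructed
    decisions = []
    # Six connection attempts in quick succession from one source (pop3s = 995).
    for i in range(6):
        decisions.append(rule.packet(attacker, 40000 + i, server, 995, now=i))
    # An unrelated client is not affected by the first source's exhausted budget.
    decisions.append(rule.packet(other, 51000, server, 995, now=10))
    # Once the earlier dynamic rules have aged out, the source gets fresh slots.
    decisions.append(rule.packet(attacker, 40006, server, 995, now=400))
    return decisions


if __name__ == "__main__":
    for i, d in enumerate(simulate(), 1):
        print(f"packet {i}: {d}")
```

The trace makes the practical point about this mitigation: the limit caps concurrent sessions per source, so a brute-forcer that opens many parallel logins is throttled to N at a time, while a source that serially opens and closes connections is only slowed by how long each dynamic rule lingers after the session ends.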