From owner-freebsd-questions@FreeBSD.ORG Wed Feb 14 18:48:52 2007
From: Chris
To: "Peter N. M. Hansteen"
Cc: freebsd-questions@freebsd.org
Date: Wed, 14 Feb 2007 18:48:49 +0000
Subject: Re: Packet rate limiter
Message-ID: <3aaaa3a0702141048p5f270126tc1f00059a7dfe4a4@mail.gmail.com>
In-Reply-To: <877iusuczk.fsf@thingy.datadok.no>
References: <45C99336.3010508@demax.sk> <877iusuczk.fsf@thingy.datadok.no>

On 08/02/07, Peter N. M. Hansteen wrote:
> Jan Sebosik writes:
>
> > Is there any way to limit the packets per second [PPS] rate to a specified
> > IP (group of IPs)?
>
> The closest I can think of off the top of my head is defining a PF
> rule set with queues (ALTQ); however, you will be specifying bandwidth,
> that is in bits per second (or k, M, G multiples of) or percentage of
> available bandwidth, not number of packets. Your groups of source
> addresses could be maintained as tables for easy manipulation.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

I thought PF could do this now, as I have seen PF rulesets used to limit SYN flooding via pps rules. If not, it would be good if PF or ipfw got this feature, as Linux has had it for a while now and it is a lot more effective than limiting per bps.
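The two mechanisms the thread talks past each other about, as an added pf.conf example that is not from either poster: an ALTQ queue fed from a table (Hansteen's suggestion, which caps bits per second) next to a `max-src-conn-rate` rule (the kind of "pps rule" the reply has in mind, which actually counts new states per source, not packets). The interface name and the addresses are assumptions; the hosts are constructed RFC 5737 documentation addresses.

```pf
# Added example, not from the thread. Interface and addresses are assumptions.
ext_if = "em0"

# Group of hosts to throttle, kept in a table so it can be edited at runtime,
# e.g. pfctl -t throttled -T add 198.51.100.7
table <throttled> persist { 192.0.2.10, 192.0.2.11, 198.51.100.0/24 }

# ALTQ shapes bits per second on the outbound interface (kernel needs ALTQ and
# ALTQ_CBQ), so the ceiling below is 512Kb/s, never a packet count.
altq on $ext_if cbq bandwidth 100Mb queue { q_std, q_throttled }
queue q_std bandwidth 95% cbq(default)
queue q_throttled bandwidth 512Kb

# Packets leaving $ext_if towards the table land in the small queue;
# everything else falls into the default queue.
pass out on $ext_if from any to <throttled> keep state queue q_throttled

# The SYN-flood style rule is a state-rate limit, not a pps limit: more than
# 15 new connections in 5 seconds from one source puts that address into
# <bruteforce>, flushes its existing states, and the quick rule then blocks it.
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to $ext_if port 22 flags S/SA keep state \
    (max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vsq` shows per-queue byte and packet counters so the bandwidth cap can be verified to bite.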