From owner-freebsd-net@FreeBSD.ORG  Mon Jun  7 09:21:49 2010
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3246F1065673
	for <freebsd-net@freebsd.org>; Mon,  7 Jun 2010 09:21:49 +0000 (UTC)
	(envelope-from pieter@os3.nl)
Received: from mail.thelostparadise.com (router.thelostparadise.com
	[IPv6:2a02:898:0:30::30:1])
	by mx1.freebsd.org (Postfix) with ESMTP id C74738FC19
	for <freebsd-net@freebsd.org>; Mon,  7 Jun 2010 09:21:48 +0000 (UTC)
Received: by mail.thelostparadise.com (Postfix, from userid 127)
	id 8205273054; Mon,  7 Jun 2010 11:21:47 +0200 (CEST)
Received: from localhost by mail.thelostparadise.com (Postfix) with ESMTP id
	C300E73008
	for <freebsd-net@freebsd.org>; Mon,  7 Jun 2010 11:21:46 +0200 (CEST)
Message-ID: <4C0CBA26.80209@os3.nl>
Date: Mon, 07 Jun 2010 11:21:42 +0200
From: Pieter de Boer <pieter@os3.nl>
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Connection rate limits with pf, blocks too soon?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2010 09:21:49 -0000

Hi list,

I have the following rule in my pf.conf:
pass in  quick on $ext_if inet proto tcp from any to $ext_addr port 80 
modulate state (source-track rule max-src-conn 128 max-src-conn-rate 
5000/600 overload <weblamers> flush global)

I thought this meant that an IP address is added to the `weblamers' 
table as soon as either:
- 128 simultaneous states are present for that IP in pf
- 5000 new states have been made for that IP in a 10 minute time frame

However, when I run a scanner against this web server, the source IP is 
blocked after a few seconds and only a few tens of requests. Using 
'pfctl -s state' I confirmed that only 65 simultaneous states were 
present, much lower than the limit.

The question is: is pf actually using a time frame of 10 minutes here? I 
guess it may be averaging over a much smaller amount of time instead. 
For instance, 5000/600 is averaged over 1 second as 8.3 states?

Thanks,
Pieter