From: Chris (envelope-from chrcoluk@gmail.com)
To: chrishome@austin.rr.com
Cc: freebsd-net@freebsd.org, Jan Sebosik, freebsd-questions@freebsd.org
Subject: Re: Packet rate limiter
Date: Thu, 1 Mar 2007 11:08:27 +0000
Message-ID: <3aaaa3a0703010308t1fad983em2707001dc5ec3593@mail.gmail.com>
References: <45C99336.3010508@demax.sk>
List-Id: freebsd-questions@freebsd.org (User questions)

On 17/02/07, chrishome@austin.rr.com wrote:
> > Hi
> >
> > is there any way how to limit packet per second [PPS] rate to
> > specified IP (group of IP) ? Linux can achieve this via IPtables.
> > I've searched a lot of web, but nothing interesting found (for PF,
> > IPFilter, and IPFW).
> >
>
> I agree this would be a very nice addition to IPFW as a basic feature,
> or maybe a more advanced version via Dummynet. It's much too easy for a
> trojan / virus or intentionally malicious user to flood a FreeBSD box
> setup as a router with loads of tiny UDP packets on port 80. In fact,
> just a few days ago we had 2 users behind one of our FreeBSD gateways
> sending huge loads of traffic to a webhosting site. This packet count
> shown below was all within a 12 hour period ;)
>
> 00010 990465375 39618916491 deny ip from 172.17.106.114 to any
> 00010  20010976   800449444 deny ip from 172.17.105.114 to any
>
> Being able to put limits per protocol would be a wonderful addition.
> For now what we do is set up a count rule by MAC address for every user;
> we check the count rules every 60 seconds, and if we begin to see packets
> per second for a certain host climb above, for example, 4000 PPS, we simply
> automatically add a deny rule. These are generally users set for 1 or 2
> Mbps each, so 4000 PPS is pretty extreme for that kind of bandwidth
> unless you're doing something you shouldn't.
>
> I've been talking to a few friends about possibly adding this to ipfw or
> dummynet, and if I ever get around to a completed working version, I
> would be more than happy to share, but for now, there are ways to still
> fix the problem, just not as elegant as if it were actually a firewall
> rule ;)
>
> Chris Bowman
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

What's the rule that counts per src address?

thanks

Chris
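The polling approach Chris Bowman describes (one ipfw count rule per host, counters sampled every 60 seconds, an automatic deny rule once a host exceeds 4000 PPS) as an added shell example. This is not code from the thread or from ipfw; it keys on per-source-IP count rules such as `ipfw add 1000 count ip from 172.17.106.114 to any` (the 1000+ rule numbers are an assumption; the MAC-keyed rules the post used would only change the awk field positions), reuses the post's rule number 10 for the deny rules, and the two `ipfw -a list` snapshots are constructed sample data, not real traffic. Because `ipfw -a list` reports counters that are cumulative until `ipfw zero`, the rate has to be computed from the delta between two samples, and a negative delta (counters zeroed or the box rebooted between samples) must be skipped rather than scored.

```shell
#!/bin/sh
# Added example (not code from the thread): poll ipfw count rules and emit a
# deny rule for any source whose packet rate exceeds a threshold.
#
# Assumes one count rule per user, for instance (rule numbers 1000+ are an
# assumption made here):
#   ipfw add 1000 count ip from 172.17.106.114 to any
# Counters shown by `ipfw -a list` are cumulative since the last `ipfw zero`,
# so the rate is the delta between two snapshots divided by the interval.

THRESHOLD_PPS=4000   # the post's "pretty extreme" figure for a 1-2 Mbps user
INTERVAL=60          # seconds between snapshots, as in the post
DENY_RULE=10         # the post's deny rule number; lower than the count rules
                     # so the deny is evaluated before the count

# Constructed sample output of `ipfw -a list`, two snapshots 60 s apart
# (fields: rule packets bytes action ...). Not real traffic data.
SNAP_T0='01000 1000 64000 count ip from 172.17.106.114 to any
01001 500 32000 count ip from 172.17.105.114 to any
01002 20 1280 count ip from 172.17.104.7 to any'
SNAP_T1='01000 301000 19264000 count ip from 172.17.106.114 to any
01001 240500 15392000 count ip from 172.17.105.114 to any
01002 40 2560 count ip from 172.17.104.7 to any'

# offenders SNAP_BEFORE SNAP_AFTER INTERVAL THRESHOLD
# Prints "<ip> <pps>" (sorted) for every source whose rate is above THRESHOLD.
# A negative delta means the counters were zeroed (or the box rebooted)
# between snapshots; that host is skipped for this interval.
offenders() {
    printf '%s\n%s\n' "$1" "$2" | awk -v interval="$3" -v thr="$4" '
        $4 == "count" && $5 == "ip" && $6 == "from" {
            ip = $7
            if (ip in first) second[ip] = $2; else first[ip] = $2
        }
        END {
            for (ip in second) {
                delta = second[ip] - first[ip]
                if (delta < 0) continue
                pps = delta / interval
                if (pps > thr) printf "%s %d\n", ip, pps
            }
        }' | sort
}

# deny_cmd IP -> the ipfw command that cuts the host off.
deny_cmd() {
    printf 'ipfw add %d deny ip from %s to any\n' "$DENY_RULE" "$1"
}

# Live sweep (run as root on the gateway). Prints the commands it would run;
# change the `echo` to `eval` to actually install the deny rules.
sweep() {
    t0=$(ipfw -a list)
    sleep "$INTERVAL"
    t1=$(ipfw -a list)
    offenders "$t0" "$t1" "$INTERVAL" "$THRESHOLD_PPS" | while read -r ip pps; do
        echo "$ip at ${pps} pps: $(deny_cmd "$ip")"
    done
}

# Demo on the constructed snapshots; runs anywhere, no ipfw needed.
offenders "$SNAP_T0" "$SNAP_T1" "$INTERVAL" "$THRESHOLD_PPS" | while read -r ip pps; do
    echo "$ip at ${pps} pps: $(deny_cmd "$ip")"
done
```

On the sample data only 172.17.106.114 (300000 packets in 60 s, 5000 PPS) crosses the line; 172.17.105.114 sits exactly at 4000 PPS and is left alone, which is the comparison you want to decide deliberately. Run `sweep` from cron or a loop on the gateway itself; the deny rule must carry a lower number than the count rule, otherwise the host keeps being counted but never blocked.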