From owner-freebsd-questions@FreeBSD.ORG Sat Feb 17 19:40:40 2007
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C2A5216A402; Sat, 17 Feb 2007 19:40:40 +0000 (UTC) (envelope-from chrishome@austin.rr.com)
Received: from ms-smtp-01.texas.rr.com (ms-smtp-01.texas.rr.com [24.93.47.40]) by mx1.freebsd.org (Postfix) with ESMTP id 42FFA13C49D; Sat, 17 Feb 2007 19:40:39 +0000 (UTC) (envelope-from chrishome@austin.rr.com)
Received: from ms-mss-01 (ms-mss-01-smtp.texas.rr.com [10.93.38.14]) by ms-smtp-01.texas.rr.com (8.13.6/8.13.6) with ESMTP id l1HJ1I5Q012501; Sat, 17 Feb 2007 13:01:18 -0600 (CST)
Received: from texas.rr.com (localhost [127.0.0.1]) by ms-mss-01.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0JDM0085PFI612@ms-mss-01.texas.rr.com>; Sat, 17 Feb 2007 13:01:18 -0600 (CST)
Received: from [10.93.36.25] (Forwarded-For: [24.28.0.133]) by ms-mss-01.texas.rr.com (mshttpd); Sat, 17 Feb 2007 13:01:18 -0600
Date: Sat, 17 Feb 2007 13:01:18 -0600
From: chrishome@austin.rr.com
In-reply-to: <45C99336.3010508@demax.sk>
To: Jan Sebosik
Message-id:
MIME-version: 1.0
X-Mailer: iPlanet Messenger Express 5.2 HotFix 2.10 (built Dec 26 2005)
Content-type: text/plain; charset=us-ascii
Content-language: en
Content-transfer-encoding: 7BIT
Content-disposition: inline
X-Accept-Language: en
Priority: normal
References: <45C99336.3010508@demax.sk>
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Cc: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Packet rate limiter
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 17 Feb 2007 19:40:40 -0000

> Hi
>
> is there any way to limit the packet per second [PPS] rate to a
> specified IP (group of IPs)? Linux can achieve this via IPtables.
> I've searched a lot of the web, but found nothing interesting (for PF,
> IPFilter, and IPFW).
>

I agree this would be a very nice addition to IPFW as a basic feature, or maybe a more advanced version via Dummynet. It's much too easy for a trojan / virus or intentionally malicious user to flood a FreeBSD box set up as a router with loads of tiny UDP packets on port 80. In fact, just a few days ago we had 2 users behind one of our FreeBSD gateways sending huge loads of traffic to a webhosting site. The packet counts shown below were all within a 12 hour period ;)

00010 990465375 39618916491 deny ip from 172.17.106.114 to any
00010 20010976 800449444 deny ip from 172.17.105.114 to any

Being able to put limits per protocol would be a wonderful addition. For now what we do is set up a count rule by MAC address for every user; we check the count rules every 60 seconds, and if we begin to see packets per second for a certain host climb above, for example, 4000PPS, we simply automatically add a deny rule. These are generally users set for 1 or 2 Mbps each, so 4000PPS is pretty extreme for that kind of bandwidth unless you're doing something you shouldn't.

I've been talking to a few friends about possibly adding this to ipfw or dummynet, and if I ever get around to a completed working version, I would be more than happy to share, but for now, there are ways to still fix the problem, just not as elegant as if it were actually a firewall rule ;)

Chris Bowman
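The 60-second count-rule check Chris describes, written out as an added example (this is not Chris's script and not part of the original thread). It assumes two snapshots in the format `ipfw -a list` prints for count rules (rule number, packet count, byte count, rule body), keys each rule on the source address in its body rather than on a MAC, and uses rule slot 50 for the deny rule; the snapshots, addresses and counters below are constructed, and `DRY_RUN=1` prints the ipfw command instead of executing it so the script runs on any sh. A counter that goes backwards (after `ipfw -z` or a reboot) is skipped for that interval instead of being reported as a negative rate.

```shell
#!/bin/sh
# Added example: flag hosts whose ipfw count rule grew by more than
# THRESHOLD packets per second between two snapshots INTERVAL seconds apart.

INTERVAL=60        # seconds between snapshots (the post's polling period)
THRESHOLD=4000     # packets per second per host (the post's example limit)
DRY_RUN=1          # 1 = print the ipfw command, 0 = really add the deny rule
DENY_SLOT=50       # assumed rule number placed ahead of the count rules

# Constructed snapshots in `ipfw -a list` form: rule packets bytes body.
SNAP_BEFORE='00100 1200000 96000000 count ip from 172.17.106.114 to any
00110 500000 40000000 count ip from 172.17.105.114 to any
00120 50000 4000000 count ip from 172.17.107.10 to any'

SNAP_AFTER='00100 1500000 120000000 count ip from 172.17.106.114 to any
00110 560000 44800000 count ip from 172.17.105.114 to any
00120 52000 4160000 count ip from 172.17.107.10 to any'

# pps_report BEFORE AFTER INTERVAL
# Joins the two snapshots on rule number and prints "rule src pps" for
# every count rule present in both. Lines are tagged A/B so one awk pass
# can read both snapshots from a single stream (POSIX sh has no <(...)).
pps_report() {
    {
        printf '%s\n' "$1" | sed 's/^/A /'
        printf '%s\n' "$2" | sed 's/^/B /'
    } | awk -v interval="$3" '
        $1 == "A" && $5 == "count" { before[$2] = $3; src[$2] = $8 }
        $1 == "B" && $5 == "count" && ($2 in before) {
            delta = $3 - before[$2]
            if (delta < 0) next          # counter reset: skip this interval
            printf "%s %s %d\n", $2, src[$2], delta / interval
        }'
}

# offenders BEFORE AFTER INTERVAL THRESHOLD
# Keeps only the rules whose rate is above the threshold.
offenders() {
    pps_report "$1" "$2" "$3" | awk -v limit="$4" '$3 > limit'
}

# block_host SRC
# Inserts a deny rule for the source address (printed only under DRY_RUN).
block_host() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: ipfw add $DENY_SLOT deny ip from $1 to any"
    else
        ipfw add "$DENY_SLOT" deny ip from "$1" to any
    fi
}

main() {
    offenders "$SNAP_BEFORE" "$SNAP_AFTER" "$INTERVAL" "$THRESHOLD" |
    while read -r rule src pps; do
        echo "rule $rule: $src at ${pps} pps exceeds ${THRESHOLD} pps"
        block_host "$src"
    done
}

main
```

In a real deployment the two snapshots would come from consecutive `ipfw -a list` runs out of cron rather than from the embedded strings, and the threshold would be tuned to the per-user bandwidth the post mentions: with the constructed data, rule 100 grows by 300000 packets in 60 seconds (5000 pps) and is the only one flagged.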