Date:      Tue, 25 Oct 2016 15:57:39 +0200
From:      Patrick Lamaiziere <patfbsd@davenulle.org>
To:        "Simon" <simon@optinet.com>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: PF - Treating Multiple Virtual IPs as one
Message-ID:  <20161025155739.2d796465@mr185083>

On Mon, 24 Oct 2016 11:42:54 -0400,
"Simon" <simon@optinet.com> wrote:

> I am trying to rate limit/control access to a port across multiple
> virtual IPs or aliases using max-src-conn and max-src-conn-rate.
> The problem arises when an attacker floods connections to the same port
> across many IPs listening on the same port. Is it possible to tell PF
> to treat connections to the same port across multiple IPs assigned to
> the same NIC as one in the instances of max-src-conn-rate? In other
> words, I want connections made to port XX on x.x.x.1, x.x.x.2, etc. to
> count toward the same counter using max-src-conn-rate and max-src-conn.
> By default, each IP tracks its own counter and this defeats the purpose
> of my rate limiting for a port. Couldn't find this in the manual.

I'm not sure, but when matched, the source track rule is associated with a
state; if several destinations are involved you have different states.
So I think you can't group the count for several destination IPs.

> Not sure if I'll have better luck with freebsd-ISP on this. Didn't
> want to cross post just yet.

There is freebsd-pf for questions about PF.

Regards,
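As an added illustration, not configuration from Simon or Patrick, this is the shape of rule set the question describes: one rule covering a table of aliases on the same interface, with max-src-conn and max-src-conn-rate and an overload table; the interface name and addresses are constructed placeholders. Whether the counters end up shared across the aliases is the question the thread leaves open; `pfctl -s sources` lists the source-tracking entries PF has actually created, which is the way to check it on a running system.

```conf
# Added example (not from the thread). Interface and addresses are
# constructed placeholders; adjust to the real aliases on the NIC.
ext_if = "em0"

# All virtual IPs/aliases that listen on the rate-limited port.
table <vips> { 192.0.2.1, 192.0.2.2, 192.0.2.3 }

# Sources that exceed the limits below are added here by "overload".
table <flooders> persist

# Drop known offenders before any further rule evaluation.
block in quick on $ext_if from <flooders>

# A single rule matching every alias, with source-tracking limits:
#   max-src-conn       simultaneous established TCP connections per source
#   max-src-conn-rate  new connections per source within the interval
# A source exceeding either limit is put into <flooders> and, because of
# "flush global", all of its existing states are removed.
pass in on $ext_if proto tcp to <vips> port 80 \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 15/5, \
     overload <flooders> flush global)

# Verification after loading:
#   pfctl -s sources            show the source-tracking entries in use
#   pfctl -t flooders -T show   list sources that tripped the overload
#   pfctl -t flooders -T flush  clear the table once the flood subsides
```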
