From owner-freebsd-stable@FreeBSD.ORG Fri Feb 17 02:09:42 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DA4716A420; Fri, 17 Feb 2006 02:09:42 +0000 (GMT) (envelope-from atanas@asd.aplus.net)
Received: from pro20.abac.com (pro20.abac.com [66.226.64.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B570243F92; Fri, 17 Feb 2006 02:09:41 +0000 (GMT) (envelope-from atanas@asd.aplus.net)
Received: from [216.55.129.41] (asd0.aplus.net [216.55.129.41]) (authenticated bits=0) by pro20.abac.com (8.13.4/8.13.4) with ESMTP id k1H29cRZ044401; Thu, 16 Feb 2006 18:09:38 -0800 (PST) (envelope-from atanas@asd.aplus.net)
Message-ID: <43F5322C.1090603@asd.aplus.net>
Date: Thu, 16 Feb 2006 18:17:16 -0800
From: Atanas
User-Agent: Thunderbird 1.5 (X11/20051201)
MIME-Version: 1.0
To: Niki Denev
References: <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com> <20051227101621.GA16276@walton.maths.tcd.ie> <86irrfoix5.fsf@xps.des.no> <43F4E3B0.1090806@asd.aplus.net> <43F514BD.608@cytexbg.com>
In-Reply-To: <43F514BD.608@cytexbg.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 1.47 (SPF_SOFTFAIL)
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH login takes very long time...sometimes
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Fri, 17 Feb 2006 02:09:42 -0000

Niki Denev said the following on 02/16/06 16:11:
>
> I solved this for me with the following pf(4) rule:
>
> pass in quick on $ext inet proto tcp from any to any port ssh flags S/SA \
>     keep state (source-track rule, max-src-conn $max_conn_per_ip, max-src-conn-rate $max_conn_rate, \
>     overload flush global)
>
> with appropriate $max_conn_per_ip and $max_conn_rate limits,
> and "expiretable" in a cronjob to flush all entries in the table which
> are older than a predefined period.
>
> I hope this helps.
>

Thanks for the tip! I knew that at some point I would have to switch to pf, but unfortunately it wasn't available in FreeBSD-4.x, and I still have plenty of such boxes.

Does anybody know whether ipfw (or something else within FreeBSD-4) is capable of setting connection rate limits?

Regards,
Atanas
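For readers who want to see the quoted rule in context, here is a complete pf.conf fragment built around it. This is an added example, not part of either message in the thread: the interface name, the limit values and the overload table name <ssh_bruteforce> are assumptions (the table name in the quoted rule did not survive the archive), and it assumes a FreeBSD release that ships pf(4).

```pf
# Added example (not from the thread): rate-limited ssh access with pf.
# Interface, limits and table name are assumed values; adjust to taste.
ext = "em0"
max_conn_per_ip = "5"     # concurrent ssh connections allowed per source address
max_conn_rate = "3/60"    # new ssh connections per source: at most 3 within 60 seconds

# Table that collects offending source addresses. "persist" keeps the table
# around even when no loaded rule references it, so entries survive reloads
# and can be expired out of it by a cronjob.
table <ssh_bruteforce> persist

# Drop anything already in the table before the pass rule is considered.
# Both rules use "quick", so the first match wins and ordering matters.
block in quick on $ext inet proto tcp from <ssh_bruteforce> to any port ssh

# Allow ssh and track state per source address. A source that exceeds either
# limit is added to <ssh_bruteforce>; "flush global" also tears down that
# source's existing states created by any rule, not only by this one.
pass in quick on $ext inet proto tcp from any to any port ssh flags S/SA \
    keep state (source-track rule, max-src-conn $max_conn_per_ip, \
    max-src-conn-rate $max_conn_rate, overload <ssh_bruteforce> flush global)
```

Entries stay in the table until something removes them. The thread suggests the sysutils/expiretable port from cron; newer pf releases can do the same with `pfctl -t ssh_bruteforce -T expire 86400`, which removes entries older than the given number of seconds. Sources behind a shared NAT address count against the per-source limits together, so a management network or other trusted addresses are best excluded with an earlier pass rule, otherwise a single noisy host can lock out everyone behind the same address.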