From owner-freebsd-pf@freebsd.org  Fri Jan 13 02:06:35 2017
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C46A5CADA4F
 for <freebsd-pf@mailman.ysv.freebsd.org>; Fri, 13 Jan 2017 02:06:35 +0000 (UTC)
 (envelope-from simon@optinet.com)
Received: from cobra.acceleratedweb.net (cobra-gw.acceleratedweb.net
 [207.99.79.37]) by mx1.freebsd.org (Postfix) with SMTP id 5CEB713C8
 for <freebsd-pf@freebsd.org>; Fri, 13 Jan 2017 02:06:34 +0000 (UTC)
 (envelope-from simon@optinet.com)
Received: (qmail 39417 invoked by uid 110); 13 Jan 2017 01:59:52 -0000
Received: from ool-43549c41.dyn.optonline.net (HELO desktop1)
 (simon@optinet.com@67.84.156.65)
 by cobra.acceleratedweb.net with SMTP; 13 Jan 2017 01:59:52 -0000
From: "Simon" <simon@optinet.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Date: Thu, 12 Jan 2017 20:59:53 -0500
Priority: Normal
X-Mailer: PMMail 2000 Professional (2.20.2717) For Windows 2000 (5.1.2600;3)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Treating Multiple Virtual IPs as one 
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2017 02:06:35 -0000

Hello,

I am trying to rate limit/control access to a port across multiple virtual IPs or aliases
using max-src-conn and max-src-conn-rate. Problem arises when attacker floods
connections to the same port across many IPs listening on the same port. Is it
possible to tell PF to treat connections to the same port across multiple IPs
assigned to the same NIC in the instances of max-src-conn-rate ? In other words,
I want connections made to port XX on x.x.x.1, x.x.x.2, etc... count toward the
same counter using max-src-conn-rate and max-src-conn. By default, each IP
tracks own counter and this defeats the purpose of my rate limiting for a port.
Couldn't find this in the manual. Hard to imagine this is a very unique setup.

Thanks,
Simon