Connection rate limits with pf, blocks too soon?
Pieter de Boer
pieter at os3.nl
Mon Jun 7 09:21:49 UTC 2010
Hi list,
I have the following rule in my pf.conf:
pass in quick on $ext_if inet proto tcp from any to $ext_addr port 80
modulate state (source-track rule max-src-conn 128 max-src-conn-rate
5000/600 overload <weblamers> flush global)
I thought this meant that an IP address is added to the `weblamers'
table as soon as either:
- 128 simultaneous states are present for that IP in pf
- 5000 new states have been made for that IP in a 10 minute time frame
However, when I run a scanner against this web server, the source IP is
blocked after a few seconds and only a few tens of requests. Using
'pfctl -s state' I confirmed that only 65 simultaneous states were
present, much lower than the limit.
The question is: is pf actually using a time frame of 10 minutes here? I
guess it may be averaging over a much smaller amount of time instead.
For instance, 5000/600 is averaged over 1 second as 8.3 states?
Thanks,
Pieter