PF - Treating Multiple Virtual IPs as one
Patrick Lamaiziere
patfbsd at davenulle.org
Tue Oct 25 13:57:57 UTC 2016
On Mon, 24 Oct 2016 11:42:54 -0400,
"Simon" <simon at optinet.com> wrote:
> I am trying to rate limit/control access to a port across multiple
> virtual IPs or aliases using max-src-conn and max-src-conn-rate.
> Problem arises when attacker floods connections to the same port
> across many IPs listening on the same port. Is it possible to tell PF
> to treat connections to the same port across multiple IPs assigned to
> the same NIC in the instances of max-src-conn-rate? In other words,
> I want connections made to port XX on x.x.x.1, x.x.x.2, etc... to count
> toward the same counter using max-src-conn-rate and max-src-conn. By
> default, each IP tracks its own counter and this defeats the purpose of
> my rate limiting for a port. Couldn't find this in the manual.
I'm not sure, but when matched, the source-track rule is associated with a
state; if several destinations are involved, you have different states.
So I think you can't group the count for several destination IPs.
> Not sure if I'll have better luck with freebsd-ISP on this. Didn't
> want to cross post just yet.
There is freebsd-pf for questions about PF.
Regards,