DaemonForums  

PF and Stateful Tracking Options

mfaridi, 14th April 2010

I want to use PF as a firewall for a webserver; our webserver is Apache.
I read this link:
http://www.openbsd.org/faq/pf/filter.html

but I cannot understand this section:
Code:
An example:

    table <abusive_hosts> persist
    block in quick from <abusive_hosts>

    pass in on $ext_if proto tcp to $web_server \
        port www flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush) 

This does the following:

    * Limits the maximum number of connections per source to 100
    * Rate limits the number of connections to 15 in a 5 second span
    * Puts the IP address of any host that breaks these limits into the <abusive_hosts> table
    * For any offending IP addresses, flush any states created by this rule.

So I understand this:
For example, if some user with this IP
192.168.0.52
connects to my web server, he or she can only open 15 pages in 5 seconds; if he or she opens new pages, pf blocks him.

And I understand this:
the user with 192.168.0.53 cannot open more than 15 pages, or cannot make more than 15 connections, in 5 seconds.

Am I right?
Do I understand this well?
With this rule each IP can have 15 connections in 5 seconds.
Please, someone explain this section better for me.
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in Persian or Farsi.
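
A simplified model of the rule quoted in the post above, added here as an example (it is not part of the original post or of the PF FAQ, and it is not PF's own accounting): it shows that both limits are tracked separately for each source address and count TCP connections. The class and function names, the sliding-window rate check and the sample traffic are assumptions made for the illustration.

```python
from collections import defaultdict, deque

MAX_SRC_CONN = 100               # max-src-conn 100
RATE_COUNT, RATE_SECS = 15, 5    # max-src-conn-rate 15/5


class WebRule:
    """Toy model of the quoted rule pair; not PF's real accounting."""

    def __init__(self):
        self.abusive_hosts = set()            # the <abusive_hosts> table
        self.open_conns = defaultdict(int)    # live connections per source IP
        self.recent = defaultdict(deque)      # recent connection times per source IP

    def connect(self, src, now):
        """One completed TCP handshake from src at time now (seconds)."""
        if src in self.abusive_hosts:         # block in quick from <abusive_hosts>
            return "block"
        times = self.recent[src]
        while times and now - times[0] >= RATE_SECS:
            times.popleft()                   # older than the 5 second span
        times.append(now)
        self.open_conns[src] += 1
        if len(times) > RATE_COUNT or self.open_conns[src] > MAX_SRC_CONN:
            self.abusive_hosts.add(src)       # overload <abusive_hosts>
            self.open_conns[src] = 0          # flush: drop this source's states
            times.clear()
            return "overload"
        return "pass"

    def close(self, src):
        """A connection from src ended, freeing one max-src-conn slot."""
        self.open_conns[src] = max(0, self.open_conns[src] - 1)


def replay(events):
    """Feed (time, source) pairs to a fresh rule; return verdicts and table."""
    fw = WebRule()
    return [fw.connect(src, t) for t, src in events], fw.abusive_hosts


# Constructed sample traffic using the two addresses from the post.
burst = [(i * 0.1, "192.168.0.52") for i in range(17)]   # 17 connections in 1.6 s
steady = [(i, "192.168.0.53") for i in range(60)]        # 1 connection per second

if __name__ == "__main__":
    print(replay(burst)[0][-3:])     # the 15th, 16th and 17th connection
    print(set(replay(steady)[0]))    # every verdict the steady client received
```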