DaemonForums > FreeBSD > FreeBSD Security

#1
Old 13th January 2018
bryn1u bryn1u is offline
Port Guard
 
Join Date: May 2009
Posts: 19
PF - connection limit per ip

Hello guys,

I'm reading about connection restriction per source IP.
Code:
stossh = "(max 100, source-track rule, max-src-conn 10, max-src-conn-rate 5/200, overload <bruteforce> flush global)"
Am I translating it well? If not, please correct me. Max 100 connections from all. Max 10 established connections per IP? Max 5 connections per IP in 200 sec?
And using it for:
Code:
pass in on $ext_if proto tcp from any to any port { 22 } $stossh
But what about UDP? For example, a voice server connection. I want to limit connections on port 64738 (Mumble server).
Can I do something like the example above?
Code:
stovoice = "(max 100, source-track rule, max-src-conn 10, max-src-conn-rate 5/200, overload <bruteforce> flush global)"
And use it for:
Code:
pass in on $ext_if proto udp from any to any port { 64738 } $stovoice
If I understand correctly, max-src-conn is only for source IPs with established connections. What about UDP? I just want to limit connections per IP, for example 5 IPs.
Thank you.
#2
Old 12th May 2020
dekloper dekloper is offline
Real Name: dekloper
New User
 
Join Date: May 2020
Posts: 7

Quote:
Originally Posted by bryn1u
If I understand correctly, max-src-conn is only for source IPs with established connections. What about UDP?
There are no problems with the UDP protocol.
You can set restrictions with one line for two protocols (TCP and UDP) at the same time; the S/SA keep state flags are automatically set for the TCP proto, and keep state is used by UDP.

Code:
# persist keeps the table across ruleset reloads even when no rule references it
table <bruteforce> persist
restrict = "(max 100, source-track rule, max-src-conn 10, max-src-conn-rate 5/200, overload <bruteforce> flush global)"
pass in on $ext_if proto { tcp udp } from any to ($ext_if) port { domain } flags S/SA keep state $restrict
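As an added example that is not part of either post, here is one pf.conf fragment covering both services the thread asks about: SSH over TCP and Mumble over UDP. It keeps the limits and the `<bruteforce>` table name from the posts. The interface name `em0` is an assumption. The two option sets are split on purpose: pf.conf(5) defines `max-src-conn` and `max-src-conn-rate` in terms of TCP connections that completed the 3-way handshake, so the UDP rule instead uses `max-src-states`, which caps how many state entries one source address may hold under that rule. The fragment also adds the `block` rule that the posted rulesets lack; without it, addresses that hit the limits are collected in the table but nothing ever acts on them.

```pf
# Added example, not from the thread. Per-source limits for an SSH (TCP)
# and a Mumble (UDP) service, plus a block rule that consumes the overload table.
ext_if = "em0"                    # assumption: external interface name

# persist keeps the table even if no rule references it after a reload
table <bruteforce> persist

# TCP: max-src-conn and max-src-conn-rate count completed 3-way handshakes,
# so a spoofed source cannot drive a third party into the table.
#   max 100            at most 100 states under this rule in total
#   source-track rule  per-source counters scoped to this rule
#   max-src-conn 10    at most 10 established connections per source
#   max-src-conn-rate  at most 5 new connections per source per 200 s
#   overload ... flush global
#                      offenders go into <bruteforce>; all their existing
#                      states, under any rule, are killed
tcp_limits = "(max 100, source-track rule, max-src-conn 10, max-src-conn-rate 5/200, overload <bruteforce> flush global)"

# UDP: no handshake, so the TCP-only counters do not apply. max-src-states
# limits state entries per source; once a source holds 5, further packets
# that would need a new state are dropped (the src-limit counter in
# "pfctl -s info" increments) rather than adding the address to the table.
udp_limits = "(max 100, source-track rule, max-src-states 5)"

# Act on the table first; quick stops evaluation, so later pass rules
# never see traffic from a listed source.
block in quick on $ext_if from <bruteforce>

# On FreeBSD, pass rules default to keep state and, for TCP, to flags S/SA,
# so neither needs to be spelled out here.
pass in on $ext_if proto tcp from any to ($ext_if) port 22    $tcp_limits
pass in on $ext_if proto udp from any to ($ext_if) port 64738 $udp_limits
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -t bruteforce -T show` lists the addresses currently blocked; since `overload` never removes entries, age them out with `pfctl -t bruteforce -T expire 86400` (entries older than one day) from a periodic job, or remove one by hand with `pfctl -t bruteforce -T delete <addr>`. The per-source counters themselves are visible with `pfctl -s Sources`.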