Thanks guys!

I had to disable it as soon as I found out so the relevant logs are
probably too far up the buffer, but I'll set up a test server ASAP and
study the tcpdump in detail.

> Somehow your mobiles hit either the fifteen new connections per five
> seconds max (that's only three new connections per second) or the 100
> simultaneous connections.  Impossible to say which one without studying
> the actual session data via tcpdump. Unless the back end is too brittle,
> consider loosening the rate limiting or discarding it altogether.
>
> You could try temporarily removing either the max-src-conn or the
> max-src-conn-rate setting to see which one trips up the mobiles.

Basically it's a social network geared towards teens, who tend to use
mobile for everything. I'm guessing properly designed spam bots would go
slow and at random intervals, so I'm not so sure how effective bruteforce
for httpd would actually be?

> Do you want to block >15/5 clients?

I'm not so sure anymore.

> Possibly relevant question: do all clients receive the same content, or
> is there a separate version you serve to mobile clients?

Currently it's all the same content. I'm planning to use Nginx to redirect
to a dedicated mobile site later on though.

Thank you!

Mikkel



2013/2/6 Peter N. M. Hansteen <pe...@bsdly.net>

> Mikkel Bang <facebookman...@gmail.com> writes:
>
> > Turns out this (http://home.nuug.no/~peter/pf/en/long-firewall.html) bans
> > any IP connecting from mobile devices:
>
> Well, that document says a lot of other stuff too, so please be more
> specific.
>
> > pass in on $ext_if inet proto tcp from any to any port 80 keep state
> > (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush
> > global)
> >
> > Works fine when connecting from regular PCs though. Why is that? Do mobile
> > devices connect differently somehow?
>
> Somehow your mobiles hit either the fifteen new connections per five
> seconds max (that's only three new connections per second) or the 100
> simultaneous connections.  Impossible to say which one without studying
> the actual session data via tcpdump. Unless the back end is too brittle,
> consider loosening the rate limiting or discarding it altogether.
>
> You could try temporarily removing either the max-src-conn or the
> max-src-conn-rate setting to see which one trips up the mobiles.
>
> Possibly relevant question: do all clients receive the same content, or
> is there a separate version you serve to mobile clients?
>
> - P
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
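Added illustration, not code from this thread or from pf itself: a small Python model of the two per-source limits in the quoted rule (max-src-conn 100 and max-src-conn-rate 15/5), run over constructed connection traces to show which limit a given client behaviour trips first and at what point loosening the rate helps. The traces are invented for the example; the "several phones behind one NAT address" trace is an assumption about one way mobile clients can share a source IP, not a diagnosis of this particular site. The rate counter here is an exact trailing window, whereas pf uses a decaying-average approximation, so pf may trip a little earlier or later than this model.

```python
"""Model of pf's per-source state-tracking limits (max-src-conn and
max-src-conn-rate) applied to constructed connection traces.

Assumptions (added illustration, not pf's implementation):
 - max-src-conn is exceeded once more than `max_conn` connections from one
   source are open at the same time;
 - max-src-conn-rate n/s is exceeded once more than `n` connections have
   been opened within the trailing `s` seconds (pf approximates this with a
   decaying average, so it is not exact).
Times are integer milliseconds so the traces are reproducible.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    t_ms: int      # milliseconds since the start of the trace
    kind: str      # "open" = handshake completed, "close" = state removed


def first_overload(events: List[Event], max_conn: int = 100,
                   rate_limit: int = 15, rate_seconds: int = 5
                   ) -> Optional[Tuple[str, int]]:
    """Return (limit_name, t_ms) for the first event that would put the
    source into the overload table, or None if neither limit trips."""
    open_states = 0
    recent_opens: List[int] = []          # open timestamps inside the window
    window_ms = rate_seconds * 1000
    # sorted() is stable, so events with equal timestamps keep list order
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "open":
            open_states += 1
            recent_opens = [ts for ts in recent_opens
                            if ev.t_ms - ts < window_ms]
            recent_opens.append(ev.t_ms)
            if open_states > max_conn:
                return ("max-src-conn", ev.t_ms)
            if len(recent_opens) > rate_limit:
                return ("max-src-conn-rate", ev.t_ms)
        else:
            open_states -= 1
    return None


# --- constructed traces (invented for this example, not captured data) ---

def desktop_trace() -> List[Event]:
    """One browser opening six keep-alive connections and then reusing them."""
    return [Event(i * 50, "open") for i in range(6)]


def short_lived_burst_trace() -> List[Event]:
    """A client opening 20 connections 100 ms apart, closing each after 300 ms."""
    opens = [Event(i * 100, "open") for i in range(20)]
    closes = [Event(i * 100 + 300, "close") for i in range(20)]
    return opens + closes


def shared_ip_trace(phones: int = 4) -> List[Event]:
    """Assumed scenario: several phones behind one NAT address loading the
    page at the same moment, so their connections share one source IP."""
    events: List[Event] = []
    for _ in range(phones):
        events += desktop_trace()
    return events


def long_lived_trace() -> List[Event]:
    """101 connections opened 600 ms apart and never closed (idle keep-alives)."""
    return [Event(i * 600, "open") for i in range(101)]


if __name__ == "__main__":
    traces = [("desktop", desktop_trace()),
              ("short-lived burst", short_lived_burst_trace()),
              ("4 phones behind one NAT", shared_ip_trace()),
              ("long-lived", long_lived_trace())]
    for name, trace in traces:
        print(f"{name:24s} 15/5, 100 -> {first_overload(trace)}")
        print(f"{'':24s} 60/5, 100 -> {first_overload(trace, rate_limit=60)}")
```

Running it shows the point made in the quoted reply: the short-lived burst and the shared-address trace both hit max-src-conn-rate (at the 16th open) long before they come anywhere near 100 simultaneous states, while only the long-lived trace hits max-src-conn, and raising the rate to 60/5 clears the first two without touching the simultaneous-connection cap. A real trace from tcpdump can be turned into the same open/close events to check which limit the actual mobile sessions cross.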
