> is there any way how to limit packet per second [PPS] rate to
> IP (group of IP) ? Linux can achieve this via IPtables.
> I`ve searched a lot of web, but nothing interesting found (for PF,
> IPFilter, and IPFW).
I agree this would be a very nice addition to IPFW as a basic feature,
or maybe a more advanced version via Dummynet. It's much to easy for a
trojan / virus or intentionally malicious user to flood a FreeBSD box
setup as a router with loads of tiny UDP packets on port 80. In fact,
just a few days ago we had 2 users behind one of our FreeBSD gateways
sending huge loads of traffic to a webhosting site.. This packet count
shown below was all within a 12 hour period ;)
00010 990465375 39618916491 deny ip from 172.17.106.114 to any
00010 20010976 800449444 deny ip from 172.17.105.114 to any
Being able to put limits per protocol would be a wonderful addition.
For now what we do is setup a count rule by MAC address for every user,
we check the count rules every 60 seconds, if we begin to see packets
per second for a certain host climb above for example 4000PPS, we simply
automatically add a deny rule. These are generally users set for 1 or 2
Mbps each, so 4000PPS is pretty extreme for that kind of bandwidth
unless your doing something you shouldn't.
I've been talking to a few friends about possibly adding this to ipfw or
dummynet, and if I ever get around to a completed working version, I
would be more than happy to share, but for now, there are ways to still
fix the problem, just not as elegant as if it where actually a firewall
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"