Toomas Aas wrote:
> Hello!
>
> I have an internal network behind a gateway running ipfilter/ipnat. Is
> it possible to limit the number of simultaneous outgoing connections
> per internal client? For example, if some client runs something like
> eMule or bittorrent it creates a lot of outgoing connections which are
> passed by a 'keep state' filter rule, and I'm afraid it fills up the
> state table.
You can define a limit per-rule, like this:

pass in proto tcp from any to any port 6881:6889 flags S keep state (limit 10)
pass out proto tcp from any to any port 6881:6889 flags S keep state (limit 10)

To limit inbound and outbound bittorrent connections to 10 each.

You can also over commit with rules, so that if your state table had a
max size of 100 but you had a rule like this:

pass in proto tcp from any to any port 6881:6889 flags S keep state
pass in proto tcp from any to any port = ssh flags S keep state (limit 10)

Will *always allow* up to 10 ssh connections, even if there are 100
bittorrent connections.

Darren
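For readers who want to see the per-rule limit in the context of a whole ruleset, here is an added ipf.conf fragment (example only, not part of Darren's reply or of the ipfilter distribution). The interface name fxp0, the 192.168.1.0/24 internal range and the numeric limits are assumptions. The point it illustrates is the one above: `limit` caps the number of state entries a single rule may create, so the peer-to-peer rule can never consume more than its own share of the state table, and the administrative ssh rule keeps its own reserved share regardless of how busy the other rules are.

```conf
# Added example ipf.conf (assumed interface fxp0, assumed LAN 192.168.1.0/24).
# Rules are evaluated top to bottom; "quick" stops at the first match.

# Default policy: drop everything not explicitly passed.
block in all
block out all

# Outbound bittorrent from the LAN: state is kept so replies come back,
# but this rule may hold at most 50 state entries at any one time.
# Note: the limit is per rule, not per internal host.
pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any port 6881:6889 flags S keep state (limit 50)

# Outbound ssh from the LAN: a separate rule with its own limit, so up to
# 10 ssh sessions are always possible even when the bittorrent rule is full.
pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any port = ssh flags S keep state (limit 10)

# Everything else outbound from the LAN, with a generous but bounded cap
# so one application cannot exhaust the whole state table.
pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any flags S keep state (limit 500)
pass out quick on fxp0 proto udp from 192.168.1.0/24 to any keep state (limit 200)
```

If per-client rather than per-rule limiting is the goal, the same construction has to be repeated with one rule per internal address (or group of addresses), since each rule carries its own counter; state-table pressure from any one rule is then visible as that rule's entries hitting its limit rather than as a global table-full condition.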
