Jan, the rate limit rules are now set to add offenders to the virusprot table, which blocks all traffic from the listed addresses. So the rate limiting rules cannot be used to rate limit, only to block IPs that trigger the limit. It's a design decision that I hope is reconsidered in the future, or at least made optional per rule. Entries in the virusprot table that are 60 minutes old or older are cleared from the table once a minute.

Take a look at the /tmp/rules.debug file, you will see your rule is translated into something like this.

pass in log quick on $WAN reply-to ( rl0 11.22.33.44 ) proto tcp from any to 192.168.0.0/24 port 22 flags S/SA keep state ( max-src-conn-rate 1 /5, overload <virusprot> flush global ) label "USER_RULE: Allow SSH with limit"

Josh

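The translation Josh describes, as an added example that is not from the thread or from pfSense's own code: it reads the rate fields of the <rule> XML Jan posted, emits the pf state options that land in /tmp/rules.debug, and reports what that rate means. pf reads max-src-conn-rate as connections/seconds, so 1/5 is one new connection per five seconds, not five per second; the tag names and the pfctl expire command are assumed from pfSense 2.0 behaviour.

```python
"""Translate a pfSense <rule> rate limit into pf state options."""
import xml.etree.ElementTree as ET

# Constructed sample: Jan's rule, trimmed to the tags that matter here.
RULE_XML = """<rule>
  <type>pass</type>
  <interface>wan</interface>
  <statetype>keep state</statetype>
  <max-src-conn-rate>1</max-src-conn-rate>
  <max-src-conn-rates>5</max-src-conn-rates>
  <protocol>tcp</protocol>
  <destination><any/><port>22</port></destination>
</rule>"""


def state_options(rule_xml, table="virusprot"):
    """Return the pf state options pfSense generates for a rule that has a
    connection-rate limit, or '' when no limit is configured."""
    rule = ET.fromstring(rule_xml)
    conns = rule.findtext("max-src-conn-rate")  # GUI field: connections
    secs = rule.findtext("max-src-conn-rates")  # GUI field: seconds
    if not conns or not secs:
        return ""
    # pf syntax is max-src-conn-rate <connections>/<seconds>; a source that
    # exceeds it is added to <table> and all of its states are flushed.
    return f"max-src-conn-rate {conns}/{secs}, overload <{table}> flush global"


def effective_rate(rule_xml):
    """New connections per second one source may open before it is
    added to the overload table (0.2 for Jan's rule, i.e. one per 5 s)."""
    rule = ET.fromstring(rule_xml)
    conns = int(rule.findtext("max-src-conn-rate"))
    secs = int(rule.findtext("max-src-conn-rates"))
    return conns / secs


def expire_command(table="virusprot", max_age=3600):
    """pfctl invocation that drops table entries older than max_age seconds;
    the once-a-minute cleanup Josh mentions is this command run from cron."""
    return f"pfctl -t {table} -T expire {max_age}"


if __name__ == "__main__":
    print(state_options(RULE_XML))
    print("effective limit: %.2f new connections/s" % effective_rate(RULE_XML))
    print(expire_command())
```
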
On 11/13/2011 9:30 AM, Jan wrote:
Hi guys,

On 11/18/2010 02:55 PM Javier Marcon Servilink Web Hosting wrote:
Hello, setting simultaneous client connection limit allows you to restrict
the number of parallel connections to a server per client IP address or
client address block? When the limit is reached, does it filter all the new
connections from that IP, or does it block all connections from that IP, or
does it block all connections that match the rule?
I'd just like to get back at this. I'm running pfSense 2.0-RELEASE and at
the end of the rule set of the WAN interface I've placed the following rule
which is supposed to limit incoming connections to a maximum of 5
per second.


<rule>
         <id/>
         <type>pass</type>
         <interface>wan</interface>
         <tag/>
         <tagged/>
         <max/>
         <max-src-nodes/>
         <max-src-conn/>
         <max-src-states/>
         <statetimeout/>
         <statetype>keep state</statetype>
         <os/>
         <max-src-conn-rate>1</max-src-conn-rate>
         <max-src-conn-rates>5</max-src-conn-rates>
         <protocol>tcp</protocol>
         <source>
                 <any/>
         </source>
         <destination>
                 <any/>
                 <port>22</port>
         </destination>
         <descr><![CDATA[ssh inbound]]></descr>
</rule>


So opening a single connection to port 22 works just fine. But additional
ones are being dropped. Is this a desired behaviour on limiting
simultaneous connections or is it a limitation?

Thx

- Jan

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list