You're asking to do it for a specific URL. URLs are an application layer concept. If you wanted to handle it at the TCP handshake, then you'd use state management rules to prevent handshakes that exceed the limit. But TCP states have no concept of URLs, so you can only do 'all', or 'nothing'. HTTP keepalive will also wreak havoc on this sort of plan, since it maintains a single connection for multiple HTTP requests.
Nathan Eisenberg

From: [email protected] On Behalf Of S Ahmed
Sent: Monday, January 23, 2012 11:44 AM
To: pfSense support and discussion
Subject: Re: [pfSense] rate limiting

Excuse my newbieness, but why couldn't this be done at layer 4 in the TCP handshake?

On Mon, Jan 23, 2012 at 2:27 PM, Nathan Eisenberg <[email protected]> wrote:

Not at an HTTP layer. You could limit the maximum state entries per host to 100, and set the state timeout to 60, but then all connections (to any file) will be limited in that way.

This kind of rule belongs either at an HTTP proxy layer (if you were to frontend your website with haproxy or nginx) or in the application itself.

Nathan Eisenberg
Atlas Networks | Sr. Systems Administrator
office: 206.577.3078 | www.atlasnetworks.us

From: [email protected] On Behalf Of S Ahmed
Sent: Monday, January 23, 2012 11:20 AM
To: [email protected]
Subject: [pfSense] rate limiting

Does pfsense support rate limit for the given scenario:

Clients use an API that sends HTTP POST requests to my server at a specific URL like:

www.example.com/some_service/a/b

I want to limit the # of requests per minute to 100. If there are more than 100 requests in a given minute, I want to hard block all further requests.

I don't know client IP addresses beforehand.

Also if this is possible, could I also set different rate limits if I knew the client's IP address/server host?
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
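
The thread above places this limit in the application or an HTTP proxy rather than in firewall state tracking. As an added example (not code from the thread or from pfSense), here is a sketch of the application-side option as WSGI middleware. The names `PathRateLimiter`, `allow` and `wsgi` are hypothetical, and counting per client address with optional per-IP overrides is an assumption about what the asker wants.

```python
import threading
import time


class PathRateLimiter:
    """Fixed-window request counter for one URL path, keyed by client address."""

    def __init__(self, path, default_limit=100, window=60,
                 per_client=None, clock=time.monotonic):
        self.path = path
        self.default_limit = default_limit
        self.window = window                 # seconds
        self.per_client = per_client or {}   # known client IP -> its own limit
        self.clock = clock
        self._lock = threading.Lock()
        self._current = None                 # index of the window being counted
        self._counts = {}                    # client IP -> requests this window

    def allow(self, client_ip, path):
        if path != self.path:
            return True                      # other URLs are not limited
        with self._lock:
            index = int(self.clock() // self.window)
            if index != self._current:       # new window: drop all old counters
                self._current, self._counts = index, {}
            limit = self.per_client.get(client_ip, self.default_limit)
            seen = self._counts.get(client_ip, 0)
            if seen >= limit:
                return False                 # hard block until the window rolls over
            self._counts[client_ip] = seen + 1
            return True

    def wsgi(self, app):
        """Wrap a WSGI app; each HTTP request is counted, keepalive or not."""
        def middleware(environ, start_response):
            # REMOTE_ADDR is the TCP peer; behind a proxy that is the proxy itself.
            client = environ.get("REMOTE_ADDR", "")
            if not self.allow(client, environ.get("PATH_INFO", "")):
                start_response("429 Too Many Requests",
                               [("Content-Type", "text/plain"),
                                ("Retry-After", str(self.window))])
                return [b"rate limit exceeded\n"]
            return app(environ, start_response)
        return middleware
```

A fixed window can admit up to twice the limit across a window boundary, and the counters live in one process, so several workers each keep their own count.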
