> On 02.02.2016 at 22:28, Ugo Bellavance <[email protected]> wrote:
>
> Hi,
>
> We are thinking about limiting the amount of connections that can be open per
> IP address. We want to avoid getting hammered on a web service that is used
> by some clients. We've discovered that they sometimes open as many http
> connections as they can to perform http queries. We will ask them to
> change their application to limit the number of concurrent queries, but we're
> looking for a way to limit the abusers on our side as well. We guess that we
> can do that on the web server side, but I think that the pfSense may be of
> help.
>
> In our situation, since they are mostly "legitimate" queries, I don't think
> that there would be a difference between using the Maximum number of
> established connections or Maximum number of state entries.
>
> I have two questions:
>
> I think that when an IP address hits the limit, the packets are dropped by
> the default rule, right?
>
> I did some testing and it looks like the tcp connection is not really closed
> as soon as the http query is complete, so even if an application sends us
> queries in a serial mode (one http query at a time), many queries would get
> blocked if I set the Maximum number of established connections per host to 1.
> My goal is not to set that to 1 but I just want to illustrate the fact that
> if I tell the client to limit the # of concurrent http queries to 100, for
> example, I can't simply set the parameter to 100. According to my tests, 50
> threads can get the connection count to around 4 000.
They can use HTTP pipelining: https://en.wikipedia.org/wiki/HTTP_pipelining

So, limiting at the firewall level is pretty much pointless for somebody who wants to abuse a service. You've already asked them to stop doing this.

Maybe put nginx in front of the web service and use limit_conn and limit_req directives?

Rainer
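As an added illustration of the nginx approach suggested above (this configuration is not from the thread or from the pfSense project), the fragment below puts nginx in front of the web service and applies both directives per client IP. The zone names, zone sizes, thresholds and the backend address are assumptions chosen for this example; the numbers should be tuned to the real service.

```nginx
# Added example, not from the original thread. Zone names, sizes, thresholds
# and the upstream address are assumptions for illustration.
http {
    # Shared-memory zone keyed by client address (4 bytes for IPv4);
    # 10 MB holds roughly 160k client entries.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;

    # Request-rate zone keyed by client address: sustained 50 requests/second.
    # This counts requests, not connections, so pipelined or keep-alive
    # requests over a single TCP connection are still limited.
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=50r/s;

    # Answer 429 instead of the default 503 when a client is over the limit,
    # so limit hits are distinguishable from backend failures in logs.
    limit_conn_status 429;
    limit_req_status  429;

    # Log rejections at 'warn' so they are easy to alert on.
    limit_conn_log_level warn;
    limit_req_log_level  warn;

    upstream webservice {
        server 10.0.0.10:8080;   # assumed backend address
    }

    server {
        listen 80;

        location / {
            # At most 100 simultaneous connections from one client IP.
            # Idle keep-alive connections count too, which matches the
            # observation that connections stay open after a query completes.
            limit_conn perip_conn 100;

            # Allow a burst of 100 requests above the rate without delaying
            # them; anything beyond the burst is rejected immediately.
            limit_req zone=perip_req burst=100 nodelay;

            proxy_pass http://webservice;
            proxy_http_version 1.1;
        }
    }
}
```

The point of pairing the two directives is that limit_conn alone has the weakness described above: a client can pipeline many requests through few connections and never trip the connection cap. limit_req counts each request regardless of how many connections carry them, so the per-IP request rate is bounded even for a pipelining client, while limit_conn still caps how much connection state a single address can hold open on the server.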
