On Wed, 17 Oct 2018 17:59:08 +0200, cont...@jdubois.me wrote:
> I am trying to rate limit UDP with Packet Filter. I know there are
> rules to rate limit on TCP such as "max number" or "max-src-conn-rate
> number / interval" but I did not find anything for UDP.
>
> I still tried the options with these rules, but once the number of
> states was reached, the NTP server kept answering the requests:
>
> pass in on $ext_if proto udp to 192.0.2.1 port 123 keep state (max 10)

I think the closest to your goal is max-pkt-rate, see:

https://man.openbsd.org/pf.conf.5#max-pkt-rate

Note it won't block the IP like it does for TCP, the rule simply stops
matching packets.

This parameter was added to OpenBSD recently, but if you run a supported
OpenBSD version, it should be fine ;)

Cheers,
Daniel
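
An added example, not part of the message above: a pf.conf fragment applying max-pkt-rate to the NTP rule from the question. The interface name and the 100/10 threshold are assumed values; since the pass rule only stops matching once the rate is exceeded, a block rule placed before it decides what happens to the excess packets.

```conf
# Added example (not from the original thread).
# Assumption: external interface name; adjust to the local system.
ext_if = "em0"

# pf uses the last matching rule. While the pass rule below is within
# its rate, it matches last and wins. Once the rate is exceeded it
# stops matching, so this block rule becomes the last match.
block in on $ext_if proto udp to 192.0.2.1 port 123

# max-pkt-rate is a rule option written as number/seconds.
# Assumed threshold: up to 100 packets per 10 seconds.
# The rate is measured for the rule and the states it creates,
# not per source address, so no individual IP is blocked.
pass in on $ext_if proto udp to 192.0.2.1 port 123 max-pkt-rate 100/10

# Syntax check without loading the ruleset:
#   pfctl -nf /etc/pf.conf
```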