Hi all,

Maybe this can help, something like this:

pass in quick on $ext_if proto tcp from any to ($ext_if) port $tcp_services (max-src-conn 50, max-src-conn-rate 5/5, overload <scanners> flush global)

I use it to blacklist IPs that make too many simultaneous connections to ssh or other TCP services, but in your case you can get the source IP and do something with it, like limiting the bandwidth with queueing.

max-src-conn 50 : this is the number of simultaneous connections you allow from one host.
max-src-conn 10/5 : the rate of new connections allowed from any single host, here 10 connections per 5 seconds.

From https://man.openbsd.org/pf.conf#max-pkt-rate

Queueing <https://man.openbsd.org/OpenBSD-5.1/pf.conf.5#Queueing>
    Queueing provides rule-based bandwidth control.

max-pkt-rate <https://man.openbsd.org/pf.conf#max-pkt-rate> number/seconds
    Measure the rate of packets matching the rule and states created by it. When the specified rate is exceeded, the rule stops matching. Only packets in the direction in which the state was created are considered, so that typically requests are counted and replies are not. For example, to pass up to 100 ICMP packets per 10 seconds:

        block in proto icmp
        pass in proto icmp max-pkt-rate 100/10

    When the rate is exceeded, all ICMP is blocked until the rate falls below 100 per 10 seconds again.

max-src-conn <https://man.openbsd.org/pf.conf#max-src-conn> number
    Limits the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

max-src-conn-rate <https://man.openbsd.org/pf.conf#max-src-conn-rate> number/seconds
    Limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average.

Regards
Philippe

On Thu, 6 Aug 2020 at 17:20, Jordan Geoghegan <[email protected]> wrote:
>
>
> On 2020-08-06 13:46, Alan McKay wrote:
> > So I want to implement rate limiting, and to determine a reasonable
> > rate based on current traffic patterns I'd like to be able to figure
> > out which source IPs are generating the most connections and at what
> > rate.
> >
> > Is there a way to do that?
> >
> >
>
> There is likely a better way to do it, but a quick and dirty method to
> check for number of states for an IP address would be something like:
>
> $ doas pfctl -s state | grep -Fc "192.0.2.4"
>
> or if you wanted to check for the number of tcp or udp states specifically:
>
> $ doas pfctl -s state | grep "^all tcp" | grep -Fc "192.0.2.4"
>
>
> Regards,
>
> Jordan
>
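The grep in the quoted reply counts states for one address at a time; the script below, an added example that is not from the thread, ranks every remote source by state count so you can pick max-src-conn / max-src-conn-rate values from real traffic. It assumes the OpenBSD `pfctl -s state` line layout used in the constructed sample (`all proto dst <- src` for inbound states, `all proto src -> dst` for outbound), which you should check against a live listing.

```shell
#!/bin/sh
# Rank remote source addresses by number of pf states, from `pfctl -s state`
# output. Assumed line layout (verify on your system):
#   all tcp 192.0.2.4:22 <- 198.51.100.7:51234   ESTABLISHED:ESTABLISHED   (inbound)
#   all tcp 192.0.2.4:40100 -> 198.51.100.20:443  ESTABLISHED:ESTABLISHED  (outbound)

# Usage: pfctl -s state | top_sources [proto] [N]
#   proto: tcp, udp, ... or "" for all protocols (default: tcp); N: rows to show.
top_sources() {
    proto="${1-tcp}"; n="${2:-10}"
    awk -v proto="$proto" '
        $1 == "all" && (proto == "" || $2 == proto) {
            if ($4 == "<-")      src = $5   # inbound: remote peer is on the right
            else if ($4 == "->") src = $3   # outbound: initiator is on the left
            else next
            sub(/:[0-9]+$/, "", src)        # drop the port; keeps [v6addr] as-is
            count[src]++
        }
        END { for (s in count) print s, count[s] }
    ' | sort -k2,2nr -k1,1 | head -n "$n"
}

# Constructed sample output (documentation addresses only), not a real capture.
SAMPLE_STATES='all tcp 192.0.2.4:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.4:22 <- 198.51.100.7:51235       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.4:22 <- 198.51.100.7:51236       SYN_SENT:CLOSED
all tcp 192.0.2.4:443 <- 203.0.113.5:40001       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.4:443 <- 203.0.113.5:40002       ESTABLISHED:ESTABLISHED
all udp 192.0.2.4:53 <- 203.0.113.5:53000       MULTIPLE:SINGLE
all tcp 192.0.2.4:40100 -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED'

# Example run on the sample: 198.51.100.7 has 3 TCP states, 203.0.113.5 has 2.
printf '%s\n' "$SAMPLE_STATES" | top_sources tcp 5
```

On a live box replace the sample with `doas pfctl -s state | top_sources tcp 20`; hosts at the top of the list are the ones your max-src-conn-rate setting will hit first.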

