------- Original Message ------- On Tuesday, July 18th, 2023 at 10:59 PM, Stuart Henderson <stu.li...@spacehopper.org> wrote:
> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from communicating
> with IPs that may well get in the way i.e. trigger a "self DoS").

What a pity, this kind of rate limiting option for UDP would have been quite useful.

> You may be interested in looking into L7 methods of mitigating
> problems from high rates of DNS queries - for example dnsdist
> allows a lot of flexibility in this area.

Thanks for the hint about dnsdist, it looks powerful. Still, whenever possible I would rather avoid having an extra piece of software and instead have that traffic controlled more upstream, so ideally on the firewall directly.
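To illustrate the distinction Stuart draws, here is an added pf.conf fragment (not from the thread) for a DNS server on port 53: the per-source connection limits apply to TCP only, because PF evaluates them on completed three-way handshakes, while the UDP rule has no equivalent option. The table name dns_abusers and the thresholds are assumed values.

```pf
# Added example: PF per-source limits on a DNS service, TCP vs UDP.
table <dns_abusers> persist

# Anything that lands in the table is dropped before rule evaluation.
block in quick on egress from <dns_abusers>

# TCP/53: max-src-conn and max-src-conn-rate only count connections that
# completed the 3-way handshake, so a spoofed source address cannot get
# an innocent third party added to the table. More than 30 new
# connections in 10 s from one host adds it and flushes its states.
pass in on egress proto tcp from any to (egress) port 53 \
    keep state (max-src-conn 50, max-src-conn-rate 30/10, \
                overload <dns_abusers> flush global)

# UDP/53: no handshake, so PF provides no connection-rate option here;
# per-source limiting of UDP queries has to be done at layer 7
# (for example with dnsdist, as suggested in the thread).
pass in on egress proto udp from any to (egress) port 53 keep state
```

Entries added by `overload` stay until removed, so a periodic `pfctl -t dns_abusers -T expire <seconds>` keeps the table from growing without bound.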