On 2023-07-19, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> On 18/07/2023 23:59, Stuart Henderson wrote:
>> PF's state-tracking options are only for TCP. (Blocking an IP
>> based on number of connections from easily spoofed UDP is a good
>> way to let third parties prevent your machine from communicating
>> with IPs that may well get in the way i.e. trigger a "self DoS").
>>
>> You may be interested in looking into L7 methods of mitigating
>> problems from high rates of DNS queries - for example dnsdist
>> allows a lot of flexibility in this area.
>
>
> dnsdist looks interesting.
>
> Can it run on top of carp interfaces?

Don't think I tried it, but I don't see why not.

> Maybe even better, can it run under relayd (redirect) on top of carp?

That's just rdr-to behind the scenes, no problem with that, though if you want to do per IP rate limiting alongside load-balancing you might want "mode source-hash" rather than the default round-robin or one of the random options. (I wouldn't recommend sticky-address, because then you get into more complex paths inside PF because it has to maintain source-tracking information).
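As an added illustration of the relayd setup discussed above (this is not configuration posted in the thread, and the addresses, table name and redirect names are placeholders), here is a relayd.conf redirect that load-balances DNS arriving on a carp address across two resolvers. The commented-out variant uses the default round-robin scheduling; the active one uses "mode source-hash" so that every query from a given client IP lands on the same resolver, which is what a per-client rate limit running on that resolver (for example in dnsdist) needs in order to see the client's whole query stream. The "udp"/"tcp" keywords on "listen on" follow relayd.conf(5) as I know it; confirm against the manual page of your release.

```conf
# Added example, not from the thread. Placeholder addresses throughout.

# CARP address the clients send their queries to (placeholder).
dns_vip = "192.0.2.53"

# Backend resolvers (placeholders). relayd installs this table into PF
# and removes hosts that fail the health check.
table <resolvers> { 10.0.0.11 10.0.0.12 }

# Default scheduling is round-robin: consecutive queries from one client
# alternate between the resolvers, so a per-client limit enforced on a
# resolver only sees roughly half of that client's traffic.
#
# redirect dns_roundrobin {
#         listen on $dns_vip udp port 53
#         listen on $dns_vip tcp port 53
#         forward to <resolvers> port 53 check icmp
# }

# source-hash maps each client IP to one resolver by hashing the source
# address, so no PF source-tracking state is needed (unlike sticky-address)
# and the chosen resolver sees every query that client sends.
redirect dns {
        listen on $dns_vip udp port 53
        listen on $dns_vip tcp port 53
        forward to <resolvers> port 53 mode source-hash check icmp
}
```

pf.conf must carry `anchor "relayd/*"` so relayd can load its generated rdr-to rules; `pfctl -a 'relayd/*' -sr` shows the rules it installed, and `relayctl show summary` shows which resolvers the health check currently considers up.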