On 2023-07-19, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> On 18/07/2023 23:59, Stuart Henderson wrote:
>> PF's state-tracking options are only for TCP. (Blocking an IP
>> based on number of connections from easily spoofed UDP is a good
>> way to let third parties prevent your machine from communicating
>> with IPs that may well get in the way i.e. trigger a "self DoS").
>> You may be interested in looking into L7 methods of mitigating
>> problems from high rates of DNS queries - for example dnsdist
>> allows a lot of flexibility in this area.
> dnsdist looks interesting.
> Can it run on top of carp interfaces?

Don't think I tried it, but I don't see why not.

> Maybe even better, can it run under relayd (redirect) on top of carp?

That's just rdr-to behind the scenes, no problem with that, though if
you want to do per IP rate limiting alongside load-balancing you might
want "mode source-hash" rather than the default round-robin or one of
the random options.

(I wouldn't recommend sticky-address, because then you get into more
complex paths inside PF because it has to maintain source-tracking

Reply via email to