The ipfw limit option is easy to DoS. For example:

ipfw add tcp from any to 80 limit 1000

limits connections from any to 1000. But an attacker can generate spoofed TCP packets to make the rule's limit counter exceed 1000. Therefore, for pf, it is also possible to be DoSed if you limit the states that are created from some rule. Of course, if you don't limit the states, the DoS is also possible.

Therefore, my suggestion is to limit the states by protocol. For ICMP, limit the states created by the ICMP protocol to 1000 states (it is not possible to have a lot of ICMP sessions in a normal environment). For UDP, limit to 5000 states or less according to your service; if you don't provide any UDP service, 5000 is enough for outgoing DNS packets. For TCP, limit to a high value according to your memory capacity.

But the limit implementation is a little bit different: the limit counter is increased by one only after the state becomes ESTABLISHED and decreased by one only after the state expires.
----- Original Message -----
From: "Niki Denev" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 14, 2003 6:48 PM
Subject: source limit

> Currently with the option to limit the states that are created from some
> rule, I can limit the total connections to some machine/service.
> But it would be very nice if it is possible to limit the connections from a
> single IP (I mean not a specific IP, but from 'any'), much like the effect
> that can be achieved with ipfw on fbsd with 'limit src-addr'.
> Something like counting not only the states created by a given rule number,
> but the states created by a given IP address and rule number.
> What do you think?
>
> --
> Cheers,
> Niki
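As an added illustration (not code from either message above), the following pf.conf fragment puts a single per-rule limit on the web server next to the per-protocol limits the reply suggests. The interface name fxp0, port 80 and the numeric limits are assumptions chosen for the example; adjust them to your own memory and traffic.

```pf
# Added example, not from the original thread. Interface, port and limits
# are assumed values for illustration.

ext_if = "fxp0"

# Global ceiling on the state table: the hard memory bound that all of the
# per-rule limits below sit underneath.
set limit states 100000

# --- one limit on one rule ---------------------------------------------------
# Every state this rule creates counts toward the 1000, including the states
# opened by spoofed SYNs that will never complete a handshake. Once the
# counter is full, real clients are refused until the stale states time out.
pass in on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA keep state (max 1000)

# --- limits per protocol -------------------------------------------------------
# ICMP: few sessions exist in normal operation, so a small ceiling suffices.
pass in on $ext_if inet proto icmp from any to $ext_if \
    keep state (max 1000)

# UDP: with no UDP service offered, only replies to outgoing queries such as
# DNS need state; 5000 is plenty for that.
pass out on $ext_if proto udp from $ext_if to any port 53 \
    keep state (max 5000)

# TCP: allow many states, bounded mainly by memory. flags S/SA means only an
# initial SYN creates state, so a stray ACK or RST from a spoofed source does
# not get a state entry at all.
pass in on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA keep state (max 50000)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch the counters with `pfctl -s info` and `pfctl -s states`. Note that pf's `max` counts every state the rule holds, half-open ones included, which is why the reply's point about counting only ESTABLISHED states matters. Later pf releases added the per-source options `max-src-nodes` and `max-src-states`, which is what the original message asks for; see pf.conf(5) on your system for whether yours has them.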
