On Mon, May 31, 2004 at 02:39:50AM +0200, Ed White wrote:
> Playing with custom pf.conf I've understood that "source-track rule" and
> "source-track global" permit to manage in a different way all the src IP
> states, however I'd like to receive some confirms.
>
> 1) pass in quick inet proto tcp to port 25 keep state \
>       (source-track rule, max-src-nodes 100, max-src-states 2)
>
> This means that a max number of 100 IPs could connect and that each of them
> could have a max number of 2 active connections to this port. Right ?

Yes.

> 2) set limit src-nodes 3000
>    pass in quick inet proto tcp to port 80 keep state \
>       (source-track global, max-src-states 5)
>    pass in quick inet proto tcp to port 443 keep state \
>       (source-track global, max-src-states 2)
>
> This means that a max number of 3000 IPs could connect and that each one of
> them could have a max number of 5 active connections to port 80 and a max
> number of 2 active connections to port 443. Right ?

Yes.
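
The per-rule case from question 1, as an added example that is not part of the original thread: a small Python model (not pf code) of how `max-src-nodes 100` and `max-src-states 2` gate new states under `source-track rule`. The class and function names are hypothetical, the addresses are constructed documentation-range values, and the model assumes a source node is freed as soon as its last state closes.

```python
# Added illustration: toy model of per-rule source tracking, not pf's own code.
from collections import Counter


class RuleSourceTracker:
    """One rule with (source-track rule, max-src-nodes N, max-src-states M)."""

    def __init__(self, max_src_nodes, max_src_states):
        self.max_src_nodes = max_src_nodes
        self.max_src_states = max_src_states
        self.states = Counter()  # source IP -> active states created by this rule

    def open_state(self, src_ip):
        """Return True if a new state is created, False if a limit blocks it."""
        if src_ip not in self.states:
            # New source: needs a free source node slot.
            if len(self.states) >= self.max_src_nodes:
                return False
        elif self.states[src_ip] >= self.max_src_states:
            # Known source already holds its maximum number of states.
            return False
        self.states[src_ip] += 1
        return True

    def close_state(self, src_ip):
        """Drop one state; free the source node when none remain (assumption)."""
        if src_ip not in self.states:
            return
        self.states[src_ip] -= 1
        if self.states[src_ip] <= 0:
            del self.states[src_ip]


def simulate_smtp_rule():
    """Replay constructed traffic against the port 25 rule from question 1."""
    tracker = RuleSourceTracker(max_src_nodes=100, max_src_states=2)
    results = {}
    # One source tries three simultaneous connections: the third is refused.
    results["same_ip"] = [tracker.open_state("192.0.2.1") for _ in range(3)]
    # 99 further sources bring the rule to its 100 source nodes.
    for host in range(2, 101):
        tracker.open_state(f"198.51.100.{host}")
    results["source_101"] = tracker.open_state("203.0.113.7")
    # Once the first source closes both states, a slot becomes available.
    tracker.close_state("192.0.2.1")
    tracker.close_state("192.0.2.1")
    results["after_release"] = tracker.open_state("203.0.113.7")
    return results
```
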
