On 8/17/05, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Wed, Aug 17, 2005 at 01:42:52PM +0800, Kent Ho wrote:
> > Is there a way to throttle the number of connections from a CIDR block?
> >
> > e.g. Allow only 20 connections from the entire 192.168.2.0/24 subnet. . . .
>
> Yes, it's possible with per-rule limits: restricting the number of
> states one rule may create, like
>
> pass ... from 192.168.2.0/24 ... keep state (max 20)

Hey, that's a cool feature I hadn't noticed. Unfortunately, just like queueing, you have to know which specific networks your traffic is coming from in order to control the rate, whereas for a web server you probably want to limit sessions and bandwidth for any and all arbitrary /24 blocks. How well can pf optimize a ~10 million line policy?

> The usual per-IP limiting options (source-track, max-src-nodes,
> max-src-states, max-src-conn, and max-src-conn-rate) don't work per CIDR
> block, however.

Some applications include code to throttle the number of concurrent inbound connections from any CIDR block; this is a common request for SMTP listeners.
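As an added illustration of the application-side approach mentioned at the end of the reply (this is example code written for this page, not pf's code and not any listener's actual implementation), here is a small limiter that accounts each connection under the /24 block (or /64 for IPv6) of the peer address, so any arbitrary block is capped without listing networks in a policy. The class name, the default cap of 20 and the prefix lengths are assumptions chosen to match the thread.

```python
import ipaddress
import threading
from collections import defaultdict


class CidrConnectionLimiter:
    """Cap concurrent connections per CIDR block without enumerating blocks.

    Constructed example: pf's 'keep state (max N)' needs one rule per network,
    whereas this keys a counter on whatever block the peer address falls in.
    """

    def __init__(self, max_per_block=20, v4_prefix=24, v6_prefix=64):
        self.max_per_block = max_per_block
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._active = defaultdict(int)   # block -> open connections
        self._lock = threading.Lock()     # listeners accept from many threads

    def block_key(self, ip):
        """Map a peer address to the CIDR block it is accounted under."""
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def acquire(self, ip):
        """Admit a new connection from ip, or return False if its block is full."""
        key = self.block_key(ip)
        with self._lock:
            if self._active[key] >= self.max_per_block:
                return False
            self._active[key] += 1
            return True

    def release(self, ip):
        """Account for a closed connection so the block's slot is freed."""
        key = self.block_key(ip)
        with self._lock:
            if self._active[key] > 0:
                self._active[key] -= 1
            if self._active[key] == 0:
                del self._active[key]     # keep the table bounded

    def active(self, ip):
        """Current number of open connections from ip's block."""
        with self._lock:
            return self._active.get(self.block_key(ip), 0)
```

Call `acquire()` in the accept path and `release()` when the connection closes; a `False` from `acquire()` is the point at which a listener would refuse or defer the client.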
