Hi Daniel,

Many thanks for your help. I'll work with the per-rule method for the moment.

I have a group of IPs & CIDRs for which I want to restrict connections from each entry. For example I might have:

192.168.5.5
192.168.2.0/24
192.168.3.56
192.168.8.0/22

Put all these in a <table> and do something like:

pass ... from <table> to any port 25 flags S/SA keep state (per-entry-track rule, max 10)

So each entry in the table is limited to 10 connections from its IP(s) or CIDR(s). This helps keep the rule sets small and saves writing/scripting the individual per-rule entries. Also handy when I want to apply bandwidth queueing to it as well. Not sure if this is doable though.

thx
Kent.

> Yes, it's possible with per-rule limits: restricting the number of
> states one rule may create, like
>
> pass ... from 192.168.2.0/24 ... keep state (max 20)
>
> As soon as this rule tries to create more than 20 concurrent state
> entries, further connections are dropped.
>
> The tricky part is to make sure ALL connections from that block use this
> rule as last matching rule. For instance, if you have multiple rules for
> that block, like
>
> pass ... from 192.168.2.0/24 to any port 25 keep state (max 20)
> pass ... from 192.168.2.0/24 to any port 80 keep state (max 20)
>
> the limits are not linked, i.e. there may be 20 connections to port 25
> as well as 20 connections to port 80 (for a total of 40 connections).
>
> You can use tags to funnel multiple matching rules through one last
> matching rule (with a single limit there), like
>
> pass ... from 192.168.2.0/24 to any port 25 tag limited
> pass ... from 192.168.2.0/24 to any port 80 tag limited
> pass ... tagged limited keep state (max 20)
>
> The usual per-IP limiting options (source-track, max-src-nodes,
> max-src-states, max-src-conn, and max-src-conn-rate) don't work per CIDR
> block, however.
>
> Daniel
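A small generator for the per-rule approach Kent settled on, combined with Daniel's tag funnel so that every rule for one entry shares a single "max" limit. This is an added example, not code from either poster; the $ext_if macro, the tag names and the sample entry list are assumptions.

```shell
#!/bin/sh
# Emit pf.conf rules that cap concurrent states per listed IP/CIDR.
# For each entry: one tagging rule per port, then one last-matching
# "tagged" rule that creates state and carries the limit, so all ports
# for that entry count against the same max (Daniel's funnel).
#
# Usage: gen_limit_rules MAX "PORT ..." ADDR...
gen_limit_rules() {
    max=$1
    ports=$2
    shift 2
    n=0
    for src in "$@"; do
        # Reject anything that is not digits, dots and an optional /prefix,
        # so a typo in the list cannot become an over-broad rule.
        case $src in
            ''|*[!0-9./]*)
                printf 'skipping malformed entry: %s\n' "$src" >&2
                continue ;;
        esac
        n=$((n + 1))
        tag="limited_$n"
        # Tagging rules: only initial SYNs (flags S/SA), so packets without
        # a state entry are not passed statelessly by these rules.
        for port in $ports; do
            printf 'pass in on $ext_if proto tcp from %s to any port %s flags S/SA tag %s\n' \
                "$src" "$port" "$tag"
        done
        # Last matching rule for this entry: all tagged SYNs share one limit.
        printf 'pass in on $ext_if proto tcp tagged %s flags S/SA keep state (max %s)\n' \
            "$tag" "$max"
    done
}

# Constructed sample: the entries from the message above, port 25, max 10.
gen_limit_rules 10 "25" 192.168.5.5 192.168.2.0/24 192.168.3.56 192.168.8.0/22
```

Pipe the output into pf.conf where $ext_if is defined, then verify with `pfctl -nf` before loading.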
