Hello, I'm trying to block access to 'Google Search' from a specific host running PF after it has reached 17k requests in 24h. The threshold is below the one defined by the Google API.

To achieve this I'd like to use PF. I came up with this rule:

--
pass out on $net proto tcp from any to 'www.google.com' port www flags S/SA keep state (max-src-conn 200, max-src-conn-rate 17500/86400)
--

However, PF knows that 'google' resolves to 5 IPs (load balancing, speed optimization, etc.), so my 'pfctl -sr' shows:

--
pass out on vte0 inet proto tcp from any to 173.194.44.81 port = http flags S/SA keep state (source-track rule, max-src-conn 200, max-src-conn-rate 17500/86400, src.track 86400)
pass out on vte0 inet proto tcp from any to 173.194.44.82 port = http flags S/SA keep state (source-track rule, max-src-conn 200, max-src-conn-rate 17500/86400, src.track 86400)
pass out on vte0 inet proto tcp from any to 173.194.44.83 port = http flags S/SA keep state (source-track rule, max-src-conn 200, max-src-conn-rate 17500/86400, src.track 86400)
pass out on vte0 inet proto tcp from any to 173.194.44.80 port = http flags S/SA keep state (source-track rule, max-src-conn 200, max-src-conn-rate 17500/86400, src.track 86400)
pass out on vte0 inet proto tcp from any to 173.194.44.84 port = http flags S/SA keep state (source-track rule, max-src-conn 200, max-src-conn-rate 17500/86400, src.track 86400)
--

However, each of these IP addresses now has a set of 17500/86400. That's not exactly what I want. I need to keep track of all requests made to each and every one of these IP addresses. I know that PF supports "source-track global", but as I understand the option it was not meant to be used like that. Any thoughts or ideas are welcome!

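The following pf.conf fragment is an added example, not part of the original post: it puts the resolved addresses in a table so the pass rule stays a single rule with one per-source counter, instead of being expanded into one rule (and one counter) per address. The interface name vte0, the table names <google> and <google_abusers>, and the overload block are assumptions chosen for this example.

```pf
# Added example, not the poster's configuration.
# Rules that reference a table are not expanded per address the way a
# hostname that resolves to several addresses is, so PF keeps ONE rule
# and therefore one max-src-conn-rate counter per source address that
# covers every address in the table.
net = "vte0"

# Resolved once when the ruleset is loaded. Google's addresses change,
# so refresh the table from cron, e.g.:
#   pfctl -t google -T replace www.google.com
table <google> persist { www.google.com }

# Sources that exceed the rate are added here by the overload option.
table <google_abusers> persist

# Must come before the pass rule: sources already overloaded are dropped
# (only towards Google; other traffic from that host is unaffected).
block out quick on $net proto tcp from <google_abusers> to <google> port www

# Single rule: "source-track rule" is implied by max-src-conn-rate and is
# keyed on the source address, counting connections to any <google> entry.
# Note that PF counts new TCP connections (state creations), not HTTP
# requests; a keep-alive connection carrying many requests counts once.
pass out on $net proto tcp from any to <google> port www \
    flags S/SA keep state \
    (max-src-conn 200, max-src-conn-rate 17500/86400, \
     overload <google_abusers> flush)
```

Check the result with `pfctl -nf /etc/pf.conf` and then `pfctl -sr`: the pass rule should appear once, with `to <google>` rather than one copy per IP, and `pfctl -t google_abusers -T show` lists hosts that have tripped the limit.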