[unisog] High speed firewalls - Connections per second not bits per second
acgetchell at ucdavis.edu
Tue Feb 22 19:52:15 GMT 2005
> I seem to recall someone adding a connection rate limiting
> per source IP on some firewall product but I can't recall
> which one. The problem you're having is that the 1k cps is
> shared amongst all your users rather than giving an
> individual IP his own right to kill his own connection. This
> has got to be a common problem for fw vendors these days.
> In quick googling, I've seen hints that iptables and maybe
> very new OpenBSD/pf support them. Surely some commercial
> product also contains that feature.
Sure, it's not really a problem using OpenBSD/pf.
For example, the rule:
pass in on $ext_if inet proto tcp from any to 10.0.0.1 port = www \
flags S/SA synproxy state (source-track rule, max-src-conn 1000, \
max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
Completes the 3-way handshake on the firewall before passing the connection
to the host (synproxy state)
Allows a maximum of 1000 connections from a given source at a rate of 1000 per
5 seconds (max-src-conn 1000, max-src-conn-rate 1000/5), passes hosts which
exceed these bounds into the <bad> table and flushes all connections
originating from that host (overload <bad> flush global), and retains source
tracking entries for 5 seconds after the last state expires (src.track 5).
Combine this with adaptive state table entries and you'll ensure that you
don't run out of states.
* Adam Getchell, M.S.
* Application Developer
* College of Agricultural & Environmental Sciences Deans' Office
* acgetchell at ucdavis.edu (530)752-9284
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
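For readers who want to see the rule above in context, here is a minimal pf.conf fragment added to this thread as an illustration; it is not from Adam's post or from the OpenBSD project. The interface name, the state limit and the adaptive timeout values are assumed for illustration and should be sized to the firewall in question.

```pf
# Added example, not from the original post. Interface name, address and
# the numeric limits below are assumed values chosen for illustration.
ext_if = "em0"

# Table that receives sources exceeding the connection limits. "persist"
# keeps the table in the kernel even while no rule is referencing it.
table <bad> persist

# Adaptive state timeouts: once the state table holds more than
# adaptive.start entries, pf scales every timeout down linearly, reaching
# zero at adaptive.end, so a flood cannot exhaust the table.
set limit states 100000
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Drop traffic from overloaded sources before the pass rule is evaluated.
block in quick on $ext_if from <bad>

# The rule from the post: proxy the handshake, cap per-source connections
# and connection rate, and move offenders into <bad>, flushing their states.
pass in on $ext_if inet proto tcp from any to 10.0.0.1 port = www \
    flags S/SA synproxy state (source-track rule, max-src-conn 1000, \
    max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Sources that have been overloaded can be listed with `pfctl -t bad -T show` and released with `pfctl -t bad -T delete <address>`; without such a release (or an explicit expiry mechanism) an address stays in the table until the ruleset is reloaded, so the limits should be generous enough that legitimate busy clients behind a NAT are not swept up.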