[unisog] High speed firewalls - Connections per second not bi ts per second

Getchell, Adam acgetchell at ucdavis.edu
Tue Feb 22 19:52:15 GMT 2005

> I seem to recall someone adding a connection rate limiting 
> per source IP on some firewall product but I can't recall 
> which one.  The problem you're having is that the 1k cps is 
> shared amongst all your users rather than giving an 
> individual IP his own right to kill his own connection.  This 
> has got to be a common problem for fw vendors these days.
> In quick googling, I've seen hints that iptables and maybe 
> very new OpenBSD/pf support them.  Surely some commercial 
> product also contains that feature.

Sure, it's not really a problem using OpenBSD/pf.

For example, the rule:

pass in on $ext_if inet proto tcp from any to port = www \
	flags S/SA  synproxy state (source-track rule, max-src-conn 1000, \
	max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5) 

Completes the 3-way handshake on the firewall before passing the connection
to the host (synproxy state)

Allows a 1000 maximum connections from a given source at a rate of 1000 per
5 seconds (max-src-conn 1000, max-src-conn-rate 1000/5), passes hosts which
exceed these bounds into the <bad> table and flushes all connections
originating from that host (overload <bad> flush global), and retains source
tracking entries for 5 seconds after the last state expires (src.track 5).

Combine this with adaptive state table entries and you'll ensure that you
don't run out of states.

> Chris

* Adam Getchell, M.S.
* Application Developer
* College of Agricultural & Environmental Sciences Deans' Office
* acgetchell at ucdavis.edu      (530)752-9284
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu 

More information about the unisog mailing list