OpenBSD Journal

Source Tracking in PF

Contributed by jose on from the new-features dept.

I saw a new feature has been added to PF:

Subject:  Source Tracking in PF
From:     Ryan McBride
Date:     2003-12-15 0:23:58
I just committed code which adds support to track stateful connections
by source IP address. This allows a user to:
- Ensure that clients get a consistent IP mapping with load-balanced
  translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

As always, the more people who test this and provide feedback, the
happier I am. Read below for details.

-Ryan

Read Ryan's mail for a longer description of how to do this. Those of you multihoming or load balancing with PF are going to love this.

Comments
  1. By Anonymous Coward () on

    I am especially thinking about all the guys in the apache and www-servers newsgroups asking how to limit the number of simultaneous connections to Apache :-)
    Thanks!

    Comments
    1. By Anonymous Coward () on

      Isn't there already this option, something like tcp.100 or tcp(100), something like this? I'm just going by memory.

    2. By Anonymous Coward () on

      Which is not so good since a lot of people sit behind NAT gateways.

  2. By gwyllion () on

    I saw another new feature has been added to PF:
    Add initial support for pf state synchronization over the network.
    Implemented as an in-kernel multicast IP protocol.

    Turn it on like this:

    # ifconfig pfsync0 up syncif fxp0

    There is not yet any authentication on this protocol, so the syncif must be on a trusted network, i.e., a crossover cable between the two firewalls.

  3. By Anonymous Coward () on

    From the email example...

    The following rule allows a maximum of 1000 source ip's to connect to a webserver, each with a maximum of 3 simultaneous states:

    pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state (source-track, max-src-states 3, max-src-nodes 10)

    Shouldn't that be "max-src-nodes 1000" instead of 10? Just wanting to make sure I understood the example correctly. :)

    Comments
    1. By Foxy () foxy@free.fr on http://foxy.free.fr

      Shouldn't that be "max-src-nodes 1000" instead of 10? Just wanting to make sure I understood the example correctly.

      You understand correctly: with "max-src-nodes 10", it's a maximum of 10 (NOT 1000) source ip's that will be able to connect to the server.
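The three uses Ryan lists (consistent mapping under load balancing, a per-client state limit, and a cap on the number of clients) put together in one pf.conf fragment, as an added example that is not from Ryan's mail, the page, or the OpenBSD source. It keeps the page's $ext_if, $webserver, "port www" and "flags S/SA"; the pool addresses, the fxp0 interface name, the "sticky-address" pool option and the "source-track rule" form are assumptions about the pf.conf syntax of that era. The pass rule uses the max-src-nodes 1000 value the page's prose describes rather than the 10 in its rule text, which Foxy's reply points out limits you to ten sources.

```pf
# Added example, not the page's or PF's own configuration.
# Macro values below are placeholders; $ext_if and $webserver follow the page's rule.
ext_if    = "fxp0"
webserver = "192.0.2.10"
web_pool  = "{ 10.0.0.11, 10.0.0.12, 10.0.0.13 }"

# Use 1: consistent IP mapping with a load-balanced translation rule.
# round-robin picks a backend per new connection; sticky-address (assumed
# pool option) keeps a given client IP on the same backend for as long as
# its source-tracking entry exists, so a session is not split across hosts.
rdr on $ext_if proto tcp to $webserver port www -> $web_pool round-robin sticky-address

# Uses 2 and 3: limit states per client and the number of clients.
# Filtering sees the translated (pool) address, so the pass rule matches it.
# max-src-nodes 1000: at most 1000 distinct source IPs get tracking entries.
# max-src-states 3:   each tracked source IP may hold at most 3 states.
# With max-src-nodes 10, as in the page's rule text, only ten sources fit.
pass in on $ext_if proto tcp to $web_pool port www flags S/SA \
    keep state (source-track rule, max-src-nodes 1000, max-src-states 3)
```

The per-source limits count by source IP, so, as the second anonymous comment notes, a whole office behind one NAT gateway counts as a single source and shares its three states; size max-src-states with that in mind. Once loaded, the tracking entries can be inspected with pfctl -s Sources and cleared with pfctl -F Sources.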

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]