pf限制session數 - BBS

※ 引述《yao1973 (更!說話是會死喔?!)》之銘言：
: ※ 引述《arpcar (鯉魚)》之銘言：
: : 可以試試packet filter。功能強大﹐書寫簡便。
: : macro和table會讓生活變得輕鬆。
: 大大你好
: 我已經裝好了packet filter
: 也是著把NAT的防火牆設定 設定起來了
: 可是我在想 該如何用packet filter
: 來限制我NAT底下 某台電腦連外的session數呢？
: （我看到一些範例是在討論 頻寬設定的）
: 謝謝 :)
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from $int_if:network to any port $tcp_services \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload <bruteforce> flush global)

max-src-conn is the number of simultaneous connections you allow from
one host. In this example, I’ve set it at 100, in your setup you may want a
slightly higher or lower value.
max-src-conn-rate is the rate of new connections allowed from any single
host, here 15 connections per 5 seconds. Again, you are the one to judge
what suits your setup.
overload <bruteforce> means that any host which exceeds these limits
gets its address added to the table bruteforce. Our rule set blocks all
traffic from addresses in the bruteforce table.

參見﹕Firewalling with OpenBSD's PF packet filter

--