pf: limiting the number of sessions - BBS
By Odelette
at 2005-12-08T17:24
※ Quoting 《yao1973 (更!說話是會死喔?!)》:
: ※ Quoting 《arpcar (鯉魚)》:
: : You could try packet filter. It is powerful and the syntax is simple to write.
: : Macros and tables will make life easier.
: Hello,
: I have already installed packet filter
: and have also tried to set up the NAT firewall configuration.
: What I am wondering is how to use packet filter
: to limit the number of outbound sessions from a particular machine behind my NAT.
: (The examples I have seen discuss bandwidth settings.)
: Thanks :)
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from $int_if:network to any port $tcp_services \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload <bruteforce> flush global)
max-src-conn is the number of simultaneous connections you allow from
one host. In this example, I’ve set it at 100, in your setup you may want a
slightly higher or lower value.
max-src-conn-rate is the rate of new connections allowed from any single
host, here 15 connections per 5 seconds. Again, you are the one to judge
what suits your setup.
overload <bruteforce> means that any host which exceeds these limits
gets its address added to the table bruteforce. Our rule set blocks all
traffic from addresses in the bruteforce table.
See: Firewalling with OpenBSD's PF packet filter
--
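As an added example (not part of the original post or of the PF guide it quotes), here is a fuller pf.conf fragment that answers the question as asked: per-host session limits for LAN clients behind NAT. The limits are placed on the inbound side of the internal interface, because in this generation of pf the nat rule translates packets before the filter rules on $ext_if see them, so a rule on $ext_if would count every LAN host under the single translated address. Interface names, the LAN network, the table name and all numeric limits are assumed values.

```pf
# Added example: per-host session limits for LAN clients behind NAT.
# Interface names, network and numeric limits are assumed values.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"

# Hosts that exceed the limits are put here; "persist" keeps the table
# alive even while no rule references it.
table <overlimit> persist

# NAT is applied before filtering on $ext_if, so rules on $ext_if see the
# translated address. Per-LAN-host accounting must therefore sit on $int_if.
nat on $ext_if from $lan_net to any -> ($ext_if)

block all
pass quick on lo0

# Anything already over the limit is cut off before the pass rules below.
block in quick on $int_if from <overlimit>

# max-src-states:    all state entries (TCP, UDP, ICMP) per source address
# max-src-conn:      TCP connections that completed the handshake, per source
# max-src-conn-rate: new TCP connections per source, here 30 per 10 seconds
# overload ... flush: add the offender to the table and kill the states
#                     this rule created for it
pass in on $int_if inet proto tcp from $lan_net to any \
    flags S/SA keep state \
    (max-src-states 200, max-src-conn 100, max-src-conn-rate 30/10, \
     overload <overlimit> flush)

# UDP and ICMP have no handshake, so only the state-count limit applies.
pass in on $int_if inet proto { udp icmp } from $lan_net to any \
    keep state (max-src-states 50)

pass out on $ext_if keep state
```

To watch it work, `pfctl -s states` lists the current state entries with their pre-NAT source addresses, and `pfctl -t overlimit -T show` lists the hosts that have been pushed over the limit; `pfctl -t overlimit -T delete 192.168.1.23` releases a host again (the address here is a constructed example). Note that max-src-conn counts only TCP connections that have completed the three-way handshake, so a host opening many half-open connections is caught by max-src-states or max-src-conn-rate rather than by max-src-conn.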