Tag Archive for 'pf'

OpenBSD PF: limit incoming connections per time period

In iptables there is a nice module called hashlimit.

Being in love with OpenBSD and PF, I decided to find if this wonderful firewall has the same feature.

As a minimal example, you can use this rule to allow at most 2 new SSH connections per source address per 60 seconds:

pass in on $ext_if proto tcp from any to any port 22 keep state (max-src-conn-rate 2/60)

Note that you have to use parentheses, even when using just one option (max-src-conn-rate), otherwise you'll get an error while parsing the ruleset.
Keep in mind that one of keep state, modulate state, or synproxy state must be specified explicitly to apply this option to a rule.

For more information read the documentation for pf.conf syntax.
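In practice the rate limit is usually paired with an overload table, so that a source which exceeds the limit is blocked outright instead of just having its extra connections dropped. The following pf.conf fragment is an added example, not code from the original post; the interface macro, the table name and the "flush global" choice are assumptions for the example.

```pf
# Added example (not from the original post): the rate limit above,
# extended with an overload table. A source that opens more than
# 2 new SSH connections in 60 s is added to <ssh_bruteforce> and blocked.
# $ext_if and the table name are assumptions for this example.
ext_if = "em0"

table <ssh_bruteforce> persist

# Drop anything from sources already in the table; "quick" ends rule
# evaluation here, so the pass rule below is never reached for them.
block in quick on $ext_if from <ssh_bruteforce>

# Allow SSH, but track the rate of new connections per source address.
# "flush global" kills all existing states of the offending source
# (not only SSH ones) at the moment it is added to the table.
pass in on $ext_if proto tcp from any to any port 22 \
    keep state (max-src-conn-rate 2/60, overload <ssh_bruteforce> flush global)
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, list the sources currently blocked with `pfctl -t ssh_bruteforce -T show`, and remove one by hand with `pfctl -t ssh_bruteforce -T delete ADDRESS`. Entries never expire on their own; a periodic `pfctl -t ssh_bruteforce -T expire 3600` (for example from cron) drops addresses that have been idle for an hour, which keeps a single mistyped password from locking an administrator out indefinitely.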

OpenBSD: ALTQ bandwidth limit of 4 Gbit/s

It is unlikely you will ever get to try ALTQ on 10-gigabit interfaces, but still, don't forget:

ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb.
This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any
higher, altq will flip back to zero. This “bug” was found when trying
to test 10 gigabit and 40 gigabit bandwidth models. These tests were
done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit.


Changes in pf.conf since OpenBSD 4.7

A handy cheat sheet of what changed in NAT starting with OpenBSD 4.7.

Details here: http://openbsd.org/faq/pf/nat.html

and here: http://home.nuug.no/~peter/pf/en/gwsimplesetup.html
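The core of the change is that the separate translation section (nat, rdr, binat) was removed in 4.7 and replaced by the nat-to, rdr-to and binat-to options on match and pass rules, which live in the same ordered ruleset as the filter rules. The fragment below is an added example, not part of the original post; the interface names and addresses are constructed for illustration.

```pf
# Added example (not from the original post): the same outbound NAT and
# inbound port forward in the pre-4.7 syntax and in the 4.7+ syntax.
# Interface names and addresses are constructed for illustration.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
web    = "192.168.1.10"

# --- OpenBSD 4.6 and earlier: translation rules formed their own section,
#     evaluated before the filter rules, using the "nat" and "rdr" keywords.
#     Kept as comments because pfctl on 4.7+ rejects this syntax.
# nat on $ext_if from $lan to any -> ($ext_if)
# rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web port 80
# pass in on $ext_if proto tcp from any to $web port 80

# --- OpenBSD 4.7 and later: translation is an option on match/pass rules.
#     "match" applies nat-to without deciding pass/block, so the filter
#     decision is left to the ordinary pass/block rules.
match out on $ext_if from $lan to any nat-to ($ext_if)

# A pass rule with rdr-to both forwards and allows the traffic; the filter
# part matches the pre-translation destination, the external address.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web
```

Two consequences worth remembering when converting a ruleset: rules are now evaluated in order with the usual "last matching rule wins" semantics, so a later match rule with nat-to overrides an earlier one, and a pass rule carrying rdr-to needs no second pass rule for the internal host, because the same rule passes the translated connection.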