Connection Rate Limit
I'm trying to limit the maximum connection rate to a web server by entering under Firewall/Rules/Edit:
Max. src. conn. Rate = 10 (per)
Max. src. conn. Rates = 60 (seconds)
Seems to have no effect. Is something else required to make this work?
Just bumping this because I can't figure out why it doesn't work.
Does anyone use this feature? Is it broken?
Without seeing the full set of rules and the full settings on that rule it's hard to say what might have happened here.
That limit would only set a new state count of 10 per 60 seconds on connections from the same host.
So if you have 50 clients connecting they could each make 10 connections per minute (so 500 total). Depending on how you are testing that could be why it appears to not work as you expect.
Also if you're testing in a browser, often times they don't close connections so if you are just refreshing the page that may only be 1-2 connections the whole time.
I've only been testing by watching logs of brute-forcers try to get to my server. In some cases they're hitting it at 2 or 3 per second for extended periods (BF.txt shows only one minute).
There is one NAT rule with a corresponding firewall rule where I set limits
Max.src. conn. Rate = 10 (per)
Max.src. conn. Rates = 60 (seconds)
Those are the only two changes to the automatically-generated rule.
And you're certain the traffic is hitting that rule? What does the rule hit counter show in the firewall rule list?
Thanks for looking at this jimp.
Definitely being hit. (Uptime is a little over a week)
Here's a screenshot:
Output from pfctl -s rules and pfctl -s NAT
block drop in quick from <virusprot>to any label "virusprot overload table" pass in log quick on em1 reply-to (em1 18.104.22.168) inet proto tcp from any to 192.168.11.3 port = http flags S/SA keep state (source-track rule, max-src-states 10, max-src-conn 10, max-src-conn-rate 5/60, overload <virusprot>flush global, tcp.established 3600, src.track 60) label "USER_RULE: NAT HTTP to WebServer" rdr on em1 inet proto tcp from any to [removed public IP] port = http -> 192.168.11.3</virusprot></virusprot>
Anything strange in there?