Netgate Discussion Forum
    Limiting connections per external IP address

    Firewalling
    5 Posts 2 Posters 577 Views

    • ccgllc

      Hi all.

      A few months back I started running a TOR non-exit relay, with the TOR port NATed over to the server that supports it. Works just fine.

      Unfortunately there are those that believe TOR is evil and they have recently started to attack relay nodes with a connection attack, e.g. they flood the IP with connection requests. This shows up on my server as a huge jump in CPU resources, warnings about not having enough CPU to support the number of connections, etc. I could actually live with that, since these attacks are not continuous.

      I have circumstantially experienced other services being disrupted when these attacks happen. We have seen a marked increase in the number of unexpected issues, like Messenger Room connections failing, Netflix "unable to display this title", and similar issues. This is pissing my family off - which is uncool. Everything returns to normal when the attacks stop.

      Wondering if there is something simple I could do within my pfSense firewall to at least limit the attacks at the firewall? Thinking something like limiting the number of concurrent connections from an external IP to 30... or something like that.

      FWIW - I have a pretty straightforward pfSense Plus installation. I use it for NAT handling and DHCP and NTP services on my LAN. The most complicated thing I've done is bridge 3 ethernet ports together to enable usage of more than 1 LAN port. So not a newbie, but hardly an expert.

      Appreciate any suggestions!

      • akuma1x @ccgllc

        @ccgllc If this is a normal WAN rule you have created to allow the traffic into your network, there is an option, under ADVANCED, where you can set a max number of unique source IP addresses. Might be worth a try.

        Maximum number of unique source hosts

        This option specifies how many total source IP addresses may simultaneously connect for this rule. Each source IP address is allowed an unlimited number of connections, but the total number of distinct source IP addresses allowed is restricted to this value.

        https://docs.netgate.com/pfsense/en/latest/firewall/configure.html

        • ccgllc @akuma1x

          @akuma1x Hmmm... that might help if the attacks are real DDoS style ones. It feels more like a machine or three spamming connection requests - just trying to cause problems.

          Is there somewhere I can check to see the number of unique IPs currently connected to me? Would need a count, not a list. It's pretty easy, via "nyx", to know when I'm under attack. If I could see the count, I could tell if such a rule would help or not.

          • akuma1x @ccgllc
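          The two questions above (whether a per-source cap of around 30 would bite, and how to get a count of distinct external IPs currently connected rather than a list) can both be answered from the firewall's own state table. The script below is an added example, not code from this thread, from pfSense, or from Netgate. It parses `pfctl -ss` style output and assumes the inbound state line layout "<interface> <proto> <local addr:port> [(nat addr:port)] <- <remote addr:port> <state>", with "->" marking outbound states and IPv4 addr:port tokens; check that layout against your own `pfctl -ss` before relying on it. The sample state lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or Netgate): size a
# "max unique source hosts" or per-source connection cap from the live
# state table instead of guessing.
#
# Assumed line layout for inbound states (verify against your own pfctl -ss):
#   <if> <proto> <local addr:port> [(nat addr:port)] <- <remote addr:port> <state>
# Outbound states use "->" and are ignored here.

# Constructed sample (not a real capture): one remote with three states to
# port 9001, a second remote with one state, one inbound state to port 22,
# and one unrelated outbound state.
SAMPLE_STATES='igb0 tcp 10.0.0.5:9001 (203.0.113.10:9001) <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
igb0 tcp 10.0.0.5:9001 (203.0.113.10:9001) <- 198.51.100.7:51235       ESTABLISHED:ESTABLISHED
igb0 tcp 10.0.0.5:9001 (203.0.113.10:9001) <- 198.51.100.7:51236       SYN_SENT:CLOSED
igb0 tcp 10.0.0.5:9001 (203.0.113.10:9001) <- 192.0.2.44:4000       ESTABLISHED:ESTABLISHED
igb0 tcp 10.0.0.5:22 (203.0.113.10:22) <- 192.0.2.44:4001       ESTABLISHED:ESTABLISHED
igb0 tcp 203.0.113.10:40000 (10.0.0.5:40000) -> 192.0.2.9:443       ESTABLISHED:ESTABLISHED'

# states_per_source PORT: read state lines on stdin and print "COUNT IP" for
# every remote IP holding inbound states to local PORT, most states first.
states_per_source() {
    awk -v port="$1" '
        # Only inbound states carry "<-"; outbound ("->") lines are skipped.
        $0 !~ / <- / { next }
        {
            # Field 3 is the local "addr:port"; keep only the wanted port.
            split($3, dst, ":")
            if (dst[2] != port) next
            # The token after "<-" is the remote "addr:port"; count per address.
            for (i = 1; i <= NF; i++) if ($i == "<-") { remote = $(i + 1); break }
            split(remote, r, ":")
            seen[r[1]]++
        }
        END { for (ip in seen) print seen[ip], ip }' | sort -rn
}

# count_unique_sources PORT: number of distinct remote IPs with inbound states
# to PORT, i.e. the figure a "max unique source hosts" value would be compared to.
count_unique_sources() {
    states_per_source "$1" | wc -l | tr -d ' '
}

# sources_over_limit PORT LIMIT: how many remote IPs hold more than LIMIT states
# to PORT, i.e. how many sources a per-source cap of LIMIT would actually affect.
sources_over_limit() {
    states_per_source "$1" | awk -v limit="$2" '$1 > limit { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. On a pfSense box, replace the
# printf with the live table:  pfctl -ss | states_per_source 9001
printf '%s\n' "$SAMPLE_STATES" | states_per_source 9001
printf 'unique sources to 9001: %s\n' "$(printf '%s\n' "$SAMPLE_STATES" | count_unique_sources 9001)"
printf 'sources over 2 states:  %s\n' "$(printf '%s\n' "$SAMPLE_STATES" | sources_over_limit 9001 2)"
```

          Run against the live table a few times during an attack and a few times at rest: if the unique-source count barely changes but a handful of addresses hold hundreds of states each, a per-source cap (pfSense exposes pf's max-src-conn and max-src-conn-rate under the same Advanced Options section as the unique-source-hosts limit) is the better fit than a cap on distinct hosts, which would also turn away legitimate relay peers once it trips.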

            @ccgllc said in Limiting connections per external IP address:

            Is there somewhere I can check to see the number of unique IPs currently connected to me? Would need a count, not a list.

            Does your TOR software not tell you a count of connected users? I really don't have any idea if they do or not, I don't use it, sorry.

            • ccgllc @akuma1x

              @akuma1x Yeah... just dug around in nyx and found that. Something is definitely amiss - I see 20K incoming connections but only 3.3K outbound. As a non-exit middle node, they should match - or so I think. Checking in with the TOR community to confirm that.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.