Can ipfw be used to limit concurrent requests from an IP?

Michael Sierchio kudzu at tenebras.com
Tue May 31 22:00:34 UTC 2016


You can use dummynet pipes (and optionally queues) with a mask for this.
You can specify queue size in slots. You can also make use of red/gred (see
the manpage).

I might choose a larger mask than 0xffffffff because a new pipe will be
instantiated for each matching address.

A very simple example:

# dummynet pipe 1: 800 bytes/s, one pipe instance per /18 source block
ipfw pipe 1 config bw 800Byte/s mask src-ip 0xffffc000
# send new inbound ssh connections arriving on $OIF through pipe 1
ipfw add pipe 1 tcp from any to me ssh in recv $OIF setup

- M
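The same pipe-with-mask setup applied to the HTTP case Will asked about, as an added example that is not part of the original thread. The prefix length, bandwidth, queue slots and interface name (OIF) are placeholders to tune; the mask helper shows how the hex value for "mask src-ip" is derived from a prefix length.

```sh
#!/bin/sh
# Added example (not from the original thread): per-source-block rate limit
# for inbound HTTP with ipfw/dummynet. Assumed values: $OIF is the external
# interface; bandwidth, prefix length and queue slots are placeholders.

# prefix_to_mask LEN -> hex netmask for "mask src-ip", e.g. 18 -> 0xffffc000
prefix_to_mask() {
    len=$1
    [ "$len" -ge 0 ] && [ "$len" -le 32 ] || return 1
    # 2^32 - 2^(32-len), printed as 8 hex digits
    printf '0x%08x\n' $(( 4294967296 - (1 << (32 - len)) ))
}

# http_limit_rules PIPE IFACE BW PREFIXLEN SLOTS -> ipfw commands on stdout
http_limit_rules() {
    pipe=$1 iface=$2 bw=$3 plen=$4 slots=$5
    mask=$(prefix_to_mask "$plen") || return 1
    # One dummynet pipe instance is created per distinct masked source
    # address, so a shorter prefix (wider mask) bounds how many instances
    # can exist; "queue N" sets the queue length in slots.
    echo "ipfw pipe $pipe config bw $bw queue $slots mask src-ip $mask"
    # Shape only new inbound TCP connections to the local HTTP port.
    echo "ipfw add pipe $pipe tcp from any to me http in recv $iface setup"
}

# Print the rules; pipe the output to sh on the firewall to apply them.
http_limit_rules 1 "${OIF:-em0}" 800Byte/s 24 20
```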



On Fri, May 27, 2016 at 12:34 PM, Will Squire <will_squire at hotmail.co.uk>
wrote:
>
> Can ipfw limit the number of requests in a given amount of time from a
> specific IP?
>
> To contextualise, if an IP sends requests in high concurrency (let's say
> 50 a second) can ipfw either block requests that exceed a threshold for that
> second (let's say the threshold is 20, 30 would be blocked), or ban/deny the
> given IP for exceeding a threshold?
>
> The aim is to lessen strain under DoS attacks, specifically for HTTP. The
> system is using Apache and mod_evasive has been added and tested, but it is
> not functioning correctly.
>
> (P.S. The freebsd-ipfw list seems to be for development of the technology
> only, so asking this here. Please let me know if this isn't the case)
>
>
> Thanks
>
> Kind regards,
>
> Will Squire
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
