Can ipfw be used to limit concurrent requests from an IP?

Michael Sierchio kudzu at
Tue May 31 22:00:34 UTC 2016

You can use dummynet pipes (and optionally queues) with a mask for this.
You can specify queue size in slots. You can also make use of red/gred (see
the manpage).

I might choose a larger mask than 0xffffffff because a new pipe will be
instantiated for each matching address.

A very simple example:

ipfw pipe 1 config bw 800Byte/s mask src-ip 0xffffc000
ipfw add pipe 1 tcp from any to me ssh in recv $OIF setup

- M

On Fri, May 27, 2016 at 12:34 PM, Will Squire <will_squire at>
> Can ipfw limit the number of requests in a given amount of time from a
> specific IP?
> To contextualise, if an IP sends requests in high concurrency (let's say
> 50 a second) can ipfw either block requests that exceed a threshold for that
> second (let's say the threshold is 20, 30 would be blocked), or ban/deny the
> given IP for exceeding a threshold?
> The aim is to lessen strain under DoS attacks, specifically for HTTP. The
> system is using Apache and mod_evasive has been added and tested, but it is
> not functioning correctly.
> (P.S. The freebsd-ipfw list seems to be for development of the technology
> only, so asking this here. Please let me know if this isn't the case)
> Thanks
> Kind regards,
> Will Squire

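As an added example, not part of the original thread and not Michael's or the FreeBSD project's code: a small POSIX sh script that builds the same dummynet construction for inbound HTTP instead of ssh, with a helper that turns a prefix length into the hex mask that dummynet's "mask src-ip" expects (so /32 gives 0xffffffff, one pipe per address, and /18 gives the 0xffffc000 used above). The interface name em0, rule number 1000, pipe number 10, bandwidth and queue size are assumptions chosen for illustration. Note what this actually enforces: the pipe caps the bytes of connection-setup packets (the "setup" match) per source network, so with roughly 60 bytes per IPv4 SYN, 8Kbit/s (1000 bytes/s) works out to about 16 new connections per second per pipe, with anything beyond the queue's slots dropped rather than buffered. It is a rate cap on new connections, not a ban of the offending address.

```sh
#!/bin/sh
# Added example (not from the original post): per-source rate limiting of
# inbound HTTP connection attempts with ipfw + dummynet.
# Assumed for illustration: interface em0, rule 1000, pipe 10, a kernel
# with dummynet (ipfw_dummynet / options DUMMYNET), and root for DRY_RUN=0.
set -eu

# prefix_to_mask N -> hex netmask for a /N, as "mask src-ip" expects.
#   32 -> 0xffffffff  (one pipe per source address)
#   18 -> 0xffffc000  (one pipe per /18, as in the reply above)
prefix_to_mask() {
    n="$1"
    [ "$n" -ge 0 ] && [ "$n" -le 32 ] || { echo "prefix must be 0..32" >&2; return 1; }
    # keep the top n bits set: 2^32 - 2^(32-n)
    printf '0x%08x\n' $(( 4294967296 - (1 << (32 - n)) ))
}

# emit_rules IFACE PORT BW PREFIX QUEUE -> the ipfw commands, one per line.
# "queue QUEUE" is in slots: once those slots are full, further SYNs from
# that source network are dropped instead of being held indefinitely.
emit_rules() {
    ifc="$1"; port="$2"; bw="$3"; prefix="$4"; queue="$5"
    mask=$(prefix_to_mask "$prefix") || return 1
    cat <<EOF
ipfw pipe 10 config bw $bw queue $queue mask src-ip $mask
ipfw add 1000 pipe 10 tcp from any to me $port in recv $ifc setup
EOF
}

# apply_rules: print the commands (DRY_RUN=1, the default) or run them.
apply_rules() {
    emit_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Stand-alone use:
#   sh ipfw-ratelimit.sh em0 80 8Kbit/s 32 20          (prints the rules)
#   DRY_RUN=0 sh ipfw-ratelimit.sh em0 80 8Kbit/s 32 20 (installs them)
if [ "$#" -eq 5 ]; then
    apply_rules "$@"
fi
```

Before relying on this, check `sysctl net.inet.ip.fw.one_pass`: with the default of 1 a packet that leaves the pipe is accepted, so the rule doubles as the accept rule for those SYNs; with one_pass=0 it re-enters the ruleset after rule 1000 and must still match an allow rule further down. Use a /32 mask while testing and widen it (the "larger mask" Michael mentions, e.g. /24 or /18) only once you have watched `ipfw pipe 10 show` and know how many pipes a real attack would instantiate.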