Jose,

The 'src-limit' counter advances by one for every packet blocked by a rate-limited rule. If you write a pf rule using stateful tracking options to allow connections at a rate of 20 per 60 seconds, then packets arriving faster than this would be blocked. You could then look at the 'src-limit' value in pfctl -si to see how many packets were dropped in this way.

I do not believe packets dropped by a rate-limited rule are logged, as logging a DDOS attack might stress the machine.

Hope this helps.

OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference

On Mon, Mar 24, 2008 at 08:52:50AM -0500, Jose Fragoso wrote:
>Hi,
>
>I searched the FAQ and the man pages (for pf, pf.conf and pfctl.conf),
>but I did not find a definition for the src-limit counter which is
>shown by the command pfctl -si.
>
>With pfctl -sa I saw this:
>
>LIMITS:
>states        hard limit   200000
>src-nodes     hard limit    10000
>frags         hard limit     5000
>tables        hard limit     1000
>table-entries hard limit   200000
>
>So I am guessing that src-limit has something to do with src-nodes.
>Is it a limit of different concurrent source IP addresses for
>connections? I am seeing this counter increase in one of the
>machines I control.
>
>If someone could point out where to find more information about
>this counter, I would appreciate it.
>
>Thanks in advance.
>
>Regards,
>
>Jose.
>
>--
>Want an e-mail address like mine?
>Get a free e-mail account today at www.mail.com!
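A pf.conf fragment of the kind the reply describes, added here as an illustration and not part of the original thread or of Calomel's page. The rate of 20 new connections per 60 seconds follows the reply; the interface group (egress), the table name (<bruteforce>) and the service (ssh) are assumptions chosen for the example.

```conf
# Constructed example: a persistent table that collects source addresses
# which exceed the connection rate.
table <bruteforce> persist

# Drop further traffic from any source already flagged as abusive.
block in quick on egress from <bruteforce>

# Allow new TCP connections to ssh, but no more than 20 new connections
# per source address within any 60 second window.  A source that exceeds
# the rate is added to <bruteforce> and all of its existing states are
# flushed; each packet refused by this tracking limit increments the
# 'src-limit' counter shown by pfctl -si.
pass in on egress proto tcp to port ssh flags S/SA keep state \
    (max-src-conn-rate 20/60, overload <bruteforce> flush global)

# Checking afterwards (as root):
#   pfctl -si                     # 'src-limit' line under 'Counters'
#   pfctl -t bruteforce -T show   # sources that tripped the rate limit
#   pfctl -sS                     # per-source tracking entries (src-nodes)
```

Because the offending packets are not logged, the overload table is the practical way to see which sources hit the limit: the counter tells you how many packets were refused, the table tells you by whom.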