man pf.conf has this in it:
STATEFUL TRACKING OPTIONS
All three of keep state, modulate state and synproxy state support the
following options:

    max _number_
        Limits the number of concurrent states the rule may create. When
        this limit is reached, further packets matching the rule that would
        create state are dropped, until existing states time out.

    no-sync
        Prevent state changes for states created by this rule from appearing
        on the pfsync(4) interface.

    _timeout_ _seconds_
        Changes the timeout values used for states created by this rule.
        For a list of all valid timeout names, see OPTIONS above.

Multiple options can be specified, separated by commas:

    pass in proto tcp from any to any \
        port www flags S/SA keep state \
        (max 100, source-track rule, max-src-nodes 75, \
        max-src-states 3, tcp.established 60, tcp.closing 5)

When the source-track keyword is specified, the number of states per
source IP is tracked.

    source-track rule
        The maximum number of states created by this rule is limited by the
        rule's max-src-nodes and max-src-states options. Only state entries
        created by this particular rule count toward the rule's limits.

    source-track global
        The number of states created by all rules that use this option is
        limited. Each rule can specify different max-src-nodes and
        max-src-states options, however state entries created by any
        participating rule count towards each individual rule's limits.

The following limits can be set:

    max-src-nodes _number_
        Limits the maximum number of source addresses which can
        simultaneously have state table entries.

    max-src-states _number_
        Limits the maximum number of simultaneous state entries that a
        single source address can create with this rule.

For stateful TCP connections, limits on established connections (connections
which have completed the TCP 3-way handshake) can also be enforced per
source IP.

    max-src-conn _number_
        Limits the maximum number of simultaneous TCP connections which
        have completed the 3-way handshake that a single host can make.

    max-src-conn-rate _number_ / _seconds_
        Limit the rate of new connections over a time interval. The
        connection rate is an approximation calculated as a moving average.

Because the 3-way handshake ensures that the source address is not being
spoofed, more aggressive action can be taken based on these limits. With
the overload _table_ state option, source IP addresses which hit either
of the limits on established connections will be added to the named
table. This table can be used in the ruleset to block further activity
from the offending host, redirect it to a tarpit process, or restrict its
bandwidth.

The optional flush keyword kills all states created by the matching rule
which originate from the host which exceeds these limits. The global
modifier to the flush command kills all states originating from the
offending host, regardless of which rule created the state.

For example, the following rules will protect the webserver against hosts
making more than 100 connections in 10 seconds. Any host which connects
faster than this rate will have its address added to the <bad_hosts>
table and have all states originating from it flushed. Any new packets
arriving from this host will be dropped unconditionally by the block
rule.

    block quick from <bad_hosts>
    pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \
        (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
http://www.openbsd.org/cgi-bin/m ... 386&format=html
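Added here as an illustration, not taken from the man page or from pf's own source: a small Python replay of how the per-source limits quoted above (max-src-conn, max-src-conn-rate, overload, flush versus flush global) interact. It assumes a fixed sliding window in place of pf's moving-average approximation, and the hosts, rule names and connection events are constructed.

```python
from collections import defaultdict

def run(events, rule, max_src_conn, rate, flush_global=True):
    """Replay constructed events (t, src, rule_name, conn_id, 'open'|'close')
    against one rule's limits; rate is (limit, window) for max-src-conn-rate.
    Returns (overload_table, surviving_states, blocked_conn_ids)."""
    limit, window = rate
    bad_hosts = set()                  # the <bad_hosts> overload table
    states = {}                        # conn_id -> (src, rule) state entries
    opens = defaultdict(list)          # src -> handshake times (assumed sliding window)
    blocked = []
    for t, src, r, cid, action in sorted(events):
        if src in bad_hosts:           # 'block quick from <bad_hosts>' is evaluated first
            blocked.append(cid)
            continue
        if action == "close":
            states.pop(cid, None)
            continue
        states[cid] = (src, r)
        if r != rule:                  # other rules create states but carry no limits here
            continue
        opens[src] = [x for x in opens[src] if t - x < window] + [t]
        established = sum(1 for v in states.values() if v == (src, rule))
        if established > max_src_conn or len(opens[src]) > limit:
            bad_hosts.add(src)         # overload <bad_hosts>
            if flush_global:           # flush global: every state from this host goes
                states = {c: v for c, v in states.items() if v[0] != src}
            else:                      # plain flush: only this rule's states from it
                states = {c: v for c, v in states.items() if v != (src, rule)}
    return bad_hosts, states, blocked

# Constructed sample: one host bursts five web handshakes in five seconds while
# also holding an ssh state on another rule; a second host behaves normally.
EVENTS = [
    (0, "10.0.0.5", "ssh", "c0", "open"),
    (1, "10.0.0.5", "web", "c1", "open"),
    (2, "10.0.0.5", "web", "c2", "open"),
    (3, "10.0.0.5", "web", "c3", "open"),
    (4, "10.0.0.5", "web", "c4", "open"),
    (5, "10.0.0.5", "web", "c5", "open"),  # fifth handshake inside the 10 s window
    (6, "10.0.0.5", "web", "c6", "open"),  # arrives after the host is in the table
    (7, "10.0.0.9", "web", "c7", "open"),
    (8, "10.0.0.9", "web", "c7", "close"),
]

if __name__ == "__main__":
    # equivalent of 'max-src-conn-rate 4/10, overload <bad_hosts> flush global'
    table, states, blocked = run(EVENTS, "web", max_src_conn=100, rate=(4, 10))
    print("overloaded:", sorted(table), "states left:", states, "blocked:", blocked)
```

Swapping `flush_global=False` shows the difference the man page describes: the host's ssh state created by the other rule survives a plain flush but not a global one.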