a b wrote:
>> You can define a limit per-rule, like this:
>>
>> pass in proto tcp from any to any port 6881:6889 flags S keep state
>> (limit 10)
>
> Hello Darren,
>
> would you please elaborate more on the ####:#### port syntax? Must the
> (limit N) syntax always be combined with a port construct?

The limit is to do with states, not ports.

>> pass in proto tcp from any to any port 6881:6889 flags S keep state
>> pass in proto tcp from any to any port = ssh flags S keep state
>> (limit 10)
>>
>> Will *always allow* up to 10 ssh connections, even if there are 100
>> bittorrent
>> connections.
>
> Wouldn't it be cleaner to increase the size of the state table via an
> IPF directive?

No, because that is a global limit, not a local limit.

Darren
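To make the per-rule versus global distinction concrete, here is a small toy model of state-table accounting (an added illustration, not IPFilter's code or anything from the thread). The `StateTable` class, the rule names `"bittorrent"` and `"ssh"`, and the capacities are constructed for the example; the behaviour it shows is the one Darren describes: a bigger global table only moves the point at which a flood of bittorrent states crowds out ssh, while a per-rule `(limit N)` on the bittorrent rule caps what that rule can consume regardless of table size.

```python
# Toy model of per-rule state limits vs. a global state table (constructed
# example, not ipf's implementation). Names and numbers are illustrative.

class StateTable:
    """Global state table of fixed capacity, plus optional per-rule limits."""

    def __init__(self, capacity, rule_limits=None):
        self.capacity = capacity               # global size (what a tunable would raise)
        self.rule_limits = rule_limits or {}   # rule name -> its "(limit N)" value
        self.per_rule = {}                     # rule name -> states currently held

    def total(self):
        return sum(self.per_rule.values())

    def admit(self, rule):
        """Return True if a new connection matching `rule` gets a state entry."""
        if self.total() >= self.capacity:
            return False                       # table full: every rule is refused
        limit = self.rule_limits.get(rule)
        if limit is not None and self.per_rule.get(rule, 0) >= limit:
            return False                       # this rule's own quota is exhausted
        self.per_rule[rule] = self.per_rule.get(rule, 0) + 1
        return True


def ssh_admitted(capacity, rule_limits, torrent_flood, ssh_attempts):
    """Admit `torrent_flood` bittorrent connections first, then count how many
    of `ssh_attempts` ssh connections still obtain a state entry."""
    table = StateTable(capacity, rule_limits)
    for _ in range(torrent_flood):
        table.admit("bittorrent")
    return sum(table.admit("ssh") for _ in range(ssh_attempts))


if __name__ == "__main__":
    # Global table of 50, no per-rule limits: 100 bittorrent states starve ssh.
    print(ssh_admitted(50, {}, 100, 10))                    # 0
    # Raising the global table to 200 helps only until the flood grows again.
    print(ssh_admitted(200, {}, 100, 10))                   # 10
    print(ssh_admitted(200, {}, 300, 10))                   # 0
    # Per-rule limit of 10 on bittorrent: ssh keeps room even with table of 50.
    print(ssh_admitted(50, {"bittorrent": 10}, 300, 10))    # 10
```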
