Something that I've been putting off forever and ever is providing the means to support host based limits with stateful filtering. Something that would allow you to limit a rule to n state table entries and of those n entries, allow only m per host.
So while I'm just thinking about this, I'm curious for some input on how the syntax should work or what are the useful parameters to input here. For example:

pass in proto tcp all flags S keep state(max-srcs 10; max-per-src 3;)
pass in proto tcp all flags S keep state(max-srcs 10; max-per-src 3/20;)

Whilst I don't know of any uses that are interested in defining a limit on a per-destination basis, I'd rather design the source based limiting in a way to allow for that later, if needed. So there are three important things to capture in this:

- how many addresses are going to be tracked at any one time;
- how many connections those addresses will be allowed to have;
- what netmask to apply to the addresses tracked.

The "max-per-src 3" would imply per-/32 address.

A similar syntax is also required for at least the FTP proxy. So in ipnat.conf, we'd need something like this:

map fxp0 0/0 -> 0/32 proxy port ftp ftp/tcp config(max-clients 10; max-client-data 3/20;)

Thoughts?

Darren
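The three parameters above (how many sources are tracked, how many entries each may hold, and the netmask applied before tracking) can be modelled as a small admission check run when a rule would create a new state entry. The following is an added illustration, not code from the post or from ipfilter; it assumes "max-per-src 3/20" means three entries per source after masking the source address to /20, with /32 as the default when no prefix is given, and all names (src_limit, src_limit_admit, src_limit_release, ip4) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of "keep state(max-srcs N; max-per-src M/P;)":
 *   - at most N distinct source networks (addresses masked to /P) are
 *     tracked at once;
 *   - each tracked network may account for at most M state entries.
 * Standalone illustration; not the ipfilter implementation. */

#define MAX_TRACKED 64            /* hard cap on tracked networks in this model */

struct src_slot {
    uint32_t net;                 /* source address masked to the prefix */
    unsigned count;               /* live state entries charged to this net */
};

struct src_limit {
    unsigned max_srcs;            /* max-srcs: distinct networks tracked */
    unsigned max_per_src;         /* max-per-src: entries allowed per network */
    unsigned prefix;              /* netmask length applied, 32 = per host */
    unsigned nslots;              /* networks currently tracked */
    struct src_slot slots[MAX_TRACKED];
};

static uint32_t prefix_mask(unsigned prefix)
{
    if (prefix == 0)
        return 0;
    if (prefix >= 32)
        return 0xffffffffu;
    return 0xffffffffu << (32 - prefix);
}

void src_limit_init(struct src_limit *l, unsigned max_srcs,
                    unsigned max_per_src, unsigned prefix)
{
    memset(l, 0, sizeof *l);
    l->max_srcs = max_srcs > MAX_TRACKED ? MAX_TRACKED : max_srcs;
    l->max_per_src = max_per_src;
    l->prefix = prefix;
}

static struct src_slot *find_slot(struct src_limit *l, uint32_t net)
{
    for (unsigned i = 0; i < l->nslots; i++)
        if (l->slots[i].net == net)
            return &l->slots[i];
    return NULL;
}

/* Called when a packet from src would create a new state entry.
 * Returns 1 and charges the entry to the source network, or 0 if either
 * the per-source limit or the tracked-source limit would be exceeded. */
int src_limit_admit(struct src_limit *l, uint32_t src)
{
    uint32_t net = src & prefix_mask(l->prefix);
    struct src_slot *s = find_slot(l, net);

    if (s == NULL) {
        if (l->nslots >= l->max_srcs)
            return 0;             /* no room to track another source */
        s = &l->slots[l->nslots++];
        s->net = net;
        s->count = 0;
    }
    if (s->count >= l->max_per_src)
        return 0;                 /* this source is at its limit */
    s->count++;
    return 1;
}

/* Called when a state entry for src expires. Frees the tracking slot once
 * its last entry is gone so that a different source can be tracked. */
void src_limit_release(struct src_limit *l, uint32_t src)
{
    uint32_t net = src & prefix_mask(l->prefix);
    struct src_slot *s = find_slot(l, net);

    if (s == NULL || s->count == 0)
        return;
    if (--s->count == 0)
        *s = l->slots[--l->nslots];   /* swap the last slot into the hole */
}

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (uint32_t)a << 24 | b << 16 | c << 8 | d;
}

int main(void)
{
    struct src_limit l;

    /* constructed sample: max-srcs 2; max-per-src 3/20 */
    src_limit_init(&l, 2, 3, 20);
    printf("10.1.2.3  -> %d\n", src_limit_admit(&l, ip4(10, 1, 2, 3)));
    printf("10.1.4.5  -> %d\n", src_limit_admit(&l, ip4(10, 1, 4, 5)));
    printf("10.1.9.9  -> %d\n", src_limit_admit(&l, ip4(10, 1, 9, 9)));
    printf("10.1.15.1 -> %d (same /20, over limit)\n",
           src_limit_admit(&l, ip4(10, 1, 15, 1)));
    printf("10.1.16.1 -> %d (different /20)\n",
           src_limit_admit(&l, ip4(10, 1, 16, 1)));
    printf("192.0.2.1 -> %d (third source, max-srcs 2)\n",
           src_limit_admit(&l, ip4(192, 0, 2, 1)));
    return 0;
}
```

Note that the slot for a network is only freed when its last state entry expires; in a real filter the release would be driven by the state table's own expiry, and the per-destination variant mentioned above would be the same structure keyed on the destination address instead.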
