Hi,
We are thinking about limiting the number of connections that can be
open per IP address. We want to avoid getting hammered on a web service
that is used by some clients. We've discovered that they sometimes open
as many HTTP connections as they can to perform HTTP queries. We
will ask them to change their application to limit the number of
concurrent queries, but we're looking for a way to limit the abusers on
our side as well. We guess that we can do that on the web server side,
but I think that pfSense may be of help.
In our situation, since they are mostly "legitimate" queries, I don't
think that there would be a difference between using the Maximum number
of established connections or Maximum number of state entries.
I have two questions:
I think that when an IP address hits the limit, the packets are dropped
by the default rule, right?
I did some testing and it looks like the TCP connection is not really
closed as soon as the HTTP query is complete, so even if an application
sends us queries in serial mode (one HTTP query at a time), many
queries would get blocked if I set the Maximum number of established
connections per host to 1. My goal is not to set that to 1, but I just
want to illustrate the fact that if I tell the client to limit the number of
concurrent HTTP queries to 100, for example, I can't simply set the
parameter to 100. According to my tests, 50 threads can get the
connection count to around 4000.
Any input would be appreciated.
Thanks,
Ugo
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
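The following is an added worked example (not part of Ugo's post or of pfSense) that models why the per-host counter grows far beyond the number of concurrent client threads. It assumes that pf keeps counting a connection against the source host until the state is expired, not at the moment the client closes it (which is what the observation in the post suggests), and it uses pf's default tcp.finwait timeout of 45 seconds as the linger time; the 0.5 s request time, the 50-thread client and the 60 s run length are constructed sample parameters, and every function name here is hypothetical. Under those assumptions each serial thread that opens a fresh connection per request holds ceil((request_time + linger) / request_time) states at once, and 50 such threads reach 4550 states, which is the same order as the roughly 4000 measured in the post; the same 50 threads on persistent (keep-alive) connections hold only 50.

```python
"""Model of how many pf states a single client IP can hold at once.

Constructed example: pf creates one state per TCP connection and does not
free it the instant the connection closes; the state lingers for a timeout
(assumed here to be pf's default tcp.finwait of 45 s).  A client that opens a
new connection per request therefore holds many more states than it has
concurrent requests, so a "100 concurrent queries" promise from the client
does not translate into a per-host limit of 100.
"""
import math
from typing import List, Tuple

PF_DEFAULT_FINWAIT = 45.0  # seconds; pf's default tcp.finwait timeout


def state_intervals(threads: int, request_time: float, linger: float,
                    duration: float, keepalive: bool) -> List[Tuple[float, float]]:
    """Return half-open [start, end) intervals during which a pf state exists.

    threads:      client threads, each issuing requests strictly one at a time
    request_time: seconds one request keeps the connection busy
    linger:       seconds pf keeps the state after the connection is closed
    duration:     length of the simulated run in seconds
    keepalive:    True  -> each thread reuses one persistent connection
                  False -> each request opens and closes its own connection
    """
    intervals: List[Tuple[float, float]] = []
    if keepalive:
        # One connection per thread for the whole run; the state lingers
        # once more after the final close.
        return [(0.0, duration + linger) for _ in range(threads)]
    for _ in range(threads):
        t = 0.0
        while t < duration:
            # The state appears at connection open and is removed `linger`
            # seconds after the request finishes and the connection closes.
            intervals.append((t, t + request_time + linger))
            t += request_time
    return intervals


def peak_concurrent(intervals: List[Tuple[float, float]]) -> int:
    """Sweep line: the largest number of intervals open at the same instant."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    # At equal timestamps apply removals before additions, because the
    # intervals are half-open: a state ending at t is gone at t.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def states_per_thread(request_time: float, linger: float) -> int:
    """Closed form for the connection-per-request case: states one serial
    thread holds at once in steady state."""
    return math.ceil((request_time + linger) / request_time)


def required_limit(concurrency: int, request_time: float, linger: float) -> int:
    """Per-host limit needed so that a well-behaved client with `concurrency`
    serial workers (no keep-alive) is never blocked by the counter."""
    return concurrency * states_per_thread(request_time, linger)


if __name__ == "__main__":
    threads, req, run = 50, 0.5, 60.0
    no_ka = peak_concurrent(state_intervals(threads, req, PF_DEFAULT_FINWAIT, run, False))
    ka = peak_concurrent(state_intervals(threads, req, PF_DEFAULT_FINWAIT, run, True))
    print(f"{threads} threads, new connection per request: peak states = {no_ka}")
    print(f"{threads} threads, keep-alive connections:      peak states = {ka}")
    print(f"limit needed for 100 serial workers without keep-alive: "
          f"{required_limit(100, req, PF_DEFAULT_FINWAIT)}")
```

Two practical consequences follow from the model: a per-host limit has to be sized from the states a client actually holds (its concurrency times the number of lingering states per worker), and the two knobs that shrink that number are on different sides of the firewall: the client using persistent connections, or pf expiring closed states sooner.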