Mikkel Bang <facebookman...@gmail.com> writes:

> Turns out this (http://home.nuug.no/~peter/pf/en/long-firewall.html) bans
> any IP connecting from mobile devices:

Well, that document says a lot of other stuff too, so please be more specific.

> pass in on $ext_if inet proto tcp from any to any port 80 keep state
> (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush
> global)
>
> Works fine when connecting from regular PCs though. Why is that? Do mobile
> devices connect differently somehow?

Somehow your mobiles hit either the fifteen new connections per five
seconds max (that's only three new connections per second) or the 100
simultaneous connections.  Impossible to say which one without studying
the actual session data via tcpdump. Unless the back end is too brittle,
consider loosening the rate limiting or discarding it altogether.

You could try temporarily removing either the max-src-conn or the
max-src-conn-rate setting to see which one trips up the mobiles.

Possibly relevant question: do all clients receive the same content, or
is there a separate version you serve to mobile clients?

- P

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
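To make the "which limit trips" question above concrete, here is an added Python example (not from the thread, and not pf's own code) that replays constructed session data against the two limits in the quoted rule; the addresses and timings are made up, and pf's kernel-side moving-average rate is approximated with a sliding window.

```python
"""Approximate the two limits in the quoted pf rule over observed sessions
to see which one a given client would trip. Added example: pf's real
bookkeeping (a moving-average rate in the kernel's source-tracking table)
is only approximated here with a sliding window."""
from collections import defaultdict

MAX_SRC_CONN = 100                # max-src-conn 100
RATE_COUNT, RATE_SECONDS = 15, 5  # max-src-conn-rate 15/5

# Constructed session data, the kind of thing a tcpdump capture reduces to:
# (source IP, start, end) in seconds since capture start.
SESSIONS = (
    # 20 short connections, one every 0.25 s: bursty, low concurrency
    [("198.51.100.7", 0.25 * i, 0.25 * i + 0.5) for i in range(20)]
    # 8 connections spread over 10 s: trips nothing
    + [("198.51.100.8", 1.5 * i, 1.5 * i + 3.0) for i in range(8)]
    # 120 long-lived connections, one per second: slow rate, high concurrency
    + [("198.51.100.9", 1.0 * i, 1.0 * i + 200.0) for i in range(120)]
)


def rate_limit_hit_at(starts, count=RATE_COUNT, seconds=RATE_SECONDS):
    """First start time at which more than `count` new connections fall
    inside any `seconds`-wide window ending there, or None."""
    starts = sorted(starts)
    for i, t in enumerate(starts):
        if sum(1 for s in starts[: i + 1] if t - s < seconds) > count:
            return t
    return None


def concurrent_peak(sessions):
    """Peak number of simultaneously open connections (the max-src-conn side)."""
    events = sorted([(s, 1) for s, _ in sessions] + [(e, -1) for _, e in sessions])
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def evaluate(sessions=SESSIONS):
    """Per source IP: when (if ever) the rate limit trips, the concurrency
    peak, and whether the rule would push the address into <bruteforce>."""
    by_src = defaultdict(list)
    for src, start, end in sessions:
        by_src[src].append((start, end))
    report = {}
    for src, conns in by_src.items():
        rate_at = rate_limit_hit_at([s for s, _ in conns])
        peak = concurrent_peak(conns)
        report[src] = {"rate_limit_at": rate_at, "peak_concurrent": peak,
                       "overloaded": rate_at is not None or peak > MAX_SRC_CONN}
    return report


if __name__ == "__main__":
    for src, r in evaluate().items():
        print(src, r)
```

Feeding it real start/end times reduced from a tcpdump capture of the mobile clients shows whether they are bursting past 15 new connections in 5 seconds or holding more than 100 open at once, which is what decides whether to relax the rate or the concurrency setting.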