PF af-to and connection limits

The pf config for my webserver transforms IPv4 traffic like this:

Code:
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port {80, 443} af-to inet6 from $bastille_ip6 to $webjail_ip6
pass quick on {$ext_if, $jail_if} inet6 proto tcp from any to $webjail_ip6 port {80, 443}

I want to add connection limits (max-src-conn and max-src-conn-rate) to block aggressive crawlers, but this will block $bastille_ip6 (as the source address for all transformed IPv4 connections) pretty quickly if the limit is defined for the IPv6 rule. Would something like this work?

Code:
table <bruteforce> persist

block quick from <bruteforce>
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port {80, 443} af-to inet6 from $bastille_ip6 to $webjail_ip6  keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick on {$ext_if, $jail_if} inet6 proto tcp from $bastille_ip6 to $webjail_ip6 port {80, 443}
pass quick on {$ext_if, $jail_if} inet6 proto tcp from !$bastille_ip6 to $webjail_ip6 port {80, 443} keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
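A fuller layout of the rule set sketched above, as an added example that is not from the original post. Interface names and addresses are made-up placeholders. It assumes that pf keys max-src-conn and max-src-conn-rate on the packet's source address as seen when the state is created, so that on the af-to rule the counter belongs to the original IPv4 client rather than to $bastille_ip6; that assumption is the thing to confirm on the live box.

```pf
# Added example (not the poster's config). Names/addresses are placeholders.
ext_if      = "em0"
jail_if     = "lo1"
bastille_ip6 = "fd00::1"      # source used for translated IPv4 traffic
webjail_ip6  = "fd00::80"     # the web jail

# Overloaded sources end up here: IPv4 clients from the af-to rule,
# native IPv6 clients from the inet6 rule. The table holds both families.
table <bruteforce> persist

block quick from <bruteforce>

# IPv4 -> IPv6 translation. Assumption: source tracking here is keyed on the
# pre-translation IPv4 client, so each crawler gets its own counter and
# $bastille_ip6 never enters <bruteforce>.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port {80, 443} \
    af-to inet6 from $bastille_ip6 to $webjail_ip6 \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
                overload <bruteforce> flush global)

# Translated traffic arrives with source $bastille_ip6: no per-source limit
# on this leg, otherwise every IPv4 client would share a single counter.
pass quick on {$ext_if, $jail_if} inet6 proto tcp from $bastille_ip6 \
    to $webjail_ip6 port {80, 443}

# Native IPv6 clients are limited individually, as before.
pass quick on {$ext_if, $jail_if} inet6 proto tcp from ! $bastille_ip6 \
    to $webjail_ip6 port {80, 443} \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
                overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. After some IPv4 traffic, `pfctl -s sources` shows which address the source-tracking entries are keyed on (it should list client IPv4 addresses, not $bastille_ip6), and `pfctl -t bruteforce -T show` lists whatever has been overloaded so far.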