I'm following this guide to set up OpenBSD Packet Filter rules on my FreeBSD 8.0 system:
http://www.openbsd.org/faq/pf/filter.html
My goal is to limit the number of concurrent TCP connections from any given IP address to my webserver to 10 connections. I started with the following rules in my /etc/pf.conf, which worked fairly well (but I will describe the problem later):
Code:
# external interface
ext_if = "em0"
# allow inbound HTTP, track the state per source address and cap
# each source at 10 concurrent connections
pass in on $ext_if proto tcp from any to any port = http flags S/SA \
    keep state (source-track rule, max-src-conn 10)
When I load these rules and try to connect 100 TCP sockets to my webserver, the webserver (httpd) still spawns 100 child processes to handle the 100 incoming TCP connections. Also, during the few seconds that the 100 connections are made, I ran "pfctl -s state" to check out the PF state table. This is what I got:
Code:
all tcp 64.156.193.115:80 <- 64.156.192.169:62709 ESTABLISHED:ESTABLISHED
...
<10 lines of ESTABLISHED>
...
all tcp 64.156.193.115:80 <- 64.156.192.169:56010 ESTABLISHED:ESTABLISHED
all tcp 64.156.193.115:80 <- 64.156.192.169:55621 CLOSED:CLOSED
...
<very many lines of CLOSED>
all tcp 64.156.193.115:80 <- 64.156.192.169:55621 CLOSED:CLOSED
Apparently (and this is my guess), PF closed the connections once the 3-way handshake was made. However, since the 3-way handshake was made, Apache did spawn child processes to handle these requests. Now that is the very thing I'm trying to avoid - I don't want Apache to spawn more than 10 child processes for any given IP address that it's handling.
OK, so my next step is to try to use PF's TCP SYN Proxy. Sounds reasonable, right? This way, PF will do the handshake itself without passing the SYN packet to the Apache webserver (delay the handshake with Apache until later). In order to just try out the SYN proxy without trying to limit the connections from one IP address to 10, I wrote a simple pf.conf ruleset like so:
Code:
# external interface
ext_if = "em0"
# let PF complete the three-way handshake itself before opening
# a connection to the webserver
pass in on $ext_if proto tcp from any to any port = http flags S/SA \
    synproxy state
Now, when I load this ruleset and attempt a single TCP connection to the webserver, I get this in the output of my "pfctl -s state" command:
Code:
all tcp 64.156.193.115:80 <- 99.50.206.241:37880 PROXY:DST
The person trying to connect via TCP to the webserver just waits forever.
I believe that the overall correct approach to what I'm trying to do is to get synproxy to work, and then use the max-src-conn syntax to only allow 10 concurrent connections per IP address. Am I correct?
How do I get synproxy to work? Should I ask about this on the OpenBSD forums since Packet Filter is from OpenBSD? Where else can I ask about this?
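As an added example (not part of the post above), here is a small sh/awk script that reads "pfctl -s state" output in the format shown in the post and reports which source addresses currently hold more fully established inbound TCP states than a given limit, which is a quick way to confirm whether a max-src-conn rule is actually holding the line at 10. The sample state table embedded in it is constructed, and the field layout it assumes is the six-column one seen above.

```shell
#!/bin/sh
# Added example: count per-source ESTABLISHED states in `pfctl -s state`
# output and report sources above a limit. Assumed line format (from the post):
#   all tcp <dst>:<port> <- <src>:<port> ESTABLISHED:ESTABLISHED

# Print "src_ip count" for every inbound (<-) fully established TCP state.
established_per_src() {
    awk '$2 == "tcp" && $4 == "<-" && $6 == "ESTABLISHED:ESTABLISHED" {
             split($5, a, ":")      # strip the source port
             n[a[1]]++
         }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# Print only the source IPs whose established-connection count exceeds $1.
over_limit() {
    limit="$1"
    established_per_src | awk -v lim="$limit" '$2 > lim { print $1 }'
}

# Constructed sample state table (not captured from the poster's system).
SAMPLE='all tcp 64.156.193.115:80 <- 64.156.192.169:62709 ESTABLISHED:ESTABLISHED
all tcp 64.156.193.115:80 <- 64.156.192.169:62710 ESTABLISHED:ESTABLISHED
all tcp 64.156.193.115:80 <- 64.156.192.169:62711 ESTABLISHED:ESTABLISHED
all tcp 64.156.193.115:80 <- 64.156.192.169:55621 CLOSED:CLOSED
all tcp 64.156.193.115:80 <- 99.50.206.241:37880 PROXY:DST
all tcp 64.156.193.115:80 <- 192.0.2.7:40001 ESTABLISHED:ESTABLISHED'

# Demo on the sample with a limit of 2 (CLOSED and PROXY states are ignored).
# On a live box: pfctl -s state | over_limit 10
printf '%s\n' "$SAMPLE" | over_limit 2
```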