OK, I am trying to get an effective rate limit in place for Apache and other services.
PF has, as many know, a rate limit feature that on paper is very useful.
max-src-conn
and
max-src-conn-rate
If it worked like iptables (which works very well) it would only class established connections as connected. But it seems it also counts all TIME_WAIT and FIN_WAIT as well. So what does this mean in practice?
Well, e.g. I can set max-src-conn to 40 and load my website with IE (a very popular browser), which defaults to a max of 12 connections on HTTP 1.0 and 6 on HTTP 1.1; by default HTTP 1.1 is enabled for direct connections and 1.0 is used for proxy connections.
On my IE browser HTTP 1.1 is disabled as I use a proxy.
When I load my website, which has the main page + 9 images, only 4 images load and the rest time out; on checking my states in pf with pfctl -ss there are about 30-40 in TIME_WAIT.
I found that to view my website with 9 images in HTTP 1.0 I had to set the limit to 120. So for a single load of my site I had to set the limit to over 10x the number of images and to 10x the limit of my connections in the browser. When using HTTP 1.1 I was, however, able to load the site fine and I only saw ESTABLISHED and CLOSED states in PF.
This behaviour does not change between keep state and synproxy state.
I have read in numerous places on the internet of people using low values like 15/1, 40, 25/3 and so on; all of these in production use would cause all sorts of problems because of the problem I described above. Only one hit on Google found a person who discovered the same problem, another person on this forum. So either people are accepting there will be usability issues on their sites, have found another solution but not published it, or have stopped using max-src-conn with these published settings.
I am fairly convinced the solution is to make max-src-conn not count states after they leave the established state, but I believe that is not something I can do in configuration; it requires a change in how pf operates. I would love for someone to come out and say no, it can be done in configuration. I am also considering setting all of the following to just 1 sec.
tcp.closing
tcp.finwait
tcp.closed
interval
However, I am fairly sure this would cause other problems.
Any thoughts?
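As an added example (not from the original post), a POSIX shell helper that reads `pfctl -ss` output and shows, per source address, how many states are ESTABLISHED versus already closing, so you can see what max-src-conn is really counting. The sample states are constructed, and the line shape assumed is the usual `all tcp dst <- src STATE:STATE`.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output (not captured from a real host):
# one HTTP/1.0 client leaves 4 established states and 38 TIME_WAIT states
# after a single page load; two other clients have one state each.
sample_states() {
  i=1
  while [ "$i" -le 4 ]; do
    printf 'all tcp 192.0.2.10:80 <- 198.51.100.5:5%04d       ESTABLISHED:ESTABLISHED\n' "$i"
    i=$((i + 1))
  done
  while [ "$i" -le 42 ]; do
    printf 'all tcp 192.0.2.10:80 <- 198.51.100.5:5%04d       TIME_WAIT:TIME_WAIT\n' "$i"
    i=$((i + 1))
  done
  printf 'all tcp 192.0.2.10:80 <- 203.0.113.7:40001       ESTABLISHED:ESTABLISHED\n'
  printf 'all tcp 2001:db8::10[80] <- 2001:db8::7[40002]       FIN_WAIT_2:FIN_WAIT_2\n'
}

# Read `pfctl -ss` lines on stdin; print "<src> <established> <other> <total>"
# per source address. max-src-conn counts <total>; a limit that only looked
# at established connections would see <established>.
state_summary() {
  awk '
    $2 == "tcp" {
      src = ($4 == "<-") ? $5 : $3       # inbound states print "dst <- src"
      sub(/:[0-9]+$/, "", src)           # strip IPv4 port
      sub(/\[[0-9]+\]$/, "", src)        # strip IPv6 port
      total[src]++
      if ($NF == "ESTABLISHED:ESTABLISHED") est[src]++; else other[src]++
    }
    END { for (s in total) printf "%s %d %d %d\n", s, est[s], other[s], total[s] }
  ' | sort
}

# Sources that would trip max-src-conn LIMIT on total tracked states even
# though their established connections alone stay below it.
tripped_by_closing_states() {
  state_summary | awk -v lim="$1" '$4 >= lim && $2 < lim { print $1 }'
}

# On a live host:  pfctl -ss | tripped_by_closing_states 40
sample_states | state_summary
sample_states | tripped_by_closing_states 40
```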