UDP blocking with rate limits

Hi,

I know PF max-src-conn, max-src-conn-rate and such options are used only for TCP, because UDP is vulnerable to IP spoofing. Knowing this, however, I want to limit UDP traffic according to source IP. For example, a single IP should be able to send 200 UDP pps to a single IP target.
Is there any method for this in FreeBSD world, pf, ipf, ipfw etc.?

Regards,
 
Hi,

Do we have this feature? I want to limit the client also. For example, I want to limit to "10 ping packets per second".

Regards,
Santo Saka
 
Sorry to disappoint you, but the firewall doesn't have the feature you want. I met this requirement once, but I was using Linux last time, so it was quite easy to have this feature. By the way, does anyone want this feature on IPFW?
 
It seems someone asked for this same feature in 2003, and we still don't have it! Check the link below.
http://lists.freebsd.org/pipermail/free ... 00074.html

So now I propose two ways to implement this feature, and they are going to be

1. implement a new action named `pps`, short for `packets per second`, with usage as below
Code:
ipfw add pps 1 icmp from any to any
It means `allow 1 icmp packet per second` via this rule; otherwise the packet will be dropped.

2. as luigi said, implement it in the dummynet way.
Code:
ipfw pipe 1 config pps 2
ipfw add pipe 1 icmp from any to any
That means pipe 1 will allow 2 packets per second, and the ipfw rule will invoke the pipe as a result.

So which is better?
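Both proposals above, and the "200 UDP pps from one source to one target" and "10 ping packets per second" requests earlier in the thread, describe the same mechanism: a token bucket keyed on the (source IP, destination IP) pair, refilled at the configured packets-per-second rate. The script below is an added worked example of that mechanism, not code from this thread, from ipfw or from pf. It uses integer microseconds and micro-tokens so the accounting is exact, and runs the limiter over a constructed packet trace; the packet tuple layout, IP addresses and class names are assumptions of the example.

```python
"""Per-source packet-per-second limiter (token bucket) over a constructed trace.

Added example: the flow key, packet tuple layout and addresses below are
assumptions of this demo, not anything ipfw, dummynet or pf emit or accept.
"""
from typing import Dict, List, Optional, Tuple

MICRO = 1_000_000  # one whole token (= one packet) expressed in micro-tokens

# (timestamp in microseconds, protocol, source IP, destination IP)
Packet = Tuple[int, str, str, str]


class PerSourcePpsLimiter:
    """Token bucket per (src, dst) flow: refill `pps` tokens per second, hold at most `burst`."""

    def __init__(self, pps: int, burst: Optional[int] = None) -> None:
        self.pps = pps
        # Default burst equals one second's allowance, i.e. "N packets per second".
        self.capacity = (burst if burst is not None else pps) * MICRO
        # flow key -> (micro-tokens available, timestamp of last update in microseconds)
        self._buckets: Dict[Tuple[str, str], Tuple[int, int]] = {}

    def allow(self, src: str, dst: str, now_us: int) -> bool:
        key = (src, dst)
        tokens, last_us = self._buckets.get(key, (self.capacity, now_us))
        # Refill in proportion to elapsed time. Clamp elapsed time at zero so an
        # out-of-order timestamp cannot mint tokens, and cap at the burst size.
        elapsed_us = max(0, now_us - last_us)
        tokens = min(self.capacity, tokens + elapsed_us * self.pps)
        newest_us = max(last_us, now_us)
        if tokens >= MICRO:
            self._buckets[key] = (tokens - MICRO, newest_us)
            return True
        # Over the limit: drop the packet but keep the partial refill, so the
        # configured rate is honoured across a run of drops.
        self._buckets[key] = (tokens, newest_us)
        return False


def filter_trace(trace: List[Packet],
                 limits: Dict[str, PerSourcePpsLimiter]) -> Dict[str, Dict[str, int]]:
    """Apply the limiter configured for each protocol; return pass/drop counts per source IP."""
    stats: Dict[str, Dict[str, int]] = {}
    for ts_us, proto, src, dst in trace:
        limiter = limits.get(proto)
        # Protocols without a limiter (TCP here, which pf already covers with
        # max-src-conn-rate) pass untouched.
        verdict = "pass" if limiter is None or limiter.allow(src, dst, ts_us) else "drop"
        per_src = stats.setdefault(src, {"pass": 0, "drop": 0})
        per_src[verdict] += 1
    return stats


def build_trace() -> List[Packet]:
    """Constructed sample traffic (not captured data)."""
    t: List[Packet] = []
    # A 500-packet UDP burst from one source in a single instant, far over 200 pps.
    t += [(0, "udp", "192.0.2.10", "198.51.100.5")] * 500
    # A second source sending 50 UDP packets at the same instant: it has its own bucket.
    t += [(0, "udp", "192.0.2.20", "198.51.100.5")] * 50
    # The first source again half a second later: only 100 tokens have refilled.
    t += [(500_000, "udp", "192.0.2.10", "198.51.100.5")] * 150
    # 25 pings at once from the first source against a 10 pps ICMP allowance.
    t += [(0, "icmp", "192.0.2.10", "198.51.100.5")] * 25
    # TCP is not rate-limited by this demo at all.
    t += [(0, "tcp", "192.0.2.10", "198.51.100.5")] * 5
    return t


def run_demo() -> Dict[str, Dict[str, int]]:
    """Run the constructed trace through a 200 pps UDP and a 10 pps ICMP limiter."""
    limits = {
        "udp": PerSourcePpsLimiter(pps=200),   # 200 UDP packets per second per (src, dst)
        "icmp": PerSourcePpsLimiter(pps=10),   # 10 ping packets per second per (src, dst)
    }
    return filter_trace(build_trace(), limits)


if __name__ == "__main__":
    for src, counts in run_demo().items():
        print(f"{src}: passed {counts['pass']}, dropped {counts['drop']}")
```

With the default burst equal to the rate, the first source gets exactly 200 of its 500-packet UDP burst through, 100 of the 150 packets it sends half a second later, and 10 of its 25 pings, while the second source's 50 packets all pass because the bucket is per source and destination pair. A spoofed source address still only ever consumes its own bucket, which is why per-source limits like this bound the damage from any one address without stopping a flood that rotates through many forged addresses; the limiter must also be stateless enough (bounded table size, expiry of idle keys) that tracking many forged sources does not itself become the problem.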
 