IPfilter

Re: Limit number of outgoing connections

To: Toomas Aas <toomas.aas@raad.tartu.ee>
Subject: Re: Limit number of outgoing connections
From: Darren Reed <darrenr@reed.wattle.id.au>
Date: Fri, 22 Dec 2006 23:29:28 +1100
Cc: ipfilter@coombs.anu.edu.au
In-reply-to: <458AC9DB.5020605@raad.tartu.ee>
References: <458AC9DB.5020605@raad.tartu.ee>
Reply-to: darrenr@reed.wattle.id.au
Sender: owner-ipfilter@coombs.anu.edu.au
User-agent: Thunderbird 1.5.0.5 (Windows/20060719)
Toomas Aas wrote:
> Hello!
>
> I have an internal network behind a gateway running ipfilter/ipnat. Is
> it possible to limit the number of simultaneous outgoing connections
> per internal client? For example, if some client runs something like
> eMule or bittorrent it creates a lot of outgoing connections which are
> passed by a 'keep state' filter rule, and I'm afraid it fills up the
> state table.

You can define a limit per-rule, like this:

pass in proto tcp from any to any port 6881:6889 flags S keep state (limit 10)
pass out proto tcp from any to any port 6881:6889 flags S keep state (limit 10)

To limit inbound and outbound bittorrent connections to 10 each.
You can also over-commit with rules, so that if your state table had a
max size of 100 but you had a rule like this:

pass in proto tcp from any to any port 6881:6889 flags S keep state
pass in proto tcp from any to any port = ssh flags S keep state (limit 10)

it will *always allow* up to 10 ssh connections, even if there are 100
bittorrent connections.

Darren
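As an added illustration (not part of the exchange above, and not taken from the ipfilter documentation), the ipf.conf fragment below applies the per-rule `keep state (limit N)` shown in the reply to the original question of limiting individual internal clients. The rules are matched on the gateway's internal interface as each client's packets enter it, so a rule can name the client's own address. The interface name (em0), the internal network (192.168.1.0/24), the host addresses and the limit values are all assumptions chosen for the example.

```ipf
# Added example, not from the original thread. em0, 192.168.1.0/24 and the
# host addresses are assumed; adjust to the real topology.

# One rule per client: each rule has its own state allowance, so a single
# eMule/bittorrent client can hold at most 10 state entries through it.
pass in quick on em0 proto tcp from 192.168.1.10 to any port 6881:6889 flags S keep state (limit 10)
pass in quick on em0 proto tcp from 192.168.1.11 to any port 6881:6889 flags S keep state (limit 10)

# Catch-all for the rest of the internal network on the same ports, with a
# larger shared allowance.
pass in quick on em0 proto tcp from 192.168.1.0/24 to any port 6881:6889 flags S keep state (limit 50)

# Because limits are per rule, ssh keeps its own 10 entries no matter how
# full the file-sharing rules' quotas are (the over-commit point above).
pass in quick on em0 proto tcp from 192.168.1.0/24 to any port = ssh flags S keep state (limit 10)

# Everything else from the inside still gets state, but no cap.
pass in quick on em0 proto tcp from 192.168.1.0/24 to any flags S keep state
```

After loading the rules (for example `ipf -Fa -f /etc/ipf.conf`), `ipfstat -io` lists the active rules with their hit counts and `ipfstat -s` reports state-table statistics, which is the place to confirm that a client's connection attempts beyond its limit are no longer creating state.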

