Hi
To reduce the impact of possible future DoS attacks, I want to make use of max-src-conn and max-src-conn-rate to limit a single IP address from creating unlimited TCP states, as well as limit how fast new TCP sessions can be created.
:: pf.conf ::

IFEXT = "igb0"
MAXSRCCONN = "50"          # 50 connections per source IP
MAXSRCCONNRATE = "5/5"     # 5 new syns per 5 secs
IP4 = "a.b.c.d"
IP6 = "aaaa:bbbb:cccc:dddd::eeee"
ORPORT = "9001"

table <blockORPORT> persist

# overload only adds the source address to the table; a block rule has to
# reference the table for listed sources to actually be refused
block in quick on $IFEXT proto tcp from <blockORPORT> to any port $ORPORT

pass in on $IFEXT inet proto tcp from any to $IP4 port $ORPORT \
    flags S/SA modulate state (max-src-conn $MAXSRCCONN, \
    max-src-conn-rate $MAXSRCCONNRATE, overload <blockORPORT>)
pass in on $IFEXT inet6 proto tcp from any to $IP6 port $ORPORT \
    flags S/SA modulate state (max-src-conn $MAXSRCCONN, \
    max-src-conn-rate $MAXSRCCONNRATE, overload <blockORPORT>)

:: cronjob to release blocked IPs ::
(5 minutes cronjob, holds blocked IPs for roughly 4000 secs)

pfctl -t blockORPORT -T expire 4000

You can go for `keep state` instead of `modulate state`.

Cheers
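To see what the chosen numbers actually do to a client, here is an added example that models the pf.conf(5) semantics the rules above rely on. It is not part of the original post and not pf's own code: a sliding-window approximation of max-src-conn-rate, a per-source state counter for max-src-conn, and an overload table whose entries drop out after the 4000 seconds the cron job uses (the real cron job runs every 5 minutes, so entries linger a little longer). The source addresses and the SYN timings are constructed inputs.

```python
"""Added model of pf's max-src-conn / max-src-conn-rate / overload handling.

Not pf's code: the window and the table expiry approximate what pf and
`pfctl -T expire` do, so the numbers from the post can be tried offline.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 50            # max-src-conn: concurrent states per source IP
MAX_SRC_CONN_RATE = (5, 5)   # max-src-conn-rate 5/5: 5 new connections per 5 s
TABLE_EXPIRE = 4000          # seconds before `pfctl -T expire 4000` drops an entry


class SrcLimiter:
    """Per-source connection limits with an overload table, modelled on pf."""

    def __init__(self, max_conn=MAX_SRC_CONN, rate=MAX_SRC_CONN_RATE,
                 expire=TABLE_EXPIRE):
        self.max_conn = max_conn
        self.rate_count, self.rate_secs = rate
        self.expire = expire
        self.states = defaultdict(int)     # src -> open TCP states
        self.recent = defaultdict(deque)   # src -> times of recent new states
        self.table = {}                    # src -> time added to <blockORPORT>

    def in_table(self, src, now):
        """True while src is still listed; entries older than `expire`
        are removed, as the 5-minute cron job would do."""
        added = self.table.get(src)
        if added is None:
            return False
        if now - added >= self.expire:
            del self.table[src]
            return False
        return True

    def syn(self, src, now):
        """A SYN from src at time `now`: True if pf would create the state,
        False if the packet is dropped (table hit or a limit exceeded)."""
        if self.in_table(src, now):
            return False
        window = self.recent[src]
        while window and now - window[0] >= self.rate_secs:
            window.popleft()
        if len(window) >= self.rate_count or self.states[src] >= self.max_conn:
            # overload <blockORPORT>: the source goes into the table; without
            # the `flush` keyword its existing states are left alone
            self.table[src] = now
            return False
        window.append(now)
        self.states[src] += 1
        return True

    def fin(self, src):
        """A connection from src closed; its state is gone."""
        if self.states[src] > 0:
            self.states[src] -= 1


def syn_flood(limiter, src, count, interval, start=0.0):
    """Send `count` SYNs from src, `interval` seconds apart; return how many
    were admitted and the time of the last attempt."""
    admitted = 0
    now = start
    for i in range(count):
        now = start + i * interval
        admitted += limiter.syn(src, now)
    return admitted, now


def demo():
    lim = SrcLimiter()
    # constructed inputs: a burst of 6 SYNs inside 5 s from one address, and a
    # slow client that opens one connection every 2 s and never closes any
    burst_ok, t_burst = syn_flood(lim, "192.0.2.10", 6, 0.9)
    slow_ok, t_slow = syn_flood(lim, "192.0.2.20", 51, 2.0)
    return {
        "burst_admitted": burst_ok,                                   # 5
        "burst_in_table": lim.in_table("192.0.2.10", t_burst),        # True
        "burst_after_expiry": lim.syn("192.0.2.10", t_burst + TABLE_EXPIRE),  # True
        "slow_admitted": slow_ok,                                     # 50
        "slow_in_table": lim.in_table("192.0.2.20", t_slow),          # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The burst client trips the rate limit on its sixth SYN and stays in the table until the expiry time passes; the slow client never exceeds 5 SYNs in any 5-second window, so only max-src-conn catches it, on its 51st connection. Raising MAXSRCCONNRATE or dropping max-src-conn changes which of the two clients is caught, which is the trade-off the post's two knobs give you.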