# PF max-src-conn and closed connections causing problems



## chrcol (May 3, 2010)

OK, I am trying to get an effective rate limit in place for Apache and other services.

PF has, as many know, a rate limit feature that on paper is very useful:

max-src-conn
and
max-src-conn-rate

If it worked like iptables (which works very well) it would only class established connections as connected. But it seems it also counts all time_wait and fin_wait as well. So what does this mean in practice?

Well, e.g. I can set max-src-conn to 40, and load my website with IE (very popular browser) which defaults to max 12 connections on HTTP 1.0 and 6 on HTTP 1.1; by default HTTP 1.1 is enabled for direct connections and 1.0 is used for proxy connections.

On my IE browser HTTP 1.1 is disabled as I use a proxy.

When I load my website, which has the main page + 9 images, only 4 images load and the rest time out; on checking my states in pf with pfctl -ss there are about 30-40 in time_wait.

I found that to view my website with 9 images in HTTP 1.0 I had to set the limit to 120. So for a single load of my site I had to set the limit to over 10x the number of images and to 10x the limit of my connections in the browser. When using HTTP 1.1 I was however able to load the site fine and I only saw ESTABLISHED and CLOSED states in PF.

This behaviour does not change between keep state and synproxy state.

I have read in numerous places on the internet of people using low values like 15/1, 40, 25/3 and so on; all of these in production use would cause all sorts of problems because of the problem I described above. Only one hit on Google found a person who discovered the same problem, another person on this forum. So either people are accepting there will be usability issues on their sites, have found another solution but not published it, or have stopped using max-src-conn with these published settings.

I am fairly convinced the solution is for max-src-conn not to count states after they leave the established state, but I believe that is not something I can do in configuration; it requires a change in how pf operates. I would love for someone to come out and say no, it can be done in configuration. I am also considering setting all of the following to just 1 sec:

tcp.closing
tcp.finwait
tcp.closed
interval

However, I am fairly sure this would cause other problems.

Any thoughts?
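To see what max-src-conn is actually counting, it helps to break the `pfctl -ss` state table down per source address and per TCP state, so ESTABLISHED entries can be told apart from the TIME_WAIT and FIN_WAIT entries that are still sitting in the table. The script below is an added example, not from the original post; it assumes the `<iface> <proto> <addr> -> <addr>  STATE:STATE` line layout that OpenBSD/FreeBSD `pfctl -ss` prints, and the sample state lines are constructed (no NAT entries, RFC 5737 documentation addresses).

```shell
#!/bin/sh
# Summarize pf TCP states per source IP and per state, from `pfctl -ss` output.
# Added example with constructed sample data; not from the original thread.

# Constructed stand-in for `pfctl -ss` output. "<-" marks an inbound state
# (source is the right-hand address), "->" an outbound one (source on the left).
SAMPLE_STATES='all tcp 198.51.100.5:80 <- 192.0.2.10:50001       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.5:80 <- 192.0.2.10:50002       TIME_WAIT:TIME_WAIT
all tcp 198.51.100.5:80 <- 192.0.2.10:50003       TIME_WAIT:TIME_WAIT
all tcp 198.51.100.5:80 <- 192.0.2.10:50004       FIN_WAIT_2:FIN_WAIT_2
all tcp 198.51.100.5:80 <- 203.0.113.7:40001       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:50005 -> 198.51.100.5:80       TIME_WAIT:TIME_WAIT
all udp 198.51.100.5:53 <- 203.0.113.7:40002       MULTIPLE:SINGLE'

# Read pfctl -ss text on stdin; print "src_ip state count", one line per pair.
# Only TCP states are considered, and the state is the first of the two
# per-side states pf prints (the two sides agree for fully closed states).
count_states() {
    awk '
    $2 == "tcp" {
        if ($4 == "->") src = $3; else if ($4 == "<-") src = $5; else next
        sub(/:[0-9]+$/, "", src)        # strip the port, keep the address
        split($NF, st, ":")             # "TIME_WAIT:TIME_WAIT" -> "TIME_WAIT"
        n[src " " st[1]]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Total TCP states held for one source: this is the figure the max-src-conn
# limit is compared against, closed-but-not-yet-expired states included.
count_total() {
    count_states | awk -v ip="$1" '$1 == ip { s += $3 } END { print s + 0 }'
}

# States for one source that are no longer ESTABLISHED (TIME_WAIT, FIN_WAIT_*,
# CLOSING, ...). A large value here relative to count_total explains why a
# per-page load can exhaust a max-src-conn limit far above the page's element count.
count_non_established() {
    count_states | awk -v ip="$1" '$1 == ip && $2 != "ESTABLISHED" { s += $3 } END { print s + 0 }'
}

# Stand-alone run over the constructed sample; on a live box use
#   pfctl -ss | count_states
printf '%s\n' "$SAMPLE_STATES" | count_states
printf 'total for 192.0.2.10: %s, non-established: %s\n' \
    "$(printf '%s\n' "$SAMPLE_STATES" | count_total 192.0.2.10)" \
    "$(printf '%s\n' "$SAMPLE_STATES" | count_non_established 192.0.2.10)"
```

Run it right after a single page load (after `pfctl -F states` to clear leftovers, as the reply below suggests) and the non-established column shows how many table entries a browser's already-closed HTTP/1.0 connections are still contributing toward the limit.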


----------



## darkmark (May 5, 2010)

Well, as you know, HTTP/1.0 without keep-alives is going to create a new connection for each element on the page. For a single HTML page with 9 images, you would only create 10 connections at most.

Something else is affecting your test to create 40 connections. Perhaps you are counting cumulative connections, because of re-transferring the site multiple times in your browser, eventually creating 40 connections in TIME_WAIT.

I'd suggest clearing the state table and re-running your test, perhaps with a simultaneous tcpdump to see where all those connections are coming from.

My experience is that the pf defaults are pretty reasonable and that most agents are using HTTP/1.1 with much lower connection requirements.

That said, pf is a firewall, and firewalls are easily subject to DoS despite max-src-conn. If it's a busy website, it's better to carefully build the web service and OS as minimalist and high-performance a package as possible and do any ACL and protection at the switch.


----------

