# UDP blocking with rate limits



## seaquest (Nov 2, 2013)

Hi,

I know PF's max-src-conn, max-src-conn-rate and similar options are used only for TCP, because of the spoofing-prone nature of UDP. Knowing this, however, I want to limit UDP traffic according to source IP. For example, a single IP should be able to send 200 UDP pps to a single target IP.
Is there any method for this in FreeBSD world, pf, ipf, ipfw etc.?

Regards,


----------



## santosaka (Apr 30, 2014)

Hi,

Do we have this feature? I want to limit the client also. For example, I want to limit to "10 ping packets per second".

Regards,
Santo Saka


----------



## williamy (Apr 30, 2014)

Sorry to disappoint you, but the firewall doesn't have the feature you want. I met this requirement once, but I was using Linux at the time, so it was quite easy to have this feature. By the way, does anyone want this feature on IPFW?


----------



## williamy (Apr 30, 2014)

Seems someone asked for this same feature in 2003, and we still don't have it! Check the link below.
http://lists.freebsd.org/pipermail/free ... 00074.html

So now I propose two ways to implement this feature, and they are going to be

1. implement a new action name `pps`, short for `pps per second`, and the usage will be as below

```
ipfw add pps 1 icmp from any to any
```
It means `allow 1 icmp packet per second` via this rule; otherwise, the packet will be dropped.

2. as luigi said, implement it in the dummynet way.

```
ipfw pipe 1 config pps 2
ipfw add pipe 1 icmp from any to any
```
That means pipe 1 will allow 2 packets per second, and the ipfw rule will invoke the pipe as a result.

So which is better?
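
Added illustration, not code from this thread, from pf or from ipfw: a Python model of the per-source packet-per-second budget discussed in this thread (the original 200 UDP pps per source/target pair), implemented as a token bucket keyed on (src, dst). The flow table is bounded with LRU eviction because a forged UDP source could otherwise create one state per fake address; addresses, timestamps and rates are constructed sample values.

```python
from collections import OrderedDict
from fractions import Fraction


class PpsLimiter:
    """Per (src, dst) token bucket: `rate` packets/s, up to `burst` at once."""

    def __init__(self, rate, burst=None, max_flows=1024):
        self.rate = Fraction(rate)          # exact arithmetic, no float drift
        self.burst = Fraction(rate if burst is None else burst)
        self.max_flows = max_flows
        self.flows = OrderedDict()          # (src, dst) -> [tokens, last_seen]

    def allow(self, src, dst, now):
        """Return True if the packet fits the budget, False if it should drop."""
        now = Fraction(now)
        key = (src, dst)
        state = self.flows.get(key)
        if state is None:
            # UDP sources can be forged, so the table must stay bounded:
            # evict the least recently seen flow instead of growing forever.
            if len(self.flows) >= self.max_flows:
                self.flows.popitem(last=False)
            state = self.flows[key] = [self.burst, now]
        else:
            self.flows.move_to_end(key)
        tokens = min(self.burst, state[0] + (now - state[1]) * self.rate)
        state[1] = now
        if tokens >= 1:
            state[0] = tokens - 1
            return True
        state[0] = tokens                   # refill credit is kept, packet dropped
        return False


def simulate(limiter, packets):
    """Count (passed, dropped) over an iterable of (timestamp, src, dst)."""
    passed = dropped = 0
    for ts, src, dst in packets:
        if limiter.allow(src, dst, ts):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


# Constructed sample: 10.0.0.1 sends 1000 UDP packets to 192.0.2.10 within
# one second, while 10.0.0.2 sends 50 packets to the same target.
FLOOD = [(Fraction(i, 1000), "10.0.0.1", "192.0.2.10") for i in range(1000)]
NORMAL = [(Fraction(i, 50), "10.0.0.2", "192.0.2.10") for i in range(50)]
```

With a 200 pps limit the flood source gets its 200-packet burst plus 200 pps of refill (399 of 1000 pass), while the well-behaved source is untouched (50 of 50 pass).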


----------



## williamy (May 12, 2014)

Patch submitted.
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/189721


----------

