# IPFILTER limit concurrent TCP connections from IP ?



## rambetter (Apr 4, 2010)

I have IPFILTER installed on my FreeBSD 8.0 server.  The docs for this firewall software are here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

I'm trying to mitigate the possibility of a Slowloris HTTP DoS attack, where a single attacker opens a bunch of TCP connections to port 80 of my server, and lets these connections sit idle or close to idle.  The Apache server reaches its MaxClients number and no additional connections can be made, denying normal users access to the website.

I want to try to limit the number of concurrent TCP connections from any given [fixed] IP address to port 80 of my server to 10 or so.  I'm trying to do this with IPFILTER.  So far I have found some HP-UX-specific information on how I might be able to do this: http://www.hpuxtips.es/?q=node/224 and http://docs.hp.com/en/B9901-90042/ch05s01.html

Is this sort of thing possible with IPFILTER on FreeBSD 8.0?  If not, would it be possible with OpenBSD's PF?  Also, is doing this sort of thing on the firewall a good idea?  Would it maybe expose some other vulnerability because of the extra resources needed on the firewall to keep track of stateful information?


----------



## DutchDaemon (Apr 5, 2010)

Is IPFILTER even being maintained anymore?

Search for max-src in pf.conf(5) for a number of examples. And don't worry about 'additional state load'. I have a firewall somewhere (PC hardware) that regularly runs 100,000 states. No sweat -- you just need to allow it in e.g. pf which has a default of 10,000 states.
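As an added illustration of the max-src options this reply points to (not a configuration from anyone in this thread), here is a pf.conf fragment that does what the original question asks: cap concurrent TCP connections to port 80 from any one source IP at 10, and drop repeat offenders into a blocked table. The interface name em0 and the table name are assumptions.

```pf
# Added example (not from this thread): per-source connection cap for
# port 80 in pf. Interface name (em0) and table name are assumptions.

ext_if = "em0"
web_port = "80"

# Raise the state-table ceiling above pf's default of 10,000 so a busy
# web server does not run out of room for legitimate sessions.
set limit states 100000

# Addresses that exceeded the per-source limit; "persist" keeps the table
# defined even while it is empty.
table <slowloris> persist

# Block TCP from offending addresses; "quick" means this rule wins, so it
# must come before the pass rule below.
block in quick on $ext_if proto tcp from <slowloris>

# Allow web traffic, but track state per source:
#   max-src-conn 10        at most 10 established TCP connections from
#                          one source IP at a time
#   max-src-conn-rate 20/5 at most 20 new connections per 5 seconds
#   overload <slowloris>   a source that exceeds either limit is added
#                          to the table
#   flush global           and all of its existing states are removed,
#                          which tears down the idle Slowloris sockets
pass in on $ext_if proto tcp from any to ($ext_if) port $web_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 20/5, \
     overload <slowloris> flush global)

# Expire table entries after an hour (e.g. from cron) so a shared NAT
# address behind which one abuser sits is not locked out for good:
#   pfctl -t slowloris -T expire 3600
```

Slowloris connections complete the TCP handshake and then idle, so the knob that matters is max-src-conn (established connections per source), not the SYN-only counters; the rate limit and table expiry are there so a NAT gateway with many legitimate users behind it is throttled rather than permanently blocked.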


----------



## rambetter (Apr 5, 2010)

I don't know if IPFILTER is still being maintained.  From reading the Handbook the answer appears to be "yes".  I'm using it on 2 other systems that I have and it works great.  In fact it works better than OpenBSD's PF in some areas.

So, for this particular case I will try PF.  Thanks for the help.


----------

