max-src-conn-rate (Connection rate throttling per IP)

Benoit Panizzon benoit.panizzon at
Tue Aug 30 14:40:55 CEST 2005

Hi all

I'm looking for a way to prevent connection DOSing of specific services.

The goal is to count the connection rate per connecting IP and then reject 
those connections if they pass a certain limit.

It looks like OpenBSD's pf is the only packet filter (except some commercial 
firewalls) which has this ability.

The best I managed with iptables is to throttle the connection rate for a 
specific port, but this of course affects normal users trying to use that 
service and does not change the fact of the service being DOSed.

The other possibility I found is to write my own userspace QUEUE target 
connection rate tracker via the iptables api. But as I'm not a programmer and 
I think this is a quite common request I just wonder:

Hasn't somebody already written such a per-source connection rate limiter?

Is there a repository of different userspace QUEUE tools where I could find 
something similar?

Benoît Panizzon, <bp at>
ImproWare AG, UNIXSP & ISP                     Phone:   +41 61 826 93 00
                               Kabelinternet-Hotline:   +41 61 826 93 07
Zurlindenstrasse 29                              Fax:   +41 61 826 93 01
CH-4133 Pratteln                                 Net:
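As an added example (not code from the original post or from the netfilter project), the following models in userspace what the poster is asking for: new-connection attempts are counted per source address with a token bucket keyed by source IP, and a source that exhausts its budget is rejected while other sources using the same port are untouched. The addresses, timestamps, rate and burst are constructed for the demonstration. In later iptables releases the same per-source bucket is available in-kernel through the `hashlimit` match with `--hashlimit-mode srcip`, which also expires idle entries the way `expire()` does here.

```python
"""Per-source connection-rate limiter: one token bucket per source IP.

Added example; constructed input, not from the original post.
Each source gets `burst` tokens up front and earns `rate` tokens per second.
A new connection costs one token; a source with no tokens left is rejected.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Bucket:
    tokens: float  # connections still allowed right now
    last: float    # timestamp of the last refill for this source


class PerSourceRateLimiter:
    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, src_ip: str, now: float) -> bool:
        """Return True if a new connection from src_ip at time `now` is within budget."""
        b = self.buckets.get(src_ip)
        if b is None:
            # First sight of this source: full burst budget, nothing to refill yet.
            b = Bucket(tokens=float(self.burst), last=now)
            self.buckets[src_ip] = b
        else:
            # Refill for the time elapsed since the last packet, capped at burst.
            b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
            b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def expire(self, now: float, idle_seconds: float) -> int:
        """Drop sources idle longer than idle_seconds so the table stays bounded."""
        stale = [ip for ip, b in self.buckets.items() if now - b.last > idle_seconds]
        for ip in stale:
            del self.buckets[ip]
        return len(stale)


# Constructed SYN arrivals: (timestamp, source IP, destination port).
# 10.0.0.99 floods port 25 with 20 SYNs in 0.2 s; two normal clients connect slowly.
SAMPLE_EVENTS: List[Tuple[float, str, int]] = (
    [(10.0 + i * 0.01, "10.0.0.99", 25) for i in range(20)]
    + [(10.0, "192.0.2.10", 25), (12.0, "192.0.2.10", 25), (14.0, "192.0.2.10", 25)]
    + [(10.5, "198.51.100.7", 25)]
)


def simulate(events: List[Tuple[float, str, int]], rate: float, burst: int) -> Dict[str, Tuple[int, int]]:
    """Run the limiter over events in arrival order; return {ip: (accepted, rejected)}."""
    limiter = PerSourceRateLimiter(rate_per_sec=rate, burst=burst)
    result: Dict[str, Tuple[int, int]] = {}
    for ts, ip, _port in sorted(events):
        acc, rej = result.get(ip, (0, 0))
        if limiter.allow(ip, ts):
            result[ip] = (acc + 1, rej)
        else:
            result[ip] = (acc, rej + 1)
    return result


if __name__ == "__main__":
    # 1 new connection/s sustained, burst of 5: the flooder gets 5 through, others are unaffected.
    for ip, (acc, rej) in simulate(SAMPLE_EVENTS, rate=1.0, burst=5).items():
        print(f"{ip:15} accepted={acc:2d} rejected={rej:2d}")
```

Keying the bucket on the source address rather than on the destination port is what separates this from the per-port `limit` match the poster tried: a single flooding source empties only its own bucket, so the service stays reachable for everyone else. The refill happens lazily on packet arrival, so no timer is needed, and `expire()` is the periodic housekeeping that keeps the per-source table from growing without bound.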