List: inet-access
Subject: Re: Ratelimiting PPS per MAC address
From: Vicky Shrestha <mail () vickysh ! wlink ! com ! np>
Date: 2006-04-14 7:29:48
Message-ID: 443F4B34.2060108 () vickysh ! wlink ! com ! np
Brian Reichert wrote:
> On Wed, Apr 12, 2006 at 11:35:02PM +0545, Vicky Shrestha wrote:
>
>>Jawaid Bazyar wrote:
>>
>>>Just use a BSD bridging firewall. There are many embedded PC's in the
>>>$200 to $300 range that will run BSD as a firewall.
>>
>>BSD firewalls such as ipfw or brconfig do not support my scenario. The
>>problem is that the mac addresses are not known beforehand.
>>
>>Can you suggest the firewall application that can do this ?
>
>
> I would hazard a packet scanner, external to the firewall software, could
> start populating your list of MACs, and dynamically craft packet filter
> rules to throttle a given MAC, once it's seen.
>
>
>>>>pass in quick on $ext_if proto tcp from any to <web_servers> port 80
>>>>keep state ( max 1000, source-track rule, max-src-conn-rate 15/1,
>>>>max-src-states 20 )
>
>
> Why _don't_ you know the set of MACs? Is DNS/ARP not working
> for you?

Actually we have a wireless Network and Clients use PPPoE. The MAC
addresses are not known as clients can use any computer to connect to
the PPPoE server.
I need to limit the PPPoE PADI packets hitting the PPPoE Server using
some kind of L2 Firewall in between.
Thanks,
Vicky Shrestha
>
_______________________________________________
"Eat sushi frequently". - Avi
inet@inet-access.net is the human contact address.
list@inet-access.net is the list posting address.
See below URL for subscribe/unsubscribe and list options:
http://inet-access.net/mailman/listinfo/list
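
Added example, not part of the original thread or any poster's code: a Python illustration of the idea discussed above, learning source MACs as they appear and applying a per-MAC budget to PPPoE PADI frames only. The names `padi_source`, `PadiLimiter` and `make_padi`, the default of 5 PADIs per second, and the sample MAC addresses are assumptions; frames are assumed to arrive as raw Ethernet bytes from a capture or bridge hook that is not shown.

```python
import struct
from collections import defaultdict, deque

ETH_P_PPPOE_DISC = 0x8863   # PPPoE Discovery stage EtherType (RFC 2516)
ETH_P_8021Q = 0x8100        # single VLAN tag
PADI = 0x09                 # PPPoE Active Discovery Initiation code

def padi_source(frame):
    """Return the source MAC as a string if frame is a PADI, else None."""
    if len(frame) < 20:      # 14-byte Ethernet header + 6-byte PPPoE header
        return None
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETH_P_8021Q and len(frame) >= 24:
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_P_PPPOE_DISC:
        return None
    if frame[offset] != 0x11 or frame[offset + 1] != PADI:  # ver/type, code
        return None
    return ":".join("%02x" % b for b in frame[6:12])

class PadiLimiter:
    """Sliding-window PADI budget per source MAC; MACs are learned on sight."""
    def __init__(self, max_padi=5, window=1.0):   # assumed threshold
        self.max_padi, self.window = max_padi, window
        self.seen = defaultdict(deque)            # MAC -> accepted timestamps

    def allow(self, frame, now):
        """True: forward the frame. False: this MAC is over its PADI budget."""
        mac = padi_source(frame)
        if mac is None:                           # not a PADI: never limited here
            return True
        q = self.seen[mac]
        while q and now - q[0] >= self.window:    # expire old entries
            q.popleft()
        if len(q) >= self.max_padi:
            return False
        q.append(now)
        return True

def make_padi(src_mac):
    """Constructed sample: broadcast PADI carrying an empty Service-Name tag."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    pppoe = struct.pack("!BBHH", 0x11, PADI, 0, 4) + struct.pack("!HH", 0x0101, 0)
    return b"\xff" * 6 + src + struct.pack("!H", ETH_P_PPPOE_DISC) + pppoe
```

Source MACs are chosen by the sender, so a deployment built on this logic should also bound the size of the per-MAC table and keep an aggregate PADI limit per port.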