
I want to limit simultaneous FTP connections to my FreeBSD server with the pf firewall, for example so that only 10 simultaneous connections are possible to port 20 or 21 from one source IP.

For this I use this rule:

pass in quick proto tcp from any to em0 port {20, 21} keep state (max-src-conn 10)

The problem is that every upload or download produces a state entry with the state FIN_WAIT_2:FIN_WAIT_2 when it is finished. This state is only removed when the tcp.finwait timeout is reached. After 10 of these FIN_WAIT states the server doesn't accept new data connections. This is a problem when you try to download or upload multiple files sequentially with a single FTP login.

Does anyone have a good solution for this problem?
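To see how far a source is from the max-src-conn budget and how much of it is consumed by lingering FIN_WAIT_2 states, the following added script (not part of the original question) tallies pf's state table per source IP from `pfctl -ss` output; the state lines embedded below are a constructed sample, and the server and client addresses in it are placeholders.

```shell
#!/bin/sh
# Added example: per-source state accounting against a pf max-src-conn budget.
# Input is text in `pfctl -ss` format; on a live host you would feed it
# `pfctl -ss` instead of the constructed sample below.

# Constructed sample: one client keeps 1 ESTABLISHED and 3 FIN_WAIT_2 states
# to the FTP ports, a second client has a single finished transfer.
SAMPLE_STATES='all tcp 203.0.113.10:21 <- 198.51.100.7:51001       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:20 <- 198.51.100.7:51002       FIN_WAIT_2:FIN_WAIT_2
all tcp 203.0.113.10:20 <- 198.51.100.7:51003       FIN_WAIT_2:FIN_WAIT_2
all tcp 203.0.113.10:20 <- 198.51.100.7:51004       FIN_WAIT_2:FIN_WAIT_2
all tcp 203.0.113.10:20 <- 198.51.100.9:40010       FIN_WAIT_2:FIN_WAIT_2
all udp 203.0.113.10:53 <- 198.51.100.9:40011       SINGLE:MULTIPLE'

# finwait_per_source STATES LIMIT
# Prints "source_ip total_tcp_states finwait2_states" for every source IP whose
# TCP state count has reached LIMIT (the rule's max-src-conn value), sorted.
finwait_per_source() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        $2 == "tcp" {
            # "<-" marks an inbound state: the source is the right-hand endpoint.
            src = ($4 == "<-") ? $5 : $3
            sub(/:[0-9]+$/, "", src)            # strip the port number
            total[src]++
            if ($NF == "FIN_WAIT_2:FIN_WAIT_2") fin[src]++
        }
        END {
            for (ip in total)
                if (total[ip] >= limit)
                    printf "%s %d %d\n", ip, total[ip], fin[ip] + 0
        }' | sort
}

# The question's rule uses max-src-conn 10; the sample is small, so a limit
# of 4 is used here to show a client whose budget is eaten by FIN_WAIT_2 states.
finwait_per_source "$SAMPLE_STATES" 4
```

A source whose total equals the limit while most of its states are FIN_WAIT_2 is exactly the case the question describes: finished transfers still counting against the connection budget until tcp.finwait expires.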

1 Answer


This could easily be done with rctl. You would run the ftp daemon with a unique UID and limit the number of processes for this UID. That's it.

You may need to recompile the kernel with

options RACCT
options RCTL

and then you can use rctl like this:

rctl -a user:ftp:maxproc:deny=11

Have a look at man rctl and you will love it ;)

Jimmy Koerting
Comment by Jimmy Koerting (Dec 20 '13 at 16:07): Oh, and yes. You could also install proftpd; there you can limit this out of the box: http://www.proftpd.org/docs/directives/linked/config_ref_MaxClients.html