Subject: Re: Session limit
To: None <tech-net@NetBSD.org>
From: Henning Brauer <hb-netbsd-tech-net@bsws.de>
List: tech-net
Date: 04/05/2006 15:40:11
* der Mouse <mouse@Rodents.Montreal.QC.CA> [2006-04-04 16:42]:
> [top-posting fixed up manually]
> >>> is it possible to limit active sessions number by IP address[?]
> >> Maybe.  What's a "session"?  [some possibilities]
> > I mean for all TCP sessions.  [both NATted and not]
> 
> Hm.  I don't know of any way to limit NAT state per IP, but such a
> thing could exist.  Since the kernel keeps no state for non-NATted
> connections (ie, connections for which it's acting as an ordinary IP
> router), I doubt you'll find any way to impose the limit you want for
> those.

pf can limit the number of states per rule. this can be used for this.
note that when a rule reaches its maximum states, it simply will not 
match any more, i. e. the rule set is examined further.

-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
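The per-rule state cap Henning describes, together with pf's per-source-address limits, as an added pf.conf fragment (this is example configuration, not anything posted in the thread; the interface name, addresses and limits are assumed, and the source-tracking and overload options assume a pf of roughly OpenBSD 3.7 vintage or later):

```pf
# Added example, not from the thread. Interface, addresses and limits are
# assumed values chosen for illustration.
ext_if = "fxp0"
table <overlimit> persist

# pf uses last-match semantics: this default block catches any packet that
# a later pass rule stops matching once that rule's state limit is reached.
block in log on $ext_if all
block in log quick on $ext_if from <overlimit> to any

# Per-rule cap: at most 1000 states for this rule in total. When the cap
# is reached the rule no longer matches, evaluation continues, and the
# "block in" above wins for the excess connections.
pass in on $ext_if proto tcp from any to 192.0.2.10 port 80 \
    keep state (max 1000)

# Per-source cap: state tracking per client address for this rule.
#   max-src-states 20   at most 20 states per source address
#   max-src-conn 10     at most 10 fully established TCP connections
#   max-src-conn-rate   more than 15 new connections in 5 seconds puts the
#                       address into <overlimit>; "flush" drops its states
pass in on $ext_if proto tcp from any to 192.0.2.11 port 22 \
    keep state (source-track rule, max-src-states 20, max-src-conn 10, \
                max-src-conn-rate 15/5, overload <overlimit> flush)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -vsr` to see each rule's current state count against its `max`, and `pfctl -t overlimit -T show` to see which addresses the rate limit has caught. Note that only connections that create state are counted; a stateless forwarding path, as der Mouse points out above, has nothing to count.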