From owner-freebsd-pf@FreeBSD.ORG Fri May 18 19:02:27 2007
From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: Volker, freebsd-pf@freebsd.org
Date: Fri, 18 May 2007 12:02:25 -0700
Subject: Re: Best way to decrease DDoS with pf.
In-Reply-To: <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
References: <464D6880.2080306@vwsoft.com> <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com> <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> On 5/18/07, Kian Mohageri wrote:
> > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > Thank you for the tip.
> > >
> > > Here is what I'm using, which fixed the issue.
> > >
> > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > >     flags S/SA synproxy state
> > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > >     flags S/SA keep state \
> > >     (max-src-conn 30, max-src-conn-rate 30/3, \
> > >     overload flush global)
> > > pass out proto tcp to any keep state
> > >
> > > Comments?
> >
> > The first rule won't match anything (same criteria as second rule, and
> > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > you have a good reason not to.
> >
> > Kian
>
> I thought the first rule would defeat a syn flood.
>
> Is the second rule going to do the same job as the first rule and will it
> prevent a syn flood?

The rules are different, obviously, but the criteria match the same
traffic. Because PF will apply the last matching rule by default (unless
'quick' is used), your first rule will never be applied.

You could use synproxy state on the second rule, and remove the first
entirely.

> As for the third rule syntax, should I make it like this?
>
> "pass out proto tcp to any flags S/SA keep state" and shall I add the
> same for udp?
>
> "pass out proto udp to any flags S/SA keep state" ?

If you only want to pass UDP and TCP, then you can do something like this:

pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state

Kian
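Putting the thread's advice together into one ruleset, as an added example that is not part of the original message and is not the poster's own configuration: the two 'pass in' rules are merged into a single synproxy rule carrying the source-tracking options, the overload target is spelled out as a table, and a 'block ... quick' rule in front of it keeps offenders out even though pf's last-match-wins ordering would otherwise let the later 'pass' override a plain 'block'. The interface name, the service list and the table name <bruteforce> are assumptions made for the example.

```pf
# Added example ruleset, not code from the original thread.
# em0, the service list and the table name are assumptions.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Sources that exceed the limits below are added to this table by the
# overload clause. 'persist' keeps the table even when no rule references it.
table <bruteforce> persist

# 'quick' makes this a final match, so the 'pass in' rule further down
# cannot re-admit a host that has already been placed in the table.
block in quick on $ext_if from <bruteforce>

# One rule does both jobs the original two rules tried to split:
#  - synproxy state: pf completes the TCP handshake itself and only
#    creates a state on the protected side once the client has answered,
#    so half-open SYNs from a flood never reach the service.
#  - max-src-conn 30: at most 30 concurrent connections per source.
#  - max-src-conn-rate 30/3: at most 30 new connections per source
#    in any 3-second window.
#  - overload <bruteforce> flush global: a source that trips either
#    limit goes into the table and all of its states are killed.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

# Outbound: only an initial SYN (SYN set, ACK clear) creates TCP state;
# UDP has no flags, so it just keeps state.
pass out on $ext_if proto tcp to any flags S/SA keep state
pass out on $ext_if proto udp to any keep state
```

Check the syntax with 'pfctl -nf /etc/pf.conf' before loading it with 'pfctl -f /etc/pf.conf', and watch what the overload clause collects with 'pfctl -t bruteforce -T show'. Entries added by overload do not age out on their own; 'pfctl -t bruteforce -T expire 3600' from cron removes entries older than an hour, which avoids permanently locking out a source that was only briefly noisy.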