From owner-freebsd-pf@FreeBSD.ORG Fri May 18 20:53:49 2007
Message-ID: <499c70c0705181353y63c31c0dv55c5bdbbf259291c@mail.gmail.com>
Date: Fri, 18 May 2007 23:53:48 +0300
From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: "Kian Mohageri"
Cc: Volker, freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
References: <464D6880.2080306@vwsoft.com> <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com> <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/18/07, Kian Mohageri wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > On 5/18/07, Kian Mohageri wrote:
> > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > Thank you for the tip.
> > > >
> > > > Here's what I'm using, which fixed the issue.
> > > >
> > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > > flags S/SA synproxy state
> > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > flags S/SA keep state \
> > > > (max-src-conn 30, max-src-conn-rate 30/3, \
> > > > overload flush global)
> > > > pass out proto tcp to any keep state
> > > >
> > > > Comments?
> > >
> > > The first rule won't match anything (same criteria as second rule, and
> > > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > > you have a good reason not to.
> > >
> > > Kian
> >
> > I thought the first rule would defeat a syn flood.
> >
> > Is the second rule going to do the same job as the first rule and
> > prevent a syn flood?
>
> The rules are different obviously, but the criteria match the same
> traffic. Because PF will apply the last matching rule by default
> (unless 'quick' is used), your first rule will never be applied. You
> could use synproxy state on the second rule, and remove the first
> entirely.
>
> > As for the third rule syntax, should I make it like this?
> >
> > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > same for udp?
> >
> > "pass out proto udp to any flags S/SA keep state" ?
>
> If you only want to pass UDP and TCP, then you can do something like this:
>
> pass out proto tcp to any flags S/SA keep state
> pass out proto udp to any keep state
>
> Kian

Alright, can you give me synproxy in the first line entry?

I tried to add it, and I get an error.

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
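The point Kian makes in the thread is that pf evaluates a ruleset last-match-wins, so two `pass in` rules with identical criteria leave the earlier one (the synproxy one) dead, and the fix is to carry `synproxy state` and the connection-limit options on a single rule. The fragment below is an added example written for this page, not the ruleset of either poster. It assumes the `$ext_if` and `$tcp_services` macros from the thread are defined earlier in pf.conf, and the table name `<synflooders>` is a placeholder chosen here: in pf.conf syntax the `overload` option takes a table name (`overload <table> flush global`), which the quoted rule omits, so a table is declared and a `block ... quick` rule is added ahead of the pass rules so that hosts the overload option puts in the table are dropped before the pass rules can re-admit them.

```pf
# Added example; not the original posters' rules. Assumes $ext_if and
# $tcp_services are macros defined earlier in pf.conf. The table name
# <synflooders> is a placeholder picked for this example.

table <synflooders> persist

# Drop anything from hosts the overload option has placed in the table.
# 'quick' stops evaluation here, so the later pass rules cannot override it.
block in quick on $ext_if from <synflooders>

# Shadowed form from the thread: both rules match the same traffic, and
# because pf applies the LAST matching rule, the synproxy rule is never used.
#pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
#    flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
#    flags S/SA keep state \
#    (max-src-conn 30, max-src-conn-rate 30/3, overload flush global)

# Merged form: synproxy completes the TCP handshake on behalf of the
# protected host before the connection is passed, so half-open SYNs never
# reach it; the state options cap each source at 30 concurrent connections
# and 30 new connections per 3 seconds, add offenders to the table, and
# 'flush global' tears down all of that source's existing states.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <synflooders> flush global)

# Outbound, as suggested later in the thread: flags S/SA only makes sense
# for TCP, so the UDP rule carries no flags clause.
pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating it, and inspect the table afterwards with `pfctl -t synflooders -T show` to confirm that addresses are actually being added once the limits trip. Entries added by `overload` stay until removed, so a periodic `pfctl -t synflooders -T expire <seconds>` (or a smaller table that is flushed on reload) is the usual companion to this rule.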