From owner-freebsd-pf@FreeBSD.ORG Fri May 18 21:17:14 2007
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Abdullah Ibn Hamad Al-Marri"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 May 2007 14:17:12 -0700
Subject: Re: Best way to decrease DDoS with pf.
In-Reply-To: <499c70c0705181353y63c31c0dv55c5bdbbf259291c@mail.gmail.com>
References: <464D6880.2080306@vwsoft.com>
  <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
  <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
  <499c70c0705181353y63c31c0dv55c5bdbbf259291c@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> On 5/18/07, Kian Mohageri wrote:
> > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > On 5/18/07, Kian Mohageri wrote:
> > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > > Thank you for the tip.
> > > > >
> > > > > Here is what I'm using, which fixed the issue.
> > > > >
> > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > > > flags S/SA synproxy state
> > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > > flags S/SA keep state \
> > > > > (max-src-conn 30, max-src-conn-rate 30/3, \
> > > > > overload flush global)
> > > > > pass out proto tcp to any keep state
> > > > >
> > > > > Comments?
> > > >
> > > > The first rule won't match anything (same criteria as second rule, and
> > > > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > > > you have a good reason not to.
> > > >
> > > > Kian
> > >
> > > I thought the first rule would defeat SYN floods.
> > >
> > > Is the second rule going to do the same job as the first rule and
> > > prevent SYN floods?
> >
> > The rules are different obviously, but the criteria match the same
> > traffic. Because PF will apply the last matching rule by default
> > (unless 'quick' is used), your first rule will never be applied. You
> > could use synproxy state on the second rule, and remove the first
> > entirely.
> >
> > > As for the third rule syntax, should I make it like this?
> > >
> > > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > > same for udp?
> > >
> > > "pass out proto udp to any flags S/SA keep state" ?
> >
> > If you only want to pass UDP and TCP, then you can do something like this:
> >
> > pass out proto tcp to any flags S/SA keep state
> > pass out proto udp to any keep state
> >
> > Kian
>
> Alright, can you give me synproxy in the first line entry? I tried to
> add it, and I get an error.

No? I'm confused about what you're asking for. Paste what you tried first.
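The following pf.conf fragment is an added illustration of what the reply recommends (collapse the two "pass in" rules into one "synproxy state" rule with the connection limits); it is not from the thread or from either participant. The interface name "em0", the service list, and the table name "<abusers>" are assumptions introduced here for the example; the original rules never named an overload table, which is itself a reason pfctl rejects "overload flush global", since the grammar is "overload <table> [flush [global]]".

```pf
# Added example, not code from the thread.  $ext_if and $tcp_services are
# assumed values; <abusers> is an assumed table name.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Sources that exceed the limits below are added here by the overload clause.
table <abusers> persist

# "quick" stops evaluation here, so later pass rules cannot re-admit a source
# that is already in the table.
block in quick on $ext_if proto tcp from <abusers> to any

# One rule instead of two.  "synproxy state" completes the three-way handshake
# on behalf of the server, so a SYN flood never creates a half-open connection
# on the host; the state options then cap each source at 30 concurrent
# connections and 30 new connections per 3 seconds.  "flush global" kills all
# states the offending source already holds, not just those from this rule.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <abusers> flush global)

# Outbound, as suggested in the reply: flags S/SA for TCP so state is created
# only on the initial SYN; UDP has no flags.
pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it; that parse-only run reports the missing table name and any other grammar error without touching the running ruleset. After loading, "pfctl -s rules" shows the rules in evaluation order (last match wins unless "quick" is present), and "pfctl -t abusers -T show" lists the sources the overload clause has caught. One caveat with synproxy: pf must see both directions of the connection, so it does not work on hosts with asymmetric routing or on bridges where the return path bypasses the filter.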