From owner-freebsd-pf@FreeBSD.ORG Sat Dec 30 18:23:25 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 410D816A403 for ; Sat, 30 Dec 2006 18:23:25 +0000 (UTC) (envelope-from almarrie@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.171]) by mx1.freebsd.org (Postfix) with ESMTP id BC01C13C458 for ; Sat, 30 Dec 2006 18:23:24 +0000 (UTC) (envelope-from almarrie@gmail.com)
Received: by ug-out-1314.google.com with SMTP id o2so4045458uge for ; Sat, 30 Dec 2006 10:23:23 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=K//cqP1xC0oaAZu1/piqHfTAAKKPKERytRL92lX0hL+B7lQgeoCOW3kCxFb6Ly9Se8BtQiOBDNFdZfmGKQNmGQE+OW9RDOOhG9/JWUNeJ834jowESfrzZGFlLDBp7KqNUvT6bRVKym+WBfw4VYmOww8VtXWjVDuAahDZacEuGtU=
Received: by 10.66.244.10 with SMTP id r10mr24115610ugh.1167503003282; Sat, 30 Dec 2006 10:23:23 -0800 (PST)
Received: by 10.67.27.15 with HTTP; Sat, 30 Dec 2006 10:23:22 -0800 (PST)
Message-ID: <499c70c0612301023k25a801d4h8ef13ff1bebd5dbe@mail.gmail.com>
Date: Sat, 30 Dec 2006 21:23:22 +0300
From: "Abdullah Al-Marrie"
To: "Peter N. M. Hansteen"
In-Reply-To: <87vejtuytk.fsf@thingy.datadok.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <499c70c0612290305w11eee312ma02e482b69e77f01@mail.gmail.com> <87vejtuytk.fsf@thingy.datadok.no>
Cc: freebsd-pf@freebsd.org
Subject: Re: rate limit with pf instead of IPFW
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 30 Dec 2006 18:23:25 -0000

On 12/30/06, Peter N. M. Hansteen wrote:
> "Abdullah Al-Marrie" writes:
>
> > I checked http://home.nuug.no/~peter/pf/en/bruteforce.html
> >
> > I still didn't find anything in the FAQ that covers table persist.
> > Do I need to create a file like /etc/bruteforce, or is there no need
> > for that, and will the entries be stored in the kernel until they
> > expire or I reboot the box?
>
> You can load data into a table from a file (or for that matter dump
> table contents to a file) if you like. If it's important to keep the
> table contents across reboots, you probably want to do something like
>
> $ sudo pfctl -t foo -T show >/etc/tables/foo
>
> or perhaps at regular intervals from cron, and declare your table
> something like
>
> table <foo> persist file /etc/tables/foo
>
> > As su I type pfctl -t foo -Tl -f /etc/pf.conf but it returns nothing.
>
> If you want to show table contents, a
>
> $ sudo pfctl -t foo -T show
>
> should be sufficient.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
> 20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

Ok, I think it works now, but I'm sure I missed something, since it doesn't block the flooder.

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub in on $ext_if all no-df
scrub on $ext_if all reassemble tcp

# Filtering: the implicit first two rules are
#   pass in all
#   pass out all

# Pass all 'quick' on localhost loopback device
pass quick on lo0 all

## Default DENY & Log filter rules
block in log all
block out log all

# Drop our 'badguys' 'quick' with no reply or logging.
# (The table referenced here is <foo>, the only table the loaded ruleset lists below.)
block in quick on $ext_if from <foo> to any

# Pass in rules for Various services defined above. Using 'synproxy-state' for
# basic dDoS mitigation on TCP services.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services flags S/SA synproxy state

# Rate limit on the web port: more than 3 new connections per 3 seconds from
# one address adds it to <foo> and kills all of its states ('flush global').
pass quick proto tcp from any to port 80 \
        flags S/SA keep state \
        (max-src-conn-rate 3/3, \
         overload <foo> flush global)

# Pass UDP keeping state
pass in on $ext_if proto udp from any to $ext_if port $udp_services keep state

# Pass ICMP Type 8 (echo request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Pass FTP
pass in quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
# Note: this admits any inbound TCP connection to a port above 49151, not only FTP data.
pass in quick on $ext_if proto tcp from any to any port > 49151 keep state

# Pass out rule allowing all with modulate state
pass out on $ext_if proto tcp all modulate state flags S/SA

# Pass out rules for UDP, ICMP
pass out on $ext_if proto { udp, icmp } all keep state

# End ----

Here is the pfctl -s a output:

self tcp 66.90.105.115:80 <- 86.142.37.237:1086       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 211.213.208.237:3698     TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 88.72.57.238:1345        TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 88.72.57.238:1150        TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 82.253.27.239:3079       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 85.24.126.240:1063       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 200.227.72.245:40219     TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 84.61.12.247:1537        TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 62.21.114.254:27475      TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 62.21.114.254:27476      TIME_WAIT:TIME_WAIT

SOURCE TRACKING NODES:
83.26.19.2 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.57.19.6 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.100.235.6 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
125.191.104.7 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
212.51.52.8 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
213.63.67.8 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.245.169.9 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.129.142.13 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.252.21.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.226.46.14 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.19.164.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.107.53.15 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.69.215.16 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
82.197.246.17 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.214.188.19 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.118.233.20 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
212.116.219.21 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.31.175.22 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
83.209.10.24 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.20.97.26 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
200.92.206.26 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.183.16.29 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
193.189.116.29 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.248.32.32 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.217.145.32 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.110.165.33 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.228.202.36 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
89.252.13.37 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.168.152.39 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
58.141.35.42 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.64.49.42 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
82.155.36.47 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
68.116.187.47 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
83.26.240.49 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.38.29.52 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.1.54.52 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.241.71.52 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
195.96.124.52 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.160.206.52 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.45.251.54 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
88.118.183.55 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.228.183.56 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.77.56.57 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
195.161.7.61 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.22.187.61 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
218.172.158.64 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
83.6.223.74 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.24.124.75 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
213.246.243.78 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.175.28.79 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
200.162.227.80 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.104.6.81 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.186.130.81 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.205.75.83 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.25.232.84 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.59.45.85 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.109.76.87 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
211.124.236.87 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
195.229.242.90 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.102.187.92 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
213.145.113.93 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
217.23.253.94 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.139.217.97 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
82.83.17.100 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/3s )
88.72.50.102 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.114.143.102 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.108.202.103 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.193.175.104 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.29.13.106 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.24.122.106 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
24.144.23.109 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.178.102.109 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.55.14.110 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.128.33.112 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.138.228.113 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
70.83.87.118 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.117.2.119 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
219.248.23.125 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.103.90.126 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.193.178.127 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
201.250.230.128 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.128.204.129 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
85.186.140.132 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
166.87.255.132 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
219.241.253.133 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.181.87.134 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.185.151.135 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.106.122.137 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.55.94.139 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.68.72.143 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.142.233.144 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.25.212.147 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.182.101.149 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.106.250.150 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.179.198.151 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
82.247.63.152 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.73.75.152 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
210.64.230.153 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.166.211.155 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
24.37.213.158 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.182.183.159 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.26.225.161 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.221.70.166 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.217.158.166 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.26.241.166 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.53.206.168 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
85.168.112.172 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.154.113.173 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/3s )
85.61.10.174 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.234.60.176 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.217.177.176 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
195.3.113.178 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.56.180.178 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.147.210.179 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
62.39.229.180 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
212.183.222.181 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.77.15.182 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
82.142.157.182 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
83.61.148.184 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.190.253.184 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
82.217.97.185 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.165.218.185 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.64.8.187 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
195.20.106.191 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.107.186.195 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.13.15.202 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
194.78.199.202 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.105.44.210 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
60.237.217.211 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.65.173.222 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.61.224.224 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.152.208.225 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.45.15.226 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
89.132.25.228 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
80.224.245.229 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
88.73.137.230 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.131.52.233 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
217.151.136.233 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.178.227.233 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.142.37.237 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
211.213.208.237 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.72.57.238 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/3s )
82.253.27.239 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.24.126.240 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.61.40.244 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
200.227.72.245 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
201.21.132.246 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
217.23.182.246 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.61.12.247 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.19.245.252 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.40.16.254 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
62.21.114.254 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/3s )

INFO:
Status: Enabled for 0 days 00:02:57           Debug: Urgent
Hostid: 0x4a67045a

State Table                          Total             Rate
  current entries                      112
  searches                           34551          195.2/s
  inserts                             3658           20.7/s
  removals                            3546           20.0/s
Counters
  match                              15284           86.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                       350            2.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states        hard limit  10000
src-nodes     hard limit  10000
frags         hard limit   5000

TABLES:
foo

OS FINGERPRINTS:
293 fingerprints loaded

Could you suggest what I should do in this case?

--
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
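The following is an added example, not configuration from this thread or from the bruteforce page it cites: a minimal pf.conf that puts the rate-limiting rule, the overload table and the block rule in the order pf needs, with the pfctl checks to run afterwards as comments. The interface name em0, the service list and the limits are assumptions to be adjusted per host. Two details of the posted pfctl -s all output are worth reading against it. First, the loaded ruleset lists exactly one table, foo, so that is the table the block and overload rules refer to. Second, the source-tracking dump shows about 150 distinct addresses holding 0, 1 or 2 states each at rate 0.0/3s, and the counters show src-limit 0: no single source ever exceeded the per-source limit, so the overload rule never fired. max-src-conn-rate only acts on one address that crosses the threshold by itself; a flood spread over many addresses that each open one or two connections never trips it, however low the threshold is set.

```pf
# Added example, not the thread's own config. Assumptions: external
# interface em0, a web server on port 80, sshd on 22.
ext_if = "em0"
tcp_services = "{ 22, 80 }"

# The overload table. 'persist' keeps the table even when the ruleset is
# reloaded with no rule referencing it; 'file' preloads it at load time, so
# a cron job that runs
#   pfctl -t foo -T show > /etc/tables/foo
# carries its entries across reboots. The file must exist (it may be empty).
table <foo> persist file "/etc/tables/foo"

# Per-source limits do nothing against a flood spread over many addresses,
# so protect the state table itself as well: once it holds more than
# adaptive.start entries, pf scales all timeouts down, reaching zero at
# adaptive.end. Values here are assumptions for a 10000-state table.
set limit states 10000
set timeout { adaptive.start 6000, adaptive.end 12000 }

scrub in on $ext_if all

pass quick on lo0 all

block in log all
block out log all

# Must precede the pass rules and be 'quick': an address already in <foo>
# is dropped before any later rule can create a new state for it.
block in quick on $ext_if from <foo> to any

# Per-source limits on the web port:
#   max-src-conn 20        at most 20 completed TCP connections per address
#   max-src-conn-rate 3/3  at most 3 new connections per 3 seconds
# An address exceeding either is added to <foo>; 'flush global' also kills
# every state that address already holds, whichever rule created it.
# 3/3 is tight for a web server, since browsers open several parallel
# connections per page; measure normal clients before going this low.
pass in quick on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA synproxy state \
    (max-src-conn 20, max-src-conn-rate 3/3, \
     overload <foo> flush global)

# Remaining services, synproxied, without per-source limits.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Checks after 'pfctl -f /etc/pf.conf':
#   pfctl -s Tables                 foo must be listed
#   pfctl -t foo -T show            addresses that tripped a limit
#   pfctl -s Sources                per-source 'rate n/3s' counters
#   pfctl -s info | grep src-limit  becomes non-zero once a source was limited
#   pfctl -t foo -T expire 86400    from cron, on pfctl versions that have
#                                   'expire': drop entries older than a day
```

Reading the checks together tells you which of the two failure modes you are in: a non-empty <foo> with src-limit climbing means the limit fires but is too lax or the block rule sits in the wrong place; an empty <foo> with src-limit 0 while inserts/s stays high, as in the output above, means the traffic is spread across more sources than any per-source limit can see, and the state-table limits and adaptive timeouts are what keep the box up.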