Date: Fri, 18 May 2007 20:42:20 +0300
From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Cc: Volker <volker@vwsoft.com>, freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
Message-ID: <499c70c0705181042p71287bebm42115abbe313b2b@mail.gmail.com>
In-Reply-To: <464DE3FD.1090808@mykitchentable.net>
References: <464D6880.2080306@vwsoft.com>
 <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
 <fee88ee40705180905q1017378ak588a2919dbec328b@mail.gmail.com>
 <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
 <464DE3FD.1090808@mykitchentable.net>

On 5/18/07, Drew Tomlinson <drew@mykitchentable.net> wrote:
> On 5/18/2007 9:54 AM Abdullah Ibn Hamad Al-Marri said the following:
> >
> > On 5/18/07, Kian Mohageri <kian.mohageri@gmail.com> wrote:
> >
> >> On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com> wrote:
> >> > Thank you for the tip.
> >> >
> >> > Here is what I'm using, which fixed the issue.
> >> >
> >> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> >> > flags S/SA synproxy state
> >> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> >> > flags S/SA keep state \
> >> > (max-src-conn 30, max-src-conn-rate 30/3, \
> >> > overload <bruteforce> flush global)
> >> > pass out proto tcp to any keep state
> >> >
> >> > Comments?
> >>
> >> The first rule won't match anything (same criteria as second rule, and
> >> last match wins with pf). On the third rule, use 'flags S/SA' unless
> >> you have a good reason not to.
> >>
> >> Kian
> >>
> >
> > I thought the first rule would defeat SYN floods.
> >
> > Is the second rule going to do the same job as the first rule and
> > prevent SYN floods?
> >
> > As for the third rule's syntax, should I make it like this?
> >
> > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > same for udp?
> >
> > "pass out proto udp to any flags S/SA keep state" ?
>
> AFAIK, no reason to set flags on udp traffic. Only tcp traffic has flags.
>
> Cheers,
>
> Drew
>
> --
> Be a Great Magician!
> Visit The Alchemist's Warehouse
>
> http://www.alchemistswarehouse.com

Ok, how about it now?

ext_if="fxp0"
int_if="lo0"

tcp_services = "{ domain, www, 123, 5999, 7325, 7771, 59999 }"
udp_services = "{ domain, 123, 514 }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              240.0.0.0/4 }"

icmp_types = "8"

table <bruteforce> persist

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on $int_if
set optimization normal
set block-policy drop
set require-order yes
set debug loud
#set fingerprints "/etc/pf.os"

scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if all reassemble tcp

antispoof for $ext_if inet
antispoof for $int_if

block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block quick log from <bruteforce>

# Pass ICMP type 8 (echo-request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

pass proto udp to any port $udp_services keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any \
    port 33433 >< 33626 keep state

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
    overload <bruteforce> flush global)
pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state

# End

Is it okay now, or shall I do more tweaks?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
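An added illustration of the "last match wins" point raised earlier in the thread, written for this archive page and not taken from any poster's ruleset. It shows the two-rule version quoted above, in which the synproxy rule is evaluated but its action is overridden by the later keep-state rule, next to a single rule that combines both behaviours. It assumes pf.conf(5) grammar in which state options may follow `synproxy state` (true of pf since the OpenBSD 3.7 import, which FreeBSD 6.x carries); the macro and table names are reused from the ruleset above.

```pf
# Added example (not part of this thread). Minimal macros so the rules
# below can be loaded on their own for a syntax check.
ext_if = "fxp0"
tcp_services = "{ domain, www }"
table <bruteforce> persist

# Sources that tripped the limits are dropped before any pass rule is seen.
block quick log from <bruteforce>

# Shadowed version (kept commented out): both rules match the same SYNs and
# neither is 'quick', so pf applies the LAST matching rule. The synproxy
# rule is therefore never the one that creates the state.
#pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
#    flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
#    flags S/SA keep state \
#    (max-src-conn 30, max-src-conn-rate 30/3, \
#    overload <bruteforce> flush global)

# Merged version: the SYN proxy (pf completes the handshake before the
# backend sees the connection) and the per-source limits live in one rule.
# 'quick' makes this the final decision for matching packets, so a later
# rule cannot silently replace it again.
pass in quick on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
    overload <bruteforce> flush global)
```

`pfctl -nf <file>` parses a ruleset without loading it, which is enough to confirm the combined rule is accepted on a given pf version; `pfctl -t bruteforce -T show` lists the sources the overload clause has added. Two caveats a practitioner would want: `max-src-conn-rate 30/3` counts new connections per source address, so many clients behind one NAT gateway share a single budget and can be blocked together, and `flush global` tears down every state from the offending source, not only those created by this rule.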