From owner-freebsd-pf@FreeBSD.ORG Fri May 18 16:05:43 2007
Date: Fri, 18 May 2007 09:05:41 -0700
From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: Volker, freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
In-Reply-To: <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
References: <464D6880.2080306@vwsoft.com> <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> Thank you for the tip.
>
> Here is what I'm using, which fixed the issue.
>
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
>     flags S/SA synproxy state
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
>     flags S/SA keep state \
>     (max-src-conn 30, max-src-conn-rate 30/3, \
>     overload flush global)
> pass out proto tcp to any keep state
>
> Comments?

The first rule won't match anything (same criteria as the second rule, and last match wins with pf).

On the third rule, use 'flags S/SA' unless you have a good reason not to.

Kian
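The ruleset below is an added example illustrating the two points made in this reply; it is not from the original thread and is not Abdullah's or Kian's configuration. It folds the two identical-criteria `pass in` rules into a single rule that carries both `synproxy state` and the per-source limits, and puts `flags S/SA` on the outbound rule. The macro values for `ext_if` and `tcp_services` are placeholders, and the overload table name `<bruteforce>` is an assumption: the quoted rule's `overload ... flush global` has no table name visible, so one is supplied here purely so the fragment parses.

```pf
# Added example (not from the original posts). Macro values are placeholders.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Assumed table name; pf requires the table to exist before a rule refers to it.
table <bruteforce> persist

# Drop anything already in the overload table. 'quick' is essential: pf's
# default is last-matching-rule-wins, so without it the 'pass in' rule below
# would match the same packet later and override this block.
block in quick on $ext_if from <bruteforce>

# One rule instead of two with identical criteria (the earlier duplicate would
# never take effect). synproxy completes the TCP handshake in pf before the
# server sees the connection; the limits feed offending sources into <bruteforce>
# and 'flush global' kills every existing state from that source.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

# Outbound: only initial SYNs create state, as the reply recommends.
pass out on $ext_if proto tcp to any flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; this parses the ruleset without installing it. Two caveats a practitioner will want: `flush global` tears down states from the offending source that were created by any rule, not just this one, so a busy legitimate client that trips `max-src-conn-rate` loses all of its connections at once, and the `overload` table only grows unless entries are expired (for example with `pfctl -t bruteforce -T expire 3600` from cron).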