From owner-freebsd-pf@FreeBSD.ORG Fri May 18 17:36:04 2007
Message-ID: <464DE3FD.1090808@mykitchentable.net>
Date: Fri, 18 May 2007 10:35:57 -0700
From: Drew Tomlinson
To: Abdullah Ibn Hamad Al-Marri
Cc: Volker, freebsd-pf@freebsd.org
References: <464D6880.2080306@vwsoft.com> <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com> <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
In-Reply-To: <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
Subject: Re: Best way to decrease DDoS with pf.
On 5/18/2007 9:54 AM Abdullah Ibn Hamad Al-Marri said the following:
> On 5/18/07, Kian Mohageri wrote:
>
>> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
>> > Thank you for the tip.
>> >
>> > Here is what I'm using, which fixed the issue.
>> >
>> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
>> > flags S/SA synproxy state
>> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
>> > flags S/SA keep state \
>> > (max-src-conn 30, max-src-conn-rate 30/3, \
>> > overload flush global)
>> > pass out proto tcp to any keep state
>> >
>> > Comments?
>>
>> The first rule won't match anything (same criteria as second rule, and
>> last match wins with pf). On the third rule, use 'flags S/SA' unless
>> you have a good reason not to.
>>
>> Kian
>>
>
> I thought the first rule would defeat SYN floods.
>
> Is the second rule going to do the same job as the first rule and will
> it prevent SYN floods?
>
> As for the third rule's syntax, should I make it like this?
>
> "pass out proto tcp to any flags S/SA keep state" and shall I add the
> same for udp?
>
> "pass out proto udp to any flags S/SA keep state" ?

AFAIK, no reason to set flags on udp traffic. Only tcp traffic has flags.

Cheers,

Drew

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com
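As an added illustration of the three points raised in this thread (last-match-wins shadowing the synproxy rule, what the per-source limits do versus what synproxy does, and flags on UDP), here is a pf.conf fragment that is not from the original posts or from any of the posters. `$ext_if` and `$tcp_services` are the macros used in the quoted rules; the interface and port values assigned to them, the table name `<flood>`, and the use of `quick` on the block rule are assumptions made for this example.

```pf
# Added example, not from the original thread. $ext_if and $tcp_services are
# the macros used in the quoted rules; their values, the <flood> table name and
# the "quick" keyword are assumptions made for this illustration.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Sources that exceed the per-source limits are added to this table by the
# overload clause; "persist" keeps the table defined even when it is empty.
table <flood> persist

# Offenders are dropped here. "quick" ends evaluation on match, so no later
# "pass" rule can override this block under pf's last-match-wins semantics.
block in quick on $ext_if from <flood>

# WEAK FORM (the shape of the rules as posted): two rules with identical match
# criteria. Because the last matching rule wins, the synproxy rule is shadowed
# and only the second rule ever applies, so the SYN proxy never runs.
#   pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
#       flags S/SA synproxy state
#   pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
#       flags S/SA keep state \
#       (max-src-conn 30, max-src-conn-rate 30/3, overload <flood> flush global)

# CORRECTED FORM: one rule carrying both mechanisms. synproxy makes pf complete
# the three-way handshake itself and only then open a connection to the
# server, so half-open SYNs never consume server resources. The state options
# are a separate, per-source control: at most 30 concurrent connections and
# at most 30 new connections per 3 seconds from one address; a source that
# exceeds either is placed in <flood> and "flush global" removes all of its
# existing states, including states created by other rules.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, overload <flood> flush global)

# Outbound TCP: "flags S/SA" so that only an initial SYN creates state.
pass out on $ext_if proto tcp to any flags S/SA keep state

# UDP has no TCP flags, so the UDP rule carries no "flags" clause.
pass out on $ext_if proto udp to any keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. `pfctl -t flood -T show` lists the sources currently held in the table, which is the quickest way to confirm that the overload clause is actually firing during a flood; entries can be removed with `pfctl -t flood -T delete <address>` or the whole table cleared with `pfctl -t flood -T flush`.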