From owner-freebsd-pf@FreeBSD.ORG Fri May 18 21:37:12 2007
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4217C16A40B; Fri, 18 May 2007 21:37:12 +0000 (UTC) (envelope-from almarrie@gmail.com)
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.246]) by mx1.freebsd.org (Postfix) with ESMTP id F134C13C458; Fri, 18 May 2007 21:37:11 +0000 (UTC) (envelope-from almarrie@gmail.com)
Received: by an-out-0708.google.com with SMTP id d23so259026and; Fri, 18 May 2007 14:37:11 -0700 (PDT)
Message-ID: <499c70c0705181437t719f373o2c933bba6349cc53@mail.gmail.com>
Date: Sat, 19 May 2007 00:37:11 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: "Kian Mohageri"
References: <464D6880.2080306@vwsoft.com>
	<499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
	<499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
	<499c70c0705181353y63c31c0dv55c5bdbbf259291c@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/19/07, Kian Mohageri wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > On 5/18/07, Kian Mohageri wrote:
> > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > On 5/18/07, Kian Mohageri wrote:
> > > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > > > > > Thank you for the tip.
> > > > > >
> > > > > > Here's what I'm using, which fixed the issue.
> > > > > >
> > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > > >     flags S/SA synproxy state
> > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > > >     flags S/SA keep state \
> > > > > >     (max-src-conn 30, max-src-conn-rate 30/3, \
> > > > > >     overload flush global)
> > > > > > pass out proto tcp to any keep state
> > > > > >
> > > > > > Comments?
> > > > >
> > > > > The first rule won't match anything (same criteria as the second rule, and
> > > > > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > > > > you have a good reason not to.
> > > > >
> > > > > Kian
> > > >
> > > > I thought the first rule would defeat a SYN flood.
> > > >
> > > > Is the second rule going to do the same job as the first rule and
> > > > prevent a SYN flood?
> > >
> > > The rules are different, obviously, but the criteria match the same
> > > traffic. Because PF will apply the last matching rule by default
> > > (unless 'quick' is used), your first rule will never be applied. You
> > > could use synproxy state on the second rule, and remove the first
> > > entirely.
> > >
> > > > As for the third rule's syntax, should I make it like this?
> > > >
> > > > "pass out proto tcp to any flags S/SA keep state", and shall I add the
> > > > same for UDP?
> > > >
> > > > "pass out proto udp to any flags S/SA keep state" ?
> > >
> > > If you only want to pass UDP and TCP, then you can do something like this:
> > >
> > > pass out proto tcp to any flags S/SA keep state
> > > pass out proto udp to any keep state
> > >
> > > Kian
> >
> > Alright, can you give me synproxy in the first line entry? I tried to
> > add it, and I get an error.
>
> No? I'm confused about what you're asking for. Paste what you tried first.

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
    overload flush global)

I added synproxy after S/SA to the rule, but the rules didn't load and it says it's wrong.

-- 
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
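The ruleset that Kian's replies converge on (one inbound rule carrying both synproxy and the source-tracking limits, plus the two outbound rules), written out as an added example that is not the ruleset posted in the thread. The interface name, the service list and the <flooders> table are assumptions; pf.conf(5) takes state options after "synproxy state" exactly as after "keep state".

```conf
# Added example, not from the thread. Macros and table name are assumed.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Sources that trip the overload limits below are collected here.
table <flooders> persist

# Drop known flooders before any pass rule can match them.
block in quick on $ext_if from <flooders> to any

# A single inbound rule. With last-match-wins evaluation, a separate
# "synproxy state" rule ahead of this one would be shadowed and never
# applied, so synproxy and the state options belong on the same rule.
#   synproxy state:          pf answers the SYN and completes the
#                            handshake itself; a state toward the host
#                            exists only once the client finishes it,
#                            so spoofed-source SYNs never reach it.
#   max-src-conn 30:         at most 30 concurrent states per source.
#   max-src-conn-rate 30/3:  at most 30 new connections per 3 seconds.
#   overload <flooders> flush global: offenders go into the table and
#                            all their states, from any rule, are killed.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <flooders> flush global)

# Outbound: flags S/SA on TCP so only a SYN creates state;
# UDP has no flags, so it just keeps state.
pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
```

The thread does not show the error the author got, so validate a candidate ruleset with `pfctl -nf /etc/pf.conf` (parse only, no load) before loading it. Table entries added by overload do not age out by themselves; `pfctl -t flooders -T expire 3600` removes entries older than an hour.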