Date:      Fri, 29 Dec 2006 14:05:36 +0300
From:      "Abdullah Al-Marrie" <almarrie@gmail.com>
To:        "Max Laier" <max@love2party.net>, "Jon Simola" <jsimola@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: rate limit with pf instead of IPFW
Message-ID:  <499c70c0612290305w11eee312ma02e482b69e77f01@mail.gmail.com>
In-Reply-To: <200611232013.41558.max@love2party.net>
References:  <499c70c0611231047k84747frf91def08d509cba6@mail.gmail.com> <8eea04080611231059x6e229d09lfd3f25965511d7ee@mail.gmail.com> <499c70c0611231101k68429053l40ec68712ca66263@mail.gmail.com> <200611232013.41558.max@love2party.net>

On 11/23/06, Max Laier <max@love2party.net> wrote:
> > On 11/23/06, Jon Simola <jsimola@gmail.com> wrote:
> > > > Greetings BPF gurus!
> > >
> > > PF? bpf is different and has little to do with firewalling.
> > >
> > > > Could someone please give me full example to setup
> > > > limit {src-addr | src-port | dst-addr | dst-port} to do what IPFW
> > > > 01000 allow tcp from any to me setup limit src-addr 5 currently
> > > > does
> > >
> > > I use something like this:
> > >
> > > pass in on $ext_if proto tcp from any to $ext_if port smtp flags S/SA
> > > keep state (source-track rule, max-src-states 5)
> > >
> > > --
> >
> > Greetings Jon,
> >
> > Could you please post your pf.conf with the rules so I can use it as a
> > guide?
> 
> If you are looking for a guide - I suggest reading the pf-faq on the
> OpenBSD site or Peter's great tutorial, available from:
> http://home.nuug.no/~peter/pf/  The topic in question, is discussed here:
> http://home.nuug.no/~peter/pf/en/bruteforce.html
> 
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

Thank you, Max and Jon, for your kind prompts to help me sort out this problem.

PF is very powerful, again thanks for porting it to FreeBSD. :)

I checked http://home.nuug.no/~peter/pf/en/bruteforce.html

I still didn't find anything in the FAQ that covers "table <bruteforce> persist". Do I need to create a file like /etc/bruteforce, or is there no need for that, and will the entries be stored in the kernel until they expire or I reboot the box?

Here is my pf.conf

# Macros: define common values, so they can be referenced and changed easily.
ext_if="fxp0"   # replace with actual external interface name i.e., dc0
int_if="fxp0"   # replace with actual internal interface name i.e., dc1
                # (int_if is defined but not used by any rule below)
tcp_services="{ 22, 25, 26, 53, 80, 110, 143, 443, 465, 783, 953, 993, 995, 3306, 59999 }"
udp_services="{ 53, 514 }"   # 514 is syslog, reachable from any source with this list
icmp_types="8"

# Tables: similar to macros, but more flexible for many addresses.
# 'persist' keeps <foo> defined even while no rule references it. Entries
# live in kernel memory only: no file is needed, they survive a reload of
# this pf.conf (the definition lists no addresses, so a reload leaves the
# contents alone), and they are gone after a reboot or 'pfctl -t foo -T flush'.
table <foo> persist
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
#scrub in all
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub in on $ext_if all no-df
scrub on $ext_if all reassemble tcp

# Filtering: pf evaluates rules last-match-wins, so these two catch-all rules
# are superseded by the 'block ... log all' rules below and only restate
# pf's default behaviour when no rule matches.
pass in all
pass out all

# Pass all 'quick' on localhost loopback device
pass quick on lo0 all

## Default DENY & Log filter rules
block in log all
block out log all

# Drop our 'foo' 'quick' with no reply or logging. 'quick' ends evaluation
# here, so an address that overload has added to <foo> cannot match any of
# the pass rules that follow.
block in quick on $ext_if from <foo> to any

# Drop our rfc1918 ranges
#block in quick on $ext_if from <rfc1918> to any

# Pass in rules for various services defined above. Using 'synproxy state' for
# basic DDoS mitigation on TCP services.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services flags S/SA synproxy state

# Rate-limit port 80: a source that completes more than 4 handshakes in 50
# seconds is added to <foo> and all of its states are killed ('flush global').
# Restricted to inbound traffic on $ext_if so that this host's own outbound
# HTTP is not counted against its own address. As the last rule matching port
# 80 it replaces the synproxy rule above for that port; to keep the SYN proxy
# write 'synproxy state (...)' here instead of 'keep state (...)'.
# Caveat: 4 connections per 50 seconds is tight for HTTP, since a browser
# opens several parallel connections for one page load.
pass in on $ext_if inet proto tcp from any to any port 80 \
        flags S/SA keep state \
        (max-src-conn-rate 4/50, \
         overload <foo> flush global)
# Pass UDP keeping state
pass in on $ext_if proto udp from any to $ext_if port $udp_services keep state

# Pass ICMP type 8 (echo request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Pass FTP control channel, and every inbound TCP port above 49151 for the
# passive data channel. The second rule also admits any other service that
# listens above 49151 (59999 from $tcp_services included, which then bypasses
# the synproxy rule); narrow it to the ftpd's configured passive port range.
pass in quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port > 49151 flags S/SA keep state

# Pass out rule allowing all with modulate state
pass out on $ext_if proto tcp all modulate state flags S/SA

# Pass out rules for UDP, ICMP
pass out on $ext_if proto { udp, icmp } all keep state

# End


Am I missing something? 

As su, I type "pfctl -t foo -Tl -f /etc/pf.conf", but it returns nothing.

I want to see the current IPs being blocked, since I used overload <foo>.



-- 
Regards,

-Abdullah
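Added example, not taken from this thread or from the pf project: a minimal pf.conf showing the overload-table pattern the message above is working towards, with the pfctl commands for inspecting and maintaining the table written as comments. It assumes an external interface named fxp0, sshd on port 22 and a web server on port 80 on the same host; the seed file /etc/pf.blocklist and the address 192.0.2.10 are hypothetical. Two facts about pf the example relies on: a 'persist' table has no backing file, its entries are held in kernel memory and survive a reload of pf.conf (when the definition lists no addresses) but not a reboot; and 'pfctl -T load' only (re)defines tables from pf.conf and prints nothing, whereas 'pfctl -t <table> -T show' lists what the table currently contains.

```pf
# Added example, not the poster's pf.conf: brute-force protection with an
# overload table, in the pf syntax of FreeBSD 6.x / OpenBSD 3.x-4.x.
# Assumptions: external interface fxp0; sshd on port 22 and a web server on
# port 80 on this host; /etc/pf.blocklist is a hypothetical, hand-maintained
# seed file (one address or network per line).
ext_if = "fxp0"

# Tables are kernel data structures. "persist" keeps a table defined even
# while no rule references it. Entries added by overload live in kernel
# memory only: they survive "pfctl -f /etc/pf.conf" (the definition below
# lists no addresses, so a reload leaves the contents alone) but are gone
# after a reboot or "pfctl -t bruteforce -T flush". A "file" clause seeds a
# table when the ruleset is loaded; pf never writes entries back to it.
table <bruteforce> persist
table <blocklist>  persist file "/etc/pf.blocklist"

set block-policy drop
scrub in on $ext_if all

pass quick on lo0 all
block in log all
pass out on $ext_if all keep state

# Offenders are dropped first and "quick", so no pass rule further down can
# let them back in; keep these above every pass rule that uses overload.
block in quick on $ext_if from <bruteforce> to any
block in quick on $ext_if from <blocklist> to any

# SSH: a source may hold at most 10 established connections and open at most
# 3 new ones per 30 seconds. Only completed 3-way handshakes count, so a
# spoofed SYN flood cannot get an innocent address listed. Exceeding either
# limit adds the source to <bruteforce>, and "flush global" kills every state
# it owns, ending its live sessions as well.
pass in on $ext_if proto tcp from any to $ext_if port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)

# HTTP: same pattern, with thresholds loose enough for a browser that opens
# several parallel connections per page. The options combine with
# "synproxy state" exactly as with "keep state".
pass in on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA synproxy state \
    (max-src-conn 60, max-src-conn-rate 100/10, \
     overload <bruteforce> flush global)

# Inspecting and managing the table, as root:
#   pfctl -nf /etc/pf.conf                   parse the file without loading it
#   pfctl -f /etc/pf.conf                    load rules and table definitions
#   pfctl -t bruteforce -T show              list the addresses in the table
#   pfctl -t bruteforce -T show -v           the same, with per-address counters
#   pfctl -s rules -v                        rule counters (which rule matched)
#   pfctl -t bruteforce -T add 192.0.2.10    block an address by hand
#   pfctl -t bruteforce -T delete 192.0.2.10 unblock it
#   pfctl -t bruteforce -T expire 86400      remove entries older than 24 hours;
#                                            pf does not expire them itself, so
#                                            run this from cron
#   pfctl -Tl -f /etc/pf.conf                (re)load table definitions only;
#                                            prints nothing, which is why
#                                            "-T show" is the command to list
```

To test the SSH rule from another machine, open more than three connections to port 22 within 30 seconds (for instance by repeating a rejected login); the client's address then appears in "pfctl -t bruteforce -T show" and all its states disappear from "pfctl -s states".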



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?499c70c0612290305w11eee312ma02e482b69e77f01>