From owner-freebsd-questions@FreeBSD.ORG Mon Sep 22 04:54:58 2008
Date: Mon, 22 Sep 2008 06:54:56 +0200
From: "Redd Vinylene"
To: questions@freebsd.org, misc@openbsd.org
Cc: larsnooden@ekiga.net, bsdly@bsdly.net
Subject: Re: pf to block against DDoS?
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions

> > > > From: Redd Vinylene
> > > > To: ,
> > > > Subject: pf to block against DDoS?
> > > > Date: Thursday, September 4, 2008 - 3:23 pm
> > > >
> > > > Hello hello!
> > > >
> > > > I was quite shocked today when I heard I could use pf to block against DDoS
> > > > attacks, using Stateful Tracking Options,
> > > > http://www.openbsd.org/faq/pf/filter.html#stateopts.
> > > >
> > > > But does anybody have any nice setups of this they'd want to share?
> > > >
> > >
> > > From: Oliver Peter
> > > To: Redd Vinylene
> > > Cc: ,
> > > Subject: Re: pf to block against DDoS?
> > > Date: Thursday, September 4, 2008 - 4:20 pm
> > >
> > > ... nice cross-post.
> > >
> > > I can recommend reading through this as well:
> > > http://www.bgnett.no/~peter/pf/en/bruteforce.html
> > >
> > > --
> > > Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
> > > "If it feels good, you're doing something wrong."
> > > -- Coach McTavish
> > >
> >
> > From: Peter N. M. Hansteen
> > To: Oliver Peter
> > Cc: Redd Vinylene , ,
> > Subject: Re: pf to block against DDoS?
> > Date: Friday, September 5, 2008 - 1:54 am
> >
> > Thanks for recommending that! However I would generally recommend the
> > maintained version which is up at <http://home.nuug.no/~peter/pf/>,
> > with the direct link to the part about state tracking and bruteforcers
> > at <http://home.nuug.no/~peter/pf/en/bruteforce.html>.
> >
> > (and of course there's the book, nudge, nudge)
> >
> > - P
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
>
> From: Lars Noodén
> To: Oliver Peter
> Cc: Redd Vinylene ,
> Subject: Re: pf to block against DDoS?
> Date: Thursday, September 4, 2008 - 4:50 pm
>
> You can also use two tables so that the first overload gets shunted to a
> slow queue and given a second chance before ending up in the second
> table which gets blocked.
>
> -Lars

Much obliged to all y'all gentlemen for your valuable design insight.

Now, is there anything more I can do to secure my webserver from attacks? Or perhaps my pf.conf can be simplified / beautified?

Peter N. M. Hansteen: Did I follow your tutorial correctly?

Lars Noodén: Would you happen to have an example of that?

My pf.conf now looks like this:

---
ext_if = "rl0"
int_if = "ep0"

set block-policy return
set skip on { lo0 }

scrub in

# table name is a placeholder: the original name did not survive the archived copy
table <bruteforce> persist

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 30000 -> 192.168.187.2 port 30000

pass out keep state
pass quick on $int_if

block in
block quick from <bruteforce>

# sources exceeding the connection limits are added to the table and their states flushed
pass in on $ext_if inet proto tcp from any to any port { 20, 21, 25, 53, 113, 30000:35000 } keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp from any to any port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in on $ext_if inet proto udp from any to any port 53 keep state
pass in on $ext_if inet proto icmp from any to any keep state
---

Have a great week! Cheers!

-- 
http://www.home.no/reddvinylene
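As an added example (not Redd's config, and not code from Lars's or Peter's posts), here is one way to realise Lars's two-table idea in pf.conf: a first overload moves the offending source into <slow>, where its connections are still accepted but under a much tighter rate limit and with replies shaped through a small ALTQ queue; a second overload while in <slow> moves the source into <bruteforce>, which is blocked outright. The interface name, table names, queue names, bandwidth figures and thresholds are all assumptions chosen for illustration.

```pf
# Added example: a two-stage "second chance" overload design for pf.
# Interface, table names, queue names and thresholds are assumptions.
ext_if = "rl0"

# Stage 1: sources that tripped the first limit (still served, but throttled).
# Stage 2: sources that tripped the limit again while throttled (blocked).
table <slow> persist
table <bruteforce> persist

# A small ALTQ queue for throttled sources. ALTQ shapes outbound traffic, so
# replies to connections opened from <slow> leave $ext_if through slowq;
# everything else uses the default queue.
altq on $ext_if cbq bandwidth 10Mb queue { std, slowq }
queue std bandwidth 95% cbq(default)
queue slowq bandwidth 5% cbq

set block-policy return
set skip on { lo0 }
scrub in

block in
block quick from <bruteforce>

# Normal ssh rule: more than 5 new connections in 3 seconds from one source,
# or more than 15 open at once, moves that source into <slow> and drops
# its existing states.
pass in on $ext_if inet proto tcp from any to any port 22 \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <slow> flush global)

# Second chance: sources already in <slow> still get ssh, but throttled and
# with a far tighter limit. pf applies the last matching rule, so for
# addresses in <slow> this rule wins over the one above. Tripping it moves
# the source into <bruteforce>, where the block quick rule takes over.
pass in on $ext_if inet proto tcp from <slow> to any port 22 \
    keep state (max-src-conn 3, max-src-conn-rate 2/30, overload <bruteforce> flush global) \
    queue slowq

pass out keep state
```

The "second chance" only means something if entries eventually leave <slow> again, so pair this with a periodic `pfctl -t slow -T expire 1800` (and a longer `pfctl -t bruteforce -T expire 86400`) from cron; `pfctl -t slow -T show` lists who is currently throttled, which is a useful thing to watch while tuning the thresholds. The altq and queue lines need ALTQ support in the kernel (on FreeBSD, `options ALTQ` and `options ALTQ_CBQ`); without it, drop those three lines and the `queue slowq` clause, and the two-table escalation still works on its own.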