Date: Fri, 29 Dec 2006 14:38:52 +0100
From: Max Laier <max@love2party.net>
To: "Abdullah Al-Marrie" <almarrie@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: rate limit with pf instead of IPFW
Message-ID: <200612291438.58733.max@love2party.net>
In-Reply-To: <499c70c0612290305w11eee312ma02e482b69e77f01@mail.gmail.com>
References: <499c70c0611231047k84747frf91def08d509cba6@mail.gmail.com> <200611232013.41558.max@love2party.net> <499c70c0612290305w11eee312ma02e482b69e77f01@mail.gmail.com>
On Friday 29 December 2006 12:05, Abdullah Al-Marrie wrote:
> On 11/23/06, Max Laier <max@love2party.net> wrote:
> > > On 11/23/06, Jon Simola <jsimola@gmail.com> wrote:
> > > > > Greetings BPF gurus!
> > > >
> > > > PF? bpf is different and has little to do with firewalling.
> > > >
> > > > > Could someone please give me full example to setup
> > > > > limit {src-addr | src-port | dst-addr | dst-port} to do what
> > > > > IPFW 01000 allow tcp from any to me setup limit src-addr 5
> > > > > currently does
> > > >
> > > > I use something like this:
> > > >
> > > > pass in on $ext_if proto tcp from any to $ext_if port smtp flags
> > > > S/SA keep state (source-track rule, max-src-states 5)
> > > >
> > > > --
> > >
> > > Greetings Jon,
> > >
> > > Could you please post your pf.conf with the rules so I can use it
> > > as a guide?
> >
> > If you are looking for a guide - I suggest reading the pf-faq on the
> > OpenBSD site or Peter's great tutorial, available from:
> > http://home.nuug.no/~peter/pf/ The topic in question, is discussed
> > here: http://home.nuug.no/~peter/pf/en/bruteforce.html
> >
> > --
> > /"\ Best regards, | mlaier@freebsd.org
> > \ / Max Laier | ICQ #67774661
> > X http://pf4freebsd.love2party.net/ | mlaier@EFnet
> > / \ ASCII Ribbon Campaign | Against HTML Mail and News
>
> Thank you Max, and Jon for your kind prompts to help me to sort this
> problem.
>
> PF is very powerful, again thanks for porting it to FreeBSD. :)
>
> I checked http://home.nuug.no/~peter/pf/en/bruteforce.html
>
> I still didn't find something in the FAQ that covers table <bruteforce>
> persist. Do I need to create a file like /etc/bruteforce, or is there no
> need for that and it will be stored in the kernel until they expire or I
> reboot the box?
You can *load* a table from a file; pf.conf(5) has the syntax to do so.
Afterwards the table exists in kernel memory and all updates only happen
there (and are not written back to the file). There are tools that help
with that, however.
> Here is my pf.conf
...
> # Tables: similar to macros, but more flexible for many addresses.
> table <foo> persist
...
> # End
>
> Am I missing something?
You probably want a "block ... from <foo>" rule somewhere in order for the
thing to take effect.
> As su I type pfctl -t foo -Tl -f /etc/pf.conf but it returns nothing.
>
> I want to see the current IPs being blocked since I used overload <foo>
Read the pfctl(8) manpage. You are reloading the table from the pf.conf
file - which causes it to be empty. In order to show the contents, you
need something like:
pfctl -t foo -Tshow # a couple of "-v" gives nice statistics as well
--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
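Added here as an illustration, not part of Max's reply or of Peter's tutorial: a pf.conf fragment that puts the three points of this thread together (a persist table lives only in kernel memory, a block rule must consume it, and pfctl -T show rather than a reload is what reads it back). The interface name, table name, port and limits are assumptions.

```pf
# Added example (not from the thread). $ext_if, the table name, the port
# and the limits are assumed values; adjust to taste.
ext_if = "em0"

# The table exists only in kernel memory. "persist" keeps it around even
# while no rule references it; nothing is ever written back to a file.
table <bruteforce> persist

# Without a rule that uses the table, entries added by "overload" have no
# effect. "quick" makes this match win over the pass rule below.
block in quick on $ext_if from <bruteforce>

# Track state per source address: more than 5 new connections within 30
# seconds, or more than 10 concurrent, from one host adds that host to
# <bruteforce>; "flush global" also tears down its existing states.
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# Inspect the kernel copy of the table (repeat -v for hit statistics):
#   pfctl -t bruteforce -T show -vv
# Remove one address, or drop entries older than a day (86400 s):
#   pfctl -t bruteforce -T delete 192.0.2.10
#   pfctl -t bruteforce -T expire 86400
```

Running pfctl -t bruteforce -T load -f /etc/pf.conf instead would replace the kernel table with the (empty) definition from the file, which is why the thread's -Tl invocation showed nothing.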