Date:      Fri, 29 Dec 2006 14:38:52 +0100
From:      Max Laier <max@love2party.net>
To:        "Abdullah Al-Marrie" <almarrie@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: rate limit with pf instead of IPFW
Message-ID:  <200612291438.58733.max@love2party.net>
In-Reply-To: <499c70c0612290305w11eee312ma02e482b69e77f01@mail.gmail.com>
References:  <499c70c0611231047k84747frf91def08d509cba6@mail.gmail.com> <200611232013.41558.max@love2party.net> <499c70c0612290305w11eee312ma02e482b69e77f01@mail.gmail.com>

On Friday 29 December 2006 12:05, Abdullah Al-Marrie wrote:
> On 11/23/06, Max Laier <max@love2party.net> wrote:
> > > On 11/23/06, Jon Simola <jsimola@gmail.com> wrote:
> > > > > Greetings BPF gurus!
> > > >
> > > > PF? bpf is different and has little to do with firewalling.
> > > >
> > > > > Could someone please give me full example to setup
> > > > > limit {src-addr | src-port | dst-addr | dst-port} to do what
> > > > > IPFW 01000 allow tcp from any to me setup limit src-addr 5
> > > > > currently does
> > > >
> > > > I use something like this:
> > > >
> > > > pass in on $ext_if proto tcp from any to $ext_if port smtp flags
> > > > S/SA keep state (source-track rule, max-src-states 5)
> > > >
> > > > --
> > >
> > > Greetings Jon,
> > >
> > > Could you please post your pf.conf with the rules so I can use it
> > > as a guide?
> >
> > If you are looking for a guide - I suggest reading the pf-faq on the
> > OpenBSD site or Peter's great tutorial, available from:
> > http://home.nuug.no/~peter/pf/  The topic in question is discussed
> > here: http://home.nuug.no/~peter/pf/en/bruteforce.html
> >
> > --
> > /"\  Best regards,                      | mlaier@freebsd.org
> > \ /  Max Laier                          | ICQ #67774661
> >  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> > / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>
> Thank you Max, and Jon for your kind prompts to help me to sort this
> problem.
>
> PF is very powerful, again thanks for porting it to FreeBSD. :)
>
> I checked http://home.nuug.no/~peter/pf/en/bruteforce.html
>
> I still didn't find something in the faq covers table <bruteforce>
> persist , do I need to create a file like /etc/bruteforce or no need
> for that and will be stored in kernel until they expire or I reboot the
> box?

You can *load* a table from a file; pf.conf(5) has the syntax to do so.
Afterwards the table exists in kernel memory and all updates only happen
there (and are not written back to the file).  There are tools that help
with that, however.

> Here is my pf.conf
...
> # Tables: similar to macros, but more flexible for many addresses.
> table <foo> persist
...
> # End
>
> Am I missing something?

You probably want a "block ... from <foo>" rule somewhere in order for the
thing to take effect.

> as su I type pfctl -t foo -Tl -f /etc/pf.conf but it returns nothing.
>
> I want to see the current IPs being blocked since I used overload <foo>

Read the pfctl(8) manpage.  You are reloading the table from the pf.conf
file - which causes it to be empty.  In order to show the contents, you
need something like:

pfctl -t foo -Tshow  # a couple of "-v" gives nice statistics as well

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
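
As an added example (not code from the thread, from pf or from pfctl), here are the pieces the reply above points at, collected in one place: a persist table seeded from a file, the "block ... from <table>" rule that makes the table do anything, a pass rule whose source-track/overload options fill it, and the pfctl "-T show" / "-T expire" commands, plus a small parser for "pfctl -t <table> -T show -v" output so the blocked addresses can be ranked and aged out from a script. The table name <bruteforce>, the interface em0, the seed file /etc/bruteforce, the rule limits and the sample pfctl output are all constructed for illustration; the exact layout of the -v output is assumed from pfctl's print format, so the parser is written to tolerate spacing differences.

```python
"""Overload-table helpers for the pf.conf / pfctl discussion above.

Added example; names, paths and the sample pfctl output are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Ruleset tying the pieces together.  "persist file" seeds the table from
# /etc/bruteforce at load time; entries that "overload" adds later live only
# in kernel memory and are never written back.  Without the "block ... from
# <bruteforce>" rule, filling the table has no effect.  Options are those in
# pf.conf(5); "flush global" also kills the offender's existing states.
PF_CONF = r'''
ext_if = "em0"                         # assumption: your outside interface
table <bruteforce> persist file "/etc/bruteforce"
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)
'''

# "-T load" (-Tl) re-reads the table *definitions* from pf.conf and replaces
# the kernel contents, which is why it shows an empty table.  "-T show" lists
# the contents; "-T expire N" deletes entries whose statistics were cleared
# more than N seconds ago (pfctl(8)).
PFCTL_SHOW = "pfctl -t bruteforce -T show -v"
PFCTL_EXPIRE = "pfctl -t bruteforce -T expire 86400"

# Constructed sample of `pfctl -t bruteforce -T show -v`: an address line
# (optional one-letter feedback flag, "!" for negated entries), a ctime(3)
# "Cleared:" stamp, then four counter lines.
SAMPLE_SHOW_V = """\
   192.0.2.7
   Cleared:     Fri Dec 29 13:10:02 2006
   In/Block:    [ Packets: 412                Bytes: 24720              ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.23
   Cleared:     Fri Dec 29 14:30:41 2006
   In/Block:    [ Packets: 9                  Bytes: 540                ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
  !203.0.113.0/24
   Cleared:     Thu Dec 28 09:00:00 2006
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 1500               Bytes: 120000             ]
   Out/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
"""
SAMPLE_NOW = datetime(2006, 12, 29, 14, 38, 52)  # constructed "now" for the sample


@dataclass
class TableEntry:
    address: str                      # host or network as pfctl printed it
    negated: bool                     # "!" entries are exceptions inside a wider block
    cleared: Optional[datetime] = None
    packets: dict = field(default_factory=dict)   # e.g. {"In/Block": 412, ...}
    bytes: dict = field(default_factory=dict)


_ADDR_RE = re.compile(r'^\s*(?:[MADCZXY?]\s)?\s*(!?)([0-9a-fA-F.:]+(?:/\d{1,3})?)\s*$')
_CLEARED_RE = re.compile(r'^\s*Cleared:\s*(.+?)\s*$')
_STAT_RE = re.compile(r'^\s*(\S+):\s*\[\s*Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s*\]')


def parse_show_verbose(text):
    """Parse `pfctl -t <table> -T show -v` output into TableEntry objects."""
    entries, cur = [], None
    for line in text.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            try:                       # only accept tokens that really are addresses
                ipaddress.ip_network(m.group(2), strict=False)
            except ValueError:
                m = None
        if m:
            cur = TableEntry(address=m.group(2), negated=(m.group(1) == "!"))
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = _CLEARED_RE.match(line)
        if m:                          # ctime pads the day ("Dec  1"); collapse spaces
            stamp = " ".join(m.group(1).split())
            cur.cleared = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            continue
        m = _STAT_RE.match(line)
        if m:
            cur.packets[m.group(1)] = int(m.group(2))
            cur.bytes[m.group(1)] = int(m.group(3))
    return entries


def top_blockers(entries):
    """Addresses ordered by inbound packets the table caused to be blocked."""
    ranked = [(e.address, e.packets.get("In/Block", 0)) for e in entries]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def expired(entries, max_age_seconds, now):
    """Addresses that `pfctl -T expire max_age_seconds` would delete at `now`."""
    return [e.address for e in entries
            if e.cleared is not None
            and (now - e.cleared).total_seconds() > max_age_seconds]


if __name__ == "__main__":
    table = parse_show_verbose(SAMPLE_SHOW_V)
    for addr, blocked in top_blockers(table):
        print(f"{addr:<20} inbound packets blocked: {blocked}")
    print("would expire with -T expire 3600:", expired(table, 3600, SAMPLE_NOW))
```

On a box running pf you would feed the real output in (`pfctl -t bruteforce -T show -v | python3 script.py` with a stdin read in place of SAMPLE_SHOW_V); here it runs over the constructed sample. The "Cleared" timestamp is the one `-T expire` keys on, so `expired()` predicts exactly which entries a cron job running PFCTL_EXPIRE would remove.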
