From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 12:45:22 2007
From: Xin LI <delphij@delphij.net>
To: Abdullah Ibn Hamad Al-Marri
Cc: FreeBSD PF Pro List <freebsd-pf@freebsd.org>
Subject: Re: Flush ICMP and UDP flooders
Date: Thu, 28 Jun 2007 20:45:04 +0800
Message-ID: <4683AD50.4020707@delphij.net>
In-Reply-To: <499c70c0706280400p57a0ab78xd3b75d7857bca4b2@mail.gmail.com>
References: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com> <468393F9.2030805@delphij.net> <499c70c0706280400p57a0ab78xd3b75d7857bca4b2@mail.gmail.com>
User-Agent: Thunderbird 2.0.0.4 (X11/20070615)
OpenPGP: url=http://www.delphij.net/delphij.asc
List-Id: "Technical discussion and general questions about packet filter (pf)"

Abdullah Ibn Hamad Al-Marri wrote:
[...]
>> I think ICMP and UDP can have their originating address forged, so this
>> will effectively construct a true remote triggerable DoS...
>
> Thank you Li,
>
> I set antispoof in my pf.conf for the nic, would these rules help or
> not? Do you have suggestions about the values? I run bind on the
> servers.

No. antispoof is for another use. To put it simply, it is something like
"Don't bother to handle a packet which should not come from the specified
interface".

An example of use might be, say, you have two NICs: em0 and em1. em0 is
connected to the Internet, and em1 is connected to a private subnet
192.168.0.0/24. The two networks are not inter-connected. antispoof on
em1 means that if em0 receives a packet which claims to be from
192.168.0.0/24, then drop it.

ICMP and UDP protocols are, however, not designed for you to be able to
distinguish whether the source address is forged. Thus, using the state
table can sometimes be a true DoS: an attacker can just exhaust the table
resource and render your network non-responsive. So be careful...

Cheers,
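The two points in the reply above, what `antispoof` actually expands to and how a spoofed UDP/ICMP flood can exhaust the state table, as an added pf.conf example. This is not part of the original message or of Xin LI's own ruleset: the interface names em0/em1 and the 192.168.0.0/24 subnet are taken from the e-mail, while the macro names, the BIND server address (203.0.113.10, a documentation address) and every numeric limit are assumed values that would have to be tuned for a real box.

```pf
# Added example, not from the original message. em0 faces the Internet,
# em1 the private subnet 192.168.0.0/24 (as in the e-mail); the macros,
# the server address and all limits below are assumptions.

ext_if  = "em0"
int_if  = "em1"
dns_srv = "203.0.113.10"   # assumed public address of the BIND server

# Global state-table cap and short lifetimes for UDP/ICMP entries:
# a forged-source flood can create one entry per packet, so bound the
# table and let half-open entries expire fast.
set limit states 20000
set timeout { udp.first 30, udp.single 15, udp.multiple 30 }
set timeout { icmp.first 10, icmp.error 5 }
# Scale all timeouts down linearly once the table is 60% full, reaching
# zero at the limit itself.
set timeout { adaptive.start 12000, adaptive.end 20000 }

# Per pf.conf(5), "antispoof for em1 inet" expands to roughly:
#   block drop in on ! em1 inet from 192.168.0.0/24 to any
#   block drop in inet from 192.168.0.1 to any
# i.e. a packet arriving on em0 that claims a 192.168.0.0/24 source is
# dropped. It says nothing about a forged source that is not one of
# this host's own networks, which is the flood case discussed above.
antispoof quick for $int_if inet
antispoof quick for lo0

block in all

# DNS over UDP: the reply is sent to whatever source the query claimed,
# so a state entry buys nothing against spoofed queries and only fills
# the table. Stateless rules avoid creating entries at all. (On current
# FreeBSD pf state is kept by default and "no state" switches it off;
# on the 2007-era pf this thread was written against, simply leaving
# out "keep state" has the same effect.)
pass in  quick on $ext_if inet proto udp from any to $dns_srv port 53 no state
pass out quick on $ext_if inet proto udp from $dns_srv port 53 to any no state

# Where state is wanted anyway (e.g. ping), bound how many entries this
# one rule may hold. max-src-states would not help here: with forged
# sources every packet looks like a new client.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state (max 500)

# Ordinary outbound traffic from the host itself.
pass out on $ext_if inet proto { tcp udp icmp } from $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -si` (the "current entries" line under States) while a UDP flood is running: if the count climbs toward the limit, the stateful rules are the ones that still need to go stateless or get a lower `max`.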