From owner-freebsd-pf@FreeBSD.ORG Wed May 9 16:38:42 2007
Message-ID: <4641F8EC.4@vwsoft.com>
Date: Wed, 09 May 2007 18:38:04 +0200
From: Volker <volker@vwsoft.com>
To: Abdullah Ibn Hamad Al-Marri
Cc: freebsd-pf@freebsd.org
In-Reply-To: <499c70c0705090823n49cc1897u24a8ccbb7e57b429@mail.gmail.com>
Subject: Re: PF and GeoIP to update country table?
On 05/09/07 17:23, Abdullah Ibn Hamad Al-Marri wrote:
[snip]
>> Unfortunately I'm unable to imagine if it's a nice or really, really bad
>> idea to block certain countries. It sounds like a Chinese wall. If the
>> machine in question is a web server, it might be a hardly bad idea and
>> would lead into another dimension of separating the world.
>> [snip]
> There are Arabs and people who speak and read Arabic in the other countries,
> but I have to lose them since the forum is getting 24/7 hits by
> Arabic script kiddies who think they are elite and will flood it with
> fake HTTP requests which kill the MySQL server right away.
>
> The problem is they have tons of bots running on M$ systems, and I have
> only 2 choices:
> shut down the forum, or block other countries' IPs. If you were in my
> place, what would you do?

Abdullah,

what do these attacks look like? Is it script-driven MASS-posting? How frequent?

You may probably use pf's ability to set per-IP triggers (i.e. if a single IP address is opening too many TCP connections in a time frame, you may block that). If these scripts are not running too often against your web server, this is of no use for you.

As I understand it, these script kiddies are trying to automagically post into your forum. What about requiring graphical confirmation before the post is accepted? That way, you're letting legitimate users in from around the world but keeping robots out. If you're using something like phpBB, there are (anti-spam) modules for graphical confirmation.

Again, the best solution (balanced between your concerns and legitimate use for all people) depends on what these attacks against your forum look like.

If there are frequent accesses from the same set of IP addresses, you may use pf. Otherwise this should be blocked by your forum software. Arabic people are really all around the world.

If you want to try pf's trigger functionality (see "stateful tracking options" in pf.conf(5)), keep in mind that every HTTP request (HTML pages, graphics etc.) may lead to many single TCP connections. This means, don't set the limits too short before blocking an IP address.

HTH
Volker
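As an added example (not from Volker's message or the thread), here is what the per-IP trigger from pf.conf(5)'s "stateful tracking options" looks like for a web server, with the country-table approach from the subject line alongside it. The interface name, table names, file path and the numeric limits are assumptions chosen to illustrate the point that one page fetch opens several TCP connections:

```pf
# Added example: per-source-IP connection limits for an HTTP server using
# pf's stateful tracking options. Interface, table names, path and the
# limits below are assumptions, not values from the mailing-list thread.
ext_if = "em0"

# Sources that trip the limit are collected here; "persist" keeps the table
# around even when no active rule references it.
table <flooders> persist

# Optional country block list, loaded from a file of CIDR prefixes
# (the GeoIP approach from the subject line). The path is a placeholder.
table <blocked_countries> persist file "/etc/pf/blocked_countries.txt"

block in quick on $ext_if from <flooders>
block in quick on $ext_if from <blocked_countries>

# Each page fetch opens several TCP connections (HTML, images, CSS), so the
# thresholds are deliberately generous:
#   max-src-conn 100      - at most 100 simultaneous states per source IP
#   max-src-conn-rate 30/5 - at most 30 new connections per 5 seconds per IP
# A source exceeding either limit is added to <flooders>, and "flush global"
# drops all of its existing states, not only those created by this rule.
pass in on $ext_if proto tcp to ($ext_if) port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 30/5, \
     overload <flooders> flush global)
```

Entries added by `overload` stay in the table until removed, so pair this with a periodic `pfctl -t flooders -T expire 3600` (drops entries older than an hour) and check what has been caught with `pfctl -t flooders -T show`. Start with limits well above what a browser generates for one page and tighten only after watching the table for a while; a limit set too tight blocks exactly the legitimate visitors the thread wants to keep.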