Date:      Thu, 25 Aug 2022 12:06:00 +0200
From:      Carlos López Martínez <clopmz@outlook.com>
To:        Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>, freebsd-net@FreeBSD.org, freebsd-pf@freebsd.org
Subject:   Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
Message-ID:  <PRAP251MB056770A04DAC86FF32A6265ADB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
In-Reply-To: <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl>
References:  <PRAP251MB0567D1AA046EAE25E55B64F2DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM> <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl> <PRAP251MB056721E70D0440A99E8612FFDB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM> <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl>



On 25/08/2022 11:46, Marek Zarychta wrote:
> On 25.08.2022 at 11:32, Carlos López Martínez writes:
>>
>>
>> On 25/08/2022 11:26, Marek Zarychta wrote:
>>> On 25.08.2022 at 10:48, Carlos López Martínez writes:
>>>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it 
>>>> doesn't work. For example:
>>>>
>>>> rdr on egress inet proto tcp from !<internal_networks> to egress 
>>>> port $tcp_services -> $internal_server
>>>>
>>>> pass in on egress inet proto tcp from !<internal_networks> to 
>>>> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn 
>>>> 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>>>
>>> rdr comes first, so probably the second rule should be:
>>> pass in on egress inet proto tcp from !<internal_networks> to 
>>> {(egress:0), $internal_server} port ...
>>> or maybe only:
>>> pass in on egress inet proto tcp from !<internal_networks> to 
>>> $internal_server port ...
>>> depending on the desired behavior and the complete set of rules.
>>>
>>> It's also worth mentioning here that PF-specific FreeBSD mailing list 
>>> exists: freebsd-pf@freebsd.org
>>>
>>> Regards,
>>
>> Thanks Marek ... But if rdr comes first, the pass rule will not be applied, 
>> right? I mean, how can I apply the rate-limiting options "flags S/SA keep 
>> state (max-src-conn 100...." in an rdr rule?
>>
>>
> 
> "rdr" needs "pass" at some point. Unfortunately, I know of no real 
> modern, decent PF-FAQ for FreeBSD. Probably digging the internet archive 
> would help find something more relevant like this Polish translation[1] 
> which hasn't been purged from SourceForge yet.
> 
> [1] http://openbsdpl.sourceforge.net/www/faq/pf/pl/rdr.html

Uhmm ... maybe it is a bug? Or a not-implemented feature? If I put "rdr 
pass on egress....." redirection works, but no rate limiting option is 
applied ....

-- 
Best regards,
C. L. Martinez
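As an added example, not taken from the thread, here is a pf.conf fragment for FreeBSD 13's pf that follows Marek's point: the rdr rule is evaluated first, so the filter rule has to match the translated destination ($internal_server), and a plain "rdr" (not "rdr pass") is needed so the packet actually reaches the pass rule carrying the state options. The macro and table names are the ones used in the thread; the address and port values are constructed placeholders.

```pf
# Added example pf.conf fragment (not from the thread). Macro and table
# names follow the thread; the address and port values are placeholders.
internal_server = "192.0.2.10"                 # placeholder
tcp_services    = "{ 22, 443 }"                # placeholder
table <internal_networks> { 10.0.0.0/8, 192.168.0.0/16 }   # placeholder
table <bruteforce> persist

# Translation runs before filtering, so the filter rules below see the
# packet already rewritten to $internal_server. Use plain "rdr" here:
# "rdr pass" passes the packet without consulting the filter rules, so
# the state options on the pass rule would never be applied.
rdr on egress inet proto tcp from !<internal_networks> to egress \
    port $tcp_services -> $internal_server

# Sources that have tripped the limit are dropped before reaching the
# pass rule; "quick" makes this decision final.
block in quick on egress from <bruteforce>

# Match the translated destination, not (egress:0). The overload option
# adds offending sources to <bruteforce> and "flush global" tears down
# all of their existing states.
pass in on egress inet proto tcp from !<internal_networks> \
    to $internal_server port $tcp_services flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

`pfctl -nf /etc/pf.conf` syntax-checks the ruleset without loading it, and `pfctl -t bruteforce -T show` lists the sources the overload rule has added.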


