Date: Thu, 25 Aug 2022 12:16:18 +0200
From: kaycee gb <kisscoolandthegangbang@hotmail.fr>
To: freebsd-pf@freebsd.org
Cc: freebsd-net@FreeBSD.org
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
Message-ID: <HE1PR0402MB34529A7F76481EAE5A4B9C54A0729@HE1PR0402MB3452.eurprd04.prod.outlook.com>
In-Reply-To: <PRAP251MB056721E70D0440A99E8612FFDB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
References: <PRAP251MB0567D1AA046EAE25E55B64F2DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM> <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl> <PRAP251MB056721E70D0440A99E8612FFDB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
On Thu, 25 Aug 2022 11:32:57 +0200, Carlos López Martínez <clopmz@outlook.com> wrote:

> On 25/08/2022 11:26, Marek Zarychta wrote:
> > On 25.08.2022 at 10:48, Carlos López Martínez wrote:
> [...]
> >
> > rdr comes first, so probably the second rule should be:
> > pass in on egress inet proto tcp from !<internal_networks> to
> > {(egress:0), $internal_server} port ...
> > or maybe only:
> > pass in on egress inet proto tcp from !<internal_networks> to
> > $internal_server port ...
> > depending on the desired behavior and the complete set of rules.
> >
> > It's also worth mentioning here that a PF-specific FreeBSD mailing list
> > exists: freebsd-pf@freebsd.org
> >
> > Regards,
>
> Thanks Marek ... But if rdr comes first, the pass rule will not be applied,
> right? I mean, how can I apply the rate limiting options "flags S/SA keep
> state (max-src-conn 100...." in a rdr rule?
>
>

Hi,

It should be applied.

If you have an "rdr pass ..." rule you can't apply options like rate limiting, IIRC.

As Marek said, you need both rdr and pass rules, and his example seems good.

Your rdr rule with

> > or maybe only:
> > pass in on egress inet proto tcp from !<internal_networks> to
> > $internal_server port ...

is what I would do. Have you tried it? Or maybe a "pass in quick ..." variant. I'm a fan of the quick option.

Another option would be to use the tag option:

rdr on egress ... tag INTSERVICES -> ...
pass in on egress tagged INTSERVICES flags ...

or with the quick option:

pass in quick on egress tagged INTSERVICES flags ...

Hope that helps.

K.
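The two approaches discussed in the thread, written out as a complete FreeBSD 13 pf.conf fragment. This is an added example, not a ruleset posted by anyone in the thread; the internal server address, the port list, the table names, the rate-limit numbers and the <bruteforce> overload table are assumptions chosen to illustrate the point. The key ordering fact from Marek's reply drives the design: rdr rewrites the destination before the filter rules run, so the pass rule must match the translated address (or the tag set by the rdr rule), and the state options (max-src-conn etc.) can only sit on a pass rule, never on an "rdr pass" rule.

```pf
# Added example for FreeBSD 13 pf (translation rules separate from filter
# rules).  Addresses, ports, table names and limits below are assumptions.

internal_server = "10.0.0.10"          # assumed internal host
services        = "{ 22, 443 }"        # assumed redirected services

table <internal_networks> const { 10.0.0.0/8, 192.168.0.0/16 }   # assumed
table <bruteforce> persist             # filled by the overload option below

set skip on lo0

# Translation runs before filtering.  No "pass" keyword here on purpose:
# an "rdr pass" rule would skip the filter, and with it the state options.
# The tag lets a filter rule match the flow without restating addresses.
rdr on egress inet proto tcp from !<internal_networks> \
    to (egress:0) port $services tag INTSERVICES -> $internal_server

# Offenders are dropped first; "quick" ends evaluation so the pass rule
# further down can never match them.
block in quick on egress from <bruteforce>

# Variant 1 (Marek's second suggestion): match the post-rdr destination.
# Rate limiting lives on the pass rule: once a source exceeds 100 open
# connections or 15 new connections in 30 seconds it is added to
# <bruteforce> and all of its existing states are flushed ("flush global").
pass in quick on egress inet proto tcp from !<internal_networks> \
    to $internal_server port $services flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/30, \
     overload <bruteforce> flush global)

# Variant 2 (kaycee's tag suggestion): match on the tag set by the rdr rule
# instead of repeating addresses and ports.  Use one variant or the other;
# this one is commented out so the two pass rules do not both apply.
# pass in quick on egress tagged INTSERVICES flags S/SA keep state \
#     (max-src-conn 100, max-src-conn-rate 15/30, \
#      overload <bruteforce> flush global)
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, and after a test run inspect what the overload option has collected with `pfctl -t bruteforce -T show`. Because the table is declared `persist`, entries survive until removed; `pfctl -t bruteforce -T expire 86400` (for example from cron) clears entries older than a day so a legitimate source that tripped the limit is not locked out forever.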