From owner-freebsd-pf@FreeBSD.ORG  Tue Jul 14 15:25:00 2009
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 203B01065676
	for <freebsd-pf@freebsd.org>; Tue, 14 Jul 2009 15:25:00 +0000 (UTC)
	(envelope-from ghostsniper007@hotmail.com)
Received: from col0-omc1-s15.col0.hotmail.com (col0-omc1-s15.col0.hotmail.com
	[65.55.34.25]) by mx1.freebsd.org (Postfix) with ESMTP id F37378FC14
	for <freebsd-pf@freebsd.org>; Tue, 14 Jul 2009 15:24:59 +0000 (UTC)
	(envelope-from ghostsniper007@hotmail.com)
Received: from COL106-W36 ([65.55.34.9]) by col0-omc1-s15.col0.hotmail.com
	with Microsoft SMTPSVC(6.0.3790.3959); 
	Tue, 14 Jul 2009 08:12:59 -0700
Message-ID: <COL106-W36D87D1E308A510FBE56078C230@phx.gbl>
X-Originating-IP: [70.28.66.173]
From: Tony <ghostsniper007@hotmail.com>
To: <freebsd-pf@freebsd.org>
Date: Tue, 14 Jul 2009 15:12:56 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 14 Jul 2009 15:12:59.0624 (UTC)
	FILETIME=[92FE0680:01CA0495]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: question about max-src-conn and max-src-conn-rate
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2009 15:25:00 -0000


Below is a packet filter snippet from my config file:

=20

block drop log quick from <brute>
...
pass in  quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA k=
eep state (max-src-conn 80=2C max-src-conn-rate 200/2=2C overload <brute> f=
lush global)
pass out quick on $int_if proto tcp from any to <webs> port 80 flags S/SA k=
eep state

pass out quick on $ext_if proto tcp from <webs> port 80   to any flags SA/S=
A keep state
pass in  quick on $int_if proto tcp from <webs> port 80   to any flags SA/S=
A keep state

=20


Question 1:
Should the bruteforce rules be on each line=2C or just that first one?

=20

Question 2:
If they should be on each line=2C should I multiply the values (80=2C 200/2=
) by 4 ?

=20

Question 3:
Are the rates I'm using reasonable? blocking should be on the loose side


=20

I'm open to any thoughts=2C opinions or screams on best practices=20

_________________________________________________________________
Attention all humans. We are your photos. Free us.
http://go.microsoft.com/?linkid=3D9666046=