Date:      Sat, 30 Dec 2006 21:23:22 +0300
From:      "Abdullah Al-Marrie" <almarrie@gmail.com>
To:        "Peter N. M. Hansteen" <peter@bsdly.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: rate limit with pf instead of IPFW
Message-ID:  <499c70c0612301023k25a801d4h8ef13ff1bebd5dbe@mail.gmail.com>
In-Reply-To: <87vejtuytk.fsf@thingy.datadok.no>
References:  <499c70c0612290305w11eee312ma02e482b69e77f01@mail.gmail.com> <87vejtuytk.fsf@thingy.datadok.no>

On 12/30/06, Peter N. M. Hansteen <peter@bsdly.net> wrote:
> "Abdullah Al-Marrie" <almarrie@gmail.com> writes:
>
> > I checked http://home.nuug.no/~peter/pf/en/bruteforce.html
> >
> > I still didn't find something in the faq covers table <bruteforce>
> > persist , do I need to create a file like /etc/bruteforce or no need
> > for that and will be stored in kernel until they expire or I reboot
> > the box?
>
> You can load data into a table from a file (or for that matter dump
> table contents to a file) if you like.  If it's important to keep the
> table contents across reboots, you probably want to do something like
>
> $ sudo pfctl -t foo -T show >/etc/tables/foo
>
> or perhaps at regular intervals from cron, and declare your table
> something like
>
> table <foo> persist file /etc/tables/foo
>
> > as su I type pfctl -t foo -Tl -f /etc/pf.conf but it returns nothing.
>
> If you want to show table contents, a
>
> $ sudo pfctl -t foo -T show
>
> should be sufficient.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
> 20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

Ok,

I think it works now, but I'm sure I missed something, since it
doesn't block the flooder.

# Macros ($ext_if, $tcp_services, $udp_services, $icmp_types) and the <foo>
# table are declared earlier in pf.conf and are not shown in this excerpt.
#
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub in on $ext_if all no-df
scrub    on $ext_if  all reassemble tcp

# Filtering: the implicit first two rules are (kept as comments; pf applies
# them by default and they must not be real rules here)
# pass in all
# pass out all

# Pass all 'quick' on localhost loopback device
pass quick on lo0 all

## Default DENY & Log filter rules
block in log all
block out log all

# Drop our 'badguys' 'quick' with no reply or logging.
block in quick on $ext_if from <foo> to any

# Pass in rules for the various services defined above. Using 'synproxy state'
# for basic DDoS mitigation on TCP services.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state

# Port 80: keep state with a per-source connection rate limit. 'quick' makes
# this rule win over the synproxy rule above for port 80. A source that opens
# more than 3 new connections in 3 seconds is added to <foo> and, because of
# 'flush global', all of its existing states are killed. Note the rule has no
# direction or interface, so it also matches outbound connections to port 80.
pass quick proto tcp from any to port 80 \
        flags S/SA keep state \
        (max-src-conn-rate 3/3, \
         overload <foo> flush global)

# Pass UDP keeping state
pass in on $ext_if proto udp from any to $ext_if port $udp_services keep state

# Pass ICMP type 8 (echo request) only, keeping state so the replies return
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Pass FTP control connections
pass in quick on $ext_if proto tcp from any to any port 21 flags S/SA \
        keep state
# Passive FTP data connections. Note this admits any inbound TCP connection
# to ports 49152-65535, not only FTP data channels.
pass in quick on $ext_if proto tcp from any to any port > 49151 keep state

# Pass out rule allowing all with modulate state
pass out on $ext_if proto tcp all modulate state flags S/SA

# Pass out rules for UDP, ICMP
pass out on $ext_if proto { udp, icmp } all keep state

# End

----

Here is the pfctl -s a output:

self tcp 66.90.105.115:80 <- 86.142.37.237:1086       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 211.213.208.237:3698       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 88.72.57.238:1345       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 88.72.57.238:1150       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 82.253.27.239:3079       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 85.24.126.240:1063       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 200.227.72.245:40219       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 84.61.12.247:1537       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 62.21.114.254:27475       TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 62.21.114.254:27476       TIME_WAIT:TIME_WAIT

SOURCE TRACKING NODES:
83.26.19.2 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.57.19.6 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.100.235.6 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
125.191.104.7 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
212.51.52.8 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
213.63.67.8 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.245.169.9 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.129.142.13 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.252.21.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.226.46.14 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.19.164.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.107.53.15 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.69.215.16 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
82.197.246.17 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.214.188.19 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.118.233.20 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
212.116.219.21 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.31.175.22 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
83.209.10.24 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.20.97.26 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
200.92.206.26 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.183.16.29 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
193.189.116.29 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.248.32.32 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.217.145.32 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.110.165.33 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.228.202.36 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
89.252.13.37 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.168.152.39 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
58.141.35.42 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.64.49.42 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
82.155.36.47 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
68.116.187.47 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
83.26.240.49 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.38.29.52 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.1.54.52 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.241.71.52 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
195.96.124.52 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.160.206.52 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.45.251.54 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
88.118.183.55 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.228.183.56 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.77.56.57 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
195.161.7.61 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.22.187.61 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
218.172.158.64 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
83.6.223.74 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.24.124.75 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
213.246.243.78 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.175.28.79 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
200.162.227.80 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.104.6.81 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.186.130.81 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.205.75.83 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.25.232.84 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.59.45.85 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.109.76.87 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
211.124.236.87 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
195.229.242.90 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.102.187.92 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
213.145.113.93 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
217.23.253.94 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.139.217.97 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
82.83.17.100 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/3s )
88.72.50.102 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.114.143.102 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.108.202.103 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.193.175.104 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
89.29.13.106 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.24.122.106 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
24.144.23.109 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.178.102.109 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.55.14.110 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.128.33.112 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.138.228.113 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
70.83.87.118 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.117.2.119 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
219.248.23.125 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.103.90.126 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.193.178.127 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
201.250.230.128 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.128.204.129 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
85.186.140.132 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
166.87.255.132 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
219.241.253.133 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.181.87.134 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.185.151.135 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.106.122.137 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.55.94.139 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.68.72.143 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.142.233.144 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.25.212.147 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.182.101.149 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.106.250.150 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.179.198.151 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
82.247.63.152 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.73.75.152 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
210.64.230.153 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.166.211.155 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
24.37.213.158 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.182.183.159 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.26.225.161 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.221.70.166 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.217.158.166 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.26.241.166 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.53.206.168 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
85.168.112.172 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.154.113.173 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/3s )
85.61.10.174 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.234.60.176 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
80.217.177.176 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
195.3.113.178 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.56.180.178 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.147.210.179 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
62.39.229.180 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
212.183.222.181 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.77.15.182 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
82.142.157.182 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
83.61.148.184 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.190.253.184 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
82.217.97.185 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.165.218.185 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.64.8.187 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
195.20.106.191 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.107.186.195 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
83.13.15.202 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
194.78.199.202 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
86.105.44.210 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
60.237.217.211 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.65.173.222 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.61.224.224 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.152.208.225 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.45.15.226 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
89.132.25.228 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
80.224.245.229 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
88.73.137.230 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
81.131.52.233 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
217.151.136.233 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
62.178.227.233 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
86.142.37.237 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
211.213.208.237 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
88.72.57.238 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/3s )
82.253.27.239 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
85.24.126.240 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
84.61.40.244 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
200.227.72.245 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
201.21.132.246 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
217.23.182.246 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
84.61.12.247 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
87.19.245.252 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
81.40.16.254 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/3s )
62.21.114.254 -> 0.0.0.0 ( states 2, connections 0, rate 0.0/3s )

INFO:
Status: Enabled for 0 days 00:02:57           Debug: Urgent

Hostid: 0x4a67045a

State Table                          Total             Rate
  current entries                      112
  searches                           34551          195.2/s
  inserts                             3658           20.7/s
  removals                            3546           20.0/s
Counters
  match                              15284           86.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                       350            2.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states     hard limit  10000
src-nodes  hard limit  10000
frags      hard limit   5000

TABLES:
foo

OS FINGERPRINTS:
293 fingerprints loaded

Could you suggest what I should do in this case?


-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/



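As an added example (not part of the original thread or of pf itself), the POSIX shell/awk helper below summarises the two sections of "pfctl -s all" output quoted above: it counts inbound states per remote address from the state listing and picks out source-tracking nodes whose tracked state count or moving-average rate crosses a threshold. The embedded sample is constructed, uses RFC 5737 documentation addresses, and is modelled on the listing in the message; the thresholds are parameters, with 3 per 3 seconds mirroring the posted "max-src-conn-rate 3/3". A node counts as over the rate limit when its "rate" field exceeds the configured number, which is how pf.conf(5) describes max-src-conn-rate ("limit the rate of new connections over a time interval", calculated as a moving average).

```shell
#!/bin/sh
# Added example: summarise "pfctl -s all" output to see which sources a
# per-source limit such as "max-src-conn-rate 3/3" would actually catch.
# Constructed sample modelled on the listing in the thread; the addresses are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE='self tcp 192.0.2.10:80 <- 198.51.100.7:1086       ESTABLISHED:ESTABLISHED
self tcp 192.0.2.10:80 <- 198.51.100.7:1087       ESTABLISHED:ESTABLISHED
self tcp 192.0.2.10:80 <- 198.51.100.7:1088       TIME_WAIT:TIME_WAIT
self tcp 192.0.2.10:80 <- 198.51.100.7:1089       TIME_WAIT:TIME_WAIT
self tcp 192.0.2.10:80 <- 203.0.113.5:3698       TIME_WAIT:TIME_WAIT
self tcp 192.0.2.10:80 <- 203.0.113.9:1345       TIME_WAIT:TIME_WAIT
self tcp 192.0.2.10:80 <- 203.0.113.9:1150       TIME_WAIT:TIME_WAIT
self tcp 192.0.2.10:51022 -> 203.0.113.77:22       ESTABLISHED:ESTABLISHED

SOURCE TRACKING NODES:
198.51.100.7 -> 0.0.0.0 ( states 4, connections 0, rate 4.0/3s )
203.0.113.5 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/3s )
203.0.113.9 -> 0.0.0.0 ( states 2, connections 0, rate 0.7/3s )

INFO:
Status: Enabled for 0 days 00:02:57           Debug: Urgent'

# Inbound states per remote address, most first.  Only "<-" (inbound) entries
# in the state listing count; the trailing :port is stripped so the remote
# address alone is the key.  Output lines: "<addr> <count>".
inbound_states_per_src() {
    printf '%s\n' "$1" | awk '
        /^SOURCE TRACKING NODES:/ { exit }   # end of state listing; END still runs
        $4 == "<-" { src = $5; sub(/:[0-9]+$/, "", src); n[src]++ }
        END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Source-tracking nodes holding at least $2 states, or whose moving-average
# rate (the "rate X/Ys" field that max-src-conn-rate is measured by) is above
# $3 new connections per interval.  Output lines: "<addr> <states> <rate>".
nodes_over() {
    printf '%s\n' "$1" | awk -v min_states="$2" -v max_rate="$3" '
        /^SOURCE TRACKING NODES:/ { in_nodes = 1; next }
        in_nodes && /^[ \t]*$/ { exit }      # blank line closes the section
        in_nodes {
            # field layout: addr -> 0.0.0.0 ( states N, connections N, rate X/Ys )
            states = $6; sub(/,/, "", states)
            split($10, r, "/"); rate = r[1]
            if (states + 0 >= min_states || rate + 0 > max_rate) print $1, states, rate
        }'
}

# Sources that a "max-src-conn-rate LIMIT/seconds" rule would push into its
# overload table right now: rate above LIMIT, whatever the state count.
would_overload() {
    nodes_over "$1" 999999 "$2" | awk '{ print $1 }'
}

echo "== inbound states per source =="
inbound_states_per_src "$SAMPLE"
echo "== sources over max-src-conn-rate 3/3 =="
would_overload "$SAMPLE" 3
# On a live firewall: pfctl -s all > /tmp/pf.txt; would_overload "$(cat /tmp/pf.txt)" 3
```

In the constructed sample only 198.51.100.7, at 4.0 new connections per 3 seconds, is over the 3/3 limit; the other nodes hold one or two states at a rate well under it. A per-source limit only ever looks at one address at a time, so a listing like the one in the message, where nearly every tracked node holds a single state at rate 0.0/3s, gives max-src-conn-rate nothing to trigger on, and the <foo> table stays empty.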
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?499c70c0612301023k25a801d4h8ef13ff1bebd5dbe>