Date:      Thu, 25 Aug 2022 10:48:45 +0200
From:      Carlos López Martínez <clopmz@outlook.com>
To:        questions@freebsd.org, freebsd-net@FreeBSD.org
Subject:   How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
Message-ID:  <PRAP251MB0567D1AA046EAE25E55B64F2DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>

Hi all,

I am trying to rate limit public connections for certain services to 
avoid brute-force attacks under a FreeBSD 13.1 firewall. Under OpenBSD it is 
"pretty simple" with a rule like:

table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from !<internal_networks> to (egress:0) port $tcp_services \
        flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global) \
        rdr-to $internal_server

But under FreeBSD when I try to combine "pass" with "rdr" rules, it 
doesn't work. For example:

rdr on egress inet proto tcp from !<internal_networks> to egress port $tcp_services \
        -> $internal_server

pass in on egress inet proto tcp from !<internal_networks> to (egress:0) port $tcp_services \
        flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

Any idea about what I am doing wrong?
-- 
Best regards,
C. L. Martinez
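The following pf.conf fragment is an added example for FreeBSD 13, not part of the original message. On FreeBSD 13 (pre-14 syntax), rdr translation is applied before filtering, so a pass rule that should match redirected connections has to match the translated destination ($internal_server), not the egress address; the state-tracking options and the overload table then work as on OpenBSD. The macros $tcp_services and $internal_server, the <internal_networks> table contents and the "egress" interface group are assumptions (FreeBSD does not create the egress group automatically; it is assumed here to have been created with ifconfig, for example "ifconfig em0 group egress").

```pf
# Added example for FreeBSD 13 pf (not the original poster's ruleset).
# Assumed macros; replace with real values.
tcp_services    = "{ 22, 443 }"
internal_server = "10.0.0.10"

# Constructed sample contents for the internal networks table.
table <internal_networks> persist { 10.0.0.0/8, 192.168.0.0/16 }
# Sources that exceed the connection limits are collected here.
table <bruteforce> persist

# Translation happens before filtering: after this rule the packet's
# destination is $internal_server, so the pass rule below matches that.
rdr on egress inet proto tcp from !<internal_networks> to egress port $tcp_services \
        -> $internal_server

# Drop everything from already-overloaded sources before any pass rule.
block in quick on egress from <bruteforce> to any

# Filter on the translated destination. max-src-conn caps simultaneous
# connections per source; max-src-conn-rate 15/5 allows at most 15 new
# connections per source in any 5 second window. Exceeding either adds the
# source to <bruteforce>, and "flush global" kills all of its existing states.
pass in on egress inet proto tcp from !<internal_networks> to $internal_server port $tcp_services \
        flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Validate the syntax before loading with `pfctl -nf /etc/pf.conf`, inspect the overloaded sources with `pfctl -t bruteforce -T show`, and because overload entries never expire on their own, remove stale ones periodically (for example from cron) with `pfctl -t bruteforce -T expire 86400`.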


