Date: Thu, 25 Aug 2022 11:32:57 +0200
From: Carlos López Martínez <clopmz@outlook.com>
To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>, freebsd-net@FreeBSD.org, freebsd-pf@freebsd.org
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
Message-ID: <PRAP251MB056721E70D0440A99E8612FFDB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
In-Reply-To: <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl>
References: <PRAP251MB0567D1AA046EAE25E55B64F2DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM> <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl>
On 25/08/2022 11:26, Marek Zarychta wrote:
> W dniu 25.08.2022 o 10:48, Carlos López Martínez pisze:
>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it
>> doesn't work. For example:
>>
>> rdr on egress inet proto tcp from !<internal_networks> to egress port
>> $tcp_services -> $internal_server
>>
>> pass in on egress inet proto tcp from !<internal_networks> to
>> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn 100,
>> max-src-conn-rate 15/5, overload <bruteforce> flush global)
>
> rdr comes first, so probably the second rule should be:
> pass in on egress inet proto tcp from !<internal_networks> to
> {(egress:0), $internal_server} port ...
> or maybe only:
> pass in on egress inet proto tcp from !<internal_networks> to
> $internal_server port ...
> depending on the desired behavior and the complete set of rules.
>
> It's also worth mentioning here that PF-specific FreeBSD mailing list
> exists: freebsd-pf@freebsd.org
>
> Regards,
Thanks Marek ... But if rdr comes first, the pass rule will not be applied,
right? I mean, how can I apply the rate limiting options "flags S/SA keep
state (max-src-conn 100...." in an rdr rule?
--
Best regards,
C. L. Martinez
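For readers arriving at this thread with the same question, here is an added example of a complete FreeBSD 13 pf.conf fragment in the old rdr syntax; it is not from the thread or from either poster. It takes the approach Marek points at: rdr rewrites the destination before the filter rules run, so the pass rule that carries the state options must match the translated destination ($internal_server), not the egress address. The macro and table names mirror the thread; the addresses, the service ports and the `em0` interface are constructed placeholders.

```pf
# Added example, not from the mailing-list thread.
# Assumed values: all addresses are from the RFC 5737 documentation range.
internal_server = "192.0.2.10"          # constructed placeholder
tcp_services    = "{ 22, 443 }"         # assumed service ports

table <internal_networks> { 192.0.2.0/24 }   # constructed
table <bruteforce> persist                   # filled by the overload clause below

set skip on lo0

# 1. Translation. Evaluated before any filter rule; the packet then continues
#    through the filter with its destination already rewritten to $internal_server.
rdr on egress inet proto tcp from !<internal_networks> to egress port $tcp_services -> $internal_server

# 2. Drop sources that the overload clause has already flagged. "quick" makes this
#    rule final, so a flagged source never reaches the pass rule that creates state.
block in quick on egress inet proto tcp from <bruteforce> to $internal_server port $tcp_services

# 3. Filter. Because the packet is already translated, match on the internal address.
#    The state options live here, not in the rdr rule:
#      max-src-conn 100      : at most 100 simultaneous states per source address
#      max-src-conn-rate 15/5: more than 15 new connections in 5 seconds trips the overload
#      overload <bruteforce> : add the offending source to the table
#      flush global          : kill every state from that source, not only those from this rule
pass in on egress inet proto tcp from !<internal_networks> to $internal_server port $tcp_services \
    flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`. Once live, `pfctl -t bruteforce -T show` lists the sources that tripped the overload, and `pfctl -t bruteforce -T expire 3600` removes entries older than an hour so that a cron job can age them out. One caveat about the `egress` group: unlike OpenBSD, FreeBSD does not create it automatically; if the rule set is the only place it appears, assign the external interface to it first (for example `ifconfig em0 group egress`, with `em0` being an assumed interface name) or use the interface name directly in the rules.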
