From: Carlos López Martínez <clopmz@outlook.com>
Date: Thu, 25 Aug 2022 11:32:57 +0200
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
To: Marek Zarychta, freebsd-net@FreeBSD.org, freebsd-pf@freebsd.org
In-Reply-To: <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
On 25/08/2022 11:26, Marek Zarychta wrote:
> On 25.08.2022 at 10:48, Carlos López Martínez wrote:
>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it
>> doesn't work. For example:
>>
>> rdr on egress inet proto tcp from ! to egress port
>> $tcp_services -> $internal_server
>>
>> pass in on egress inet proto tcp from ! to
>> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn 100,
>> max-src-conn-rate 15/5, overload flush global)
>
> rdr comes first, so probably the second rule should be:
> pass in on egress inet proto tcp from ! to
> {(egress:0), $internal_server} port ...
> or maybe only:
> pass in on egress inet proto tcp from ! to
> $internal_server port ...
> depending on the desired behavior and the complete set of rules.
>
> It's also worth mentioning here that a PF-specific FreeBSD mailing list
> exists: freebsd-pf@freebsd.org
>
> Regards,

Thanks Marek ... But if rdr comes first, the pass rule will not be applied, right? I mean, how can I apply the rate limiting options "flags S/SA keep state (max-src-conn 100 ..." in a rdr rule?

-- 
Best regards,
C. L. Martinez
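A complete pf.conf fragment built around the two rules quoted in this thread, added here as an example and not taken from either poster. On FreeBSD 13 pf, an rdr rule rewrites the destination before the filter rules are evaluated, so the pass rule that carries the state options has to match the translated destination ($internal_server); the options cannot be attached to the rdr rule itself. The table name <bruteforce>, the address 192.0.2.10, the ports 22 and 443 and the interface group name are assumptions, since the table name was lost in the archived message.

```pf
# Added example, not from the original thread.
# Assumed names: interface group "egress", table <bruteforce>,
# internal host 192.0.2.10 (documentation range), services ssh and https.
ext_if          = "egress"
internal_server = "192.0.2.10"
tcp_services    = "{ 22, 443 }"

# persist keeps the table (and its offenders) across "pfctl -f" reloads.
table <bruteforce> persist

set skip on lo

# Translation is applied first: after this rule the packet's destination
# is $internal_server, which is what the filter rules below must match.
# Sources already in <bruteforce> are excluded so they are not redirected.
rdr on $ext_if inet proto tcp from ! <bruteforce> to ($ext_if:0) \
    port $tcp_services -> $internal_server

# Offenders are dropped before any pass rule is considered.
block in quick on $ext_if inet proto tcp from <bruteforce> to $internal_server

# The rate-limiting options live on this pass rule, matching the translated
# destination. max-src-conn-rate 15/5: more than 15 new connections within
# 5 seconds from one source address adds that address to <bruteforce>;
# "flush global" then removes every existing state belonging to that source.
pass in on $ext_if inet proto tcp from ! <bruteforce> to $internal_server \
    port $tcp_services flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. `pfctl -t bruteforce -T show` lists the addresses the overload clause has added, and `pfctl -t bruteforce -T expire 86400` removes entries older than a day, since pf never ages table entries out on its own. One caveat: the `rdr pass` shorthand passes redirected packets without consulting the filter rules at all, so a ruleset that uses it gets no rate limiting; a plain `rdr` followed by an explicit `pass` rule is the form that lets the state options take effect.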