From: Carlos López Martínez <clopmz@outlook.com>
Date: Thu, 25 Aug 2022 12:06:00 +0200
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
To: Marek Zarychta, freebsd-net@FreeBSD.org, freebsd-pf@freebsd.org
In-Reply-To: <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl>
References: <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl> <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl>
X-Microsoft-Original-Message-ID: <66fce91b-1a18-2a56-c7be-ab342b93d8fe@outlook.com>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
On 25/08/2022 11:46, Marek Zarychta wrote:
> On 25.08.2022 at 11:32, Carlos López Martínez wrote:
>>
>> On 25/08/2022 11:26, Marek Zarychta wrote:
>>> On 25.08.2022 at 10:48, Carlos López Martínez wrote:
>>>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it
>>>> doesn't work. For example:
>>>>
>>>> rdr on egress inet proto tcp from ! to egress port $tcp_services -> $internal_server
>>>>
>>>> pass in on egress inet proto tcp from ! to (egress:0) port $tcp_services flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)
>>>
>>> rdr comes first, so probably the second rule should be:
>>> pass in on egress inet proto tcp from ! to {(egress:0), $internal_server} port ...
>>> or maybe only:
>>> pass in on egress inet proto tcp from ! to $internal_server port ...
>>> depending on the desired behavior and the complete set of rules.
>>>
>>> It's also worth mentioning here that a PF-specific FreeBSD mailing list
>>> exists: freebsd-pf@freebsd.org
>>>
>>> Regards,
>>
>> Thanks Marek ... But if rdr comes first, the pass rule will not be applied,
>> right? I mean, how can I apply the rate limiting options "flags S/SA keep
>> state (max-src-conn 100...." in a rdr rule?
>>
>
> "rdr" needs "pass" at some point. Unfortunately, I know of no real
> modern, decent PF-FAQ for FreeBSD. Probably digging the internet archive
> would help find something more relevant like this Polish translation[1]
> which hasn't been purged from SourceForge yet.
>
> [1] http://openbsdpl.sourceforge.net/www/faq/pf/pl/rdr.html

Uhmm ... maybe it is a bug? Or a not implemented feature? If I put "rdr pass on egress ....." redirection works, but no rate limiting option is applied ....

-- 
Best regards,
C. L. Martinez
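The rule set below is an added example, written here to show Marek's second suggestion as a complete pf.conf fragment for FreeBSD 13; it is not code from the thread. On FreeBSD 13 the rdr translation section is evaluated before the filter rules, so the filter rule sees the already rewritten destination and must match $internal_server. The rdr rule has nowhere to carry state options, so the rate limiting goes on the separate pass rule. The table name <bruteforce>, the 192.0.2.10 address and the port list are assumed values (the thread's own table name did not survive extraction).

```pf
# Added example pf.conf fragment (FreeBSD 13); not from the thread.
# Assumed values: <bruteforce> table name, internal_server address (RFC 5737
# documentation range), tcp_services port list.
internal_server = "192.0.2.10"
tcp_services    = "{ 22, 443 }"

# Sources that exceed the limits below are added here by 'overload'.
# 'persist' keeps the table across rule reloads so bans survive pfctl -f.
table <bruteforce> persist

# 1. Translation section: destination is rewritten BEFORE filtering.
rdr on egress inet proto tcp from ! <bruteforce> to egress port $tcp_services -> $internal_server

# 2. Filter section: drop already-overloaded sources first ('quick' stops
#    evaluation so the pass rule below never matches them).
block in quick on egress inet proto tcp from <bruteforce> to any

# The pass rule matches the TRANSLATED destination ($internal_server), not
# (egress:0). The state options live here: at most 100 concurrent states per
# source, at most 15 new connections per 5 seconds per source; anything
# beyond that is put in <bruteforce> and its existing states are flushed.
pass in on egress inet proto tcp from ! <bruteforce> to $internal_server port $tcp_services flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and verify that the limits are actually being enforced with `pfctl -t bruteforce -T show` (sources that tripped the overload) and `pfctl -ss` (current states, which should show the $internal_server address as destination).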