Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 25 Aug 2022 12:20:23 +0200
From:      Michael Gmelin <grembo@freebsd.org>
To:        Carlos =?UTF-8?B?TMOzcGV6IE1hcnTDrW5leg==?= <clopmz@outlook.com>
Cc:        questions@freebsd.org, freebsd-net@FreeBSD.org
Subject:   Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
Message-ID:  <20220825122023.08491369.grembo@freebsd.org>
In-Reply-To: <PRAP251MB0567D1AA046EAE25E55B64F2DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
References:  <PRAP251MB0567D1AA046EAE25E55B64F2DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
next in thread | previous in thread | raw e-mail | index | archive | help 



On Thu, 25 Aug 2022 10:48:45 +0200
Carlos López Martínez <clopmz@outlook.com> wrote:

> Hi all,
> 
> I am tryping to rate limit public connections for certain services to 
> avoid brutforce attacks under a FreeBSD 13.1 firewall. Under OpenBSD
> is "pretty simple" with a rule like:
> 
> table <bruteforce> persist
> block quick from <bruteforce>
> pass inet proto tcp from !<internal_networks> to (egress:0) port 
> $tcp_services \
>          flags S/SA keep state \
>      (max-src-conn 100, max-src-conn-rate 15/5, \
>           overload <bruteforce> flush global) rdr-to $internal_server
> 
> But under Freebsd when I try to combine "pass" with "rdr" rules, it 
> doesn't works. For example:
> 
> rdr on egress inet proto tcp from !<internal_networks> to egress port 
> $tcp_services -> $internal_server
> 
> pass in on egress inet proto tcp from !<internal_networks> to
> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn
> 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
> 
> Any idea about what am I doing wrong?

Your pass rule won't match the rdr rule, as it is matched *after*
rdr was applied. So at this point the target address is not egress:0,
anymore, but $internal_server.

If your traffic passes anyway, it's probably matched by some other more
general rule.

You could simplify your config by using tags, which could look like
this:

  rdr on egress inet proto tcp from !<internal_networks> to \
    egress port $tcp_services tag pass_rate_limit -> $internal_server

  pass in quick flags S/SA keep state (max-src-conn 100, \
    max-src-conn-rate 15/5, overload <bruteforce> flush global) \
    tagged pass_rate_limit

Using the "pass quick" rule early in your pf.conf will make sure it is
applied instead of other matching rules.

Cheers
Michael

-- 
Michael Gmelin

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20220825122023.08491369.grembo>