From nobody Thu Aug 25 12:26:26 2022 X-Original-To: freebsd-net@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MD2JR0ZMgz4ZRZf; Thu, 25 Aug 2022 12:26:31 +0000 (UTC) (envelope-from clopmz@outlook.com) Received: from EUR03-AM7-obe.outbound.protection.outlook.com (mail-am7eur03olkn2010.outbound.protection.outlook.com [40.92.59.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "DigiCert Cloud Services CA-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MD2JQ0tBJz4322; Thu, 25 Aug 2022 12:26:30 +0000 (UTC) (envelope-from clopmz@outlook.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hahGu+sODApZVh1lLS/eGTrOFWE5zbZTZxPpFzCVDjruGJMw9c4sFtpSrMtkiaXCdT4k951EcdzFGhPFZ117ZWQRaFULGGRrxDvy72hR6Z9h0ICSgu2o+D6jbQfDF1eyuAX/j6NJojrHunijynEv5xJaXyMZSvOzwD21ua7m/Embb3WtwI40PvcR3Zp/FpGiybBxD3e1IuVEAnAD6za+CHyCijxDPJZsjelsOVCnGPd8d/iTSdw9b02J3b1drnNnJVzmSAR2uLEH1EtbFmvKgLnjpkxuJ7VLSAfVaT8BvMrdYoaYVM8KpicGr8jqs+TA61hcpgl77S289tqQ9vh5Fg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0xJ6tCXWb4PozqYSKjCP4LG4HMSxqFFmh5j9uA7tuW4=; b=cmSkX4DVBZyUTJ5+ftedJJCWQzpStc/R6Ax6XXOC+cxdbhaGyp43O2AbjKYpA1kKTiYzmPTJp4Mr+BYYMLpjf9qHh/Hm7AEnINDvEkZ08HIe17BlLhCXw+vx9fT0zd1nWxr2XhEM96Rp3Kd5PdNmQnJXpNtfWr030S0bGujB48v0cr8i6UZzSmzjQIyfnd2pFTI3hVqb9E+XeY5Bj8fV7jJXD91vSpXSTgyW4yaErChKNSGrUfc00zHHOh23nO7rjdYlfbHXjEtdlXymPObrNFHxlVbygdWIs/+UIs3mZZRwTqR7E4Ke3GygSNak02z1wrpbwwqPobbEYWbiUPvY7w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0xJ6tCXWb4PozqYSKjCP4LG4HMSxqFFmh5j9uA7tuW4=; b=Zg/211rOVeHziIESqgbKDPT6g3Ey5DiX2ZjzpgYIda6VXBdOnSXC/RDq/bVSA8edvzbPJFmkOt7JSz2hIJApYNASd1Zxd7BAF/qR2IrcY23z3TfPHauXCTe8tG7ybYHF9FPFxjwdgrrDRv2VJsBhP6qvgjih2vHAwbpegTmH7/lbOooS6lYUc5H57TDmYpzrwxjZRYc1KuI786K/KcbjVNOdhRIxhBGwQvWxw0JHgEHYbMN/rSXgWyGMjLO60ZjTDw5JslDYcSdNz7iWu4IbW62nxQM2BuDvu9B2xzvG7Qtoec9XZKaiBvRPcnTDMNA9A21MYWdqoXsfHoRi2IC5Ag== Received: from PRAP251MB0567.EURP251.PROD.OUTLOOK.COM (2603:10a6:102:29a::16) by AS8P251MB0119.EURP251.PROD.OUTLOOK.COM (2603:10a6:20b:401::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5566.15; Thu, 25 Aug 2022 12:26:28 +0000 Received: from PRAP251MB0567.EURP251.PROD.OUTLOOK.COM ([fe80::ad16:61d5:b534:cb68]) by PRAP251MB0567.EURP251.PROD.OUTLOOK.COM ([fe80::ad16:61d5:b534:cb68%4]) with mapi id 15.20.5566.015; Thu, 25 Aug 2022 12:26:28 +0000 Message-ID: Date: Thu, 25 Aug 2022 14:26:26 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.13.0 Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13? To: freebsd-pf@freebsd.org, freebsd-net@FreeBSD.org References: <20220825122023.08491369.grembo@freebsd.org> From: =?UTF-8?Q?Carlos_L=c3=b3pez_Mart=c3=adnez?= In-Reply-To: <20220825122023.08491369.grembo@freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-TMN: [ItrCKwFYB8DYgCmRdd3HESRX24nP86M9] X-ClientProxiedBy: PR0P264CA0100.FRAP264.PROD.OUTLOOK.COM (2603:10a6:100:19::16) To PRAP251MB0567.EURP251.PROD.OUTLOOK.COM (2603:10a6:102:29a::16) X-Microsoft-Original-Message-ID: List-Id: Networking and TCP/IP with FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-net List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-net@freebsd.org MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: b711472e-78e0-4f88-23da-08da869508cf X-MS-TrafficTypeDiagnostic: AS8P251MB0119:EE_ X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: WDEH5kb7W9yCO2MQ3AhaZdXswarYoDLQdJcWRNMpc1K2aS+9L8Rom9O1E9GC4NHezSYCNROK1nM7Dm61Dn+kK6hGGRI1zoINM9WfyZ2PCZ8i6EPPu11S51yN+ykAp+0odpRnlea7t2mRJ4yIkXJ28RiTXvUONavF/NBY7F9zxRMi/7NepINoP+XIL5qp2rIwsZvTvnI+gQuQY/u+ACaVFaeku3sfap14A/znA/XNYkggWFyqEwZ15zmWWpagHCv44I5xErD4sN5teYXaGQE3omy/mIdA/xKYm1aE3HXbxJE/emklNg0OedaG0PlpG4onroitN+A2HrN7S64kZFkqbH1cKkDO/++V1rughjLYmy7Pexf5NLk3bog8uYBxcegwBfecdPgU0A3z18KvXD3s4EUX8mQxXk7r4FROFIQze0sFxLLeKIsL1jH9yiV/TXhfuSnqy6UcLiJXXDVV9YuyjGgrxBhNIuMW5qX1D2jT7YapuC94iEXPigCPm3M4siNvIFVbuWeXnY39Gv61SgcvMVHRw54x19Vq0rZoOjQ88mH+/tT9xiwdysCEcPtzmdo6EsbH47ZSBeqeg0Pt4rQ8mhDkrJ0xdRJJRDjXqN5/CY6GxmcV6Y6SIzTAYz66Ubvsc0d/KBgBard7Nv0DCNgh9uDabz44aAxQ5b9ZXAPDg+d49gSkiarm5pb9nDdoetLa X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?dE5QakF6bUlQMERuN0xtT0R3S0FjRmN1K1F4Sk4zVDBLNjFOc3N2Y0IvQXMw?= =?utf-8?B?Q1NOWWdlMGQ4MlN4ZkNOOGVqaDd0Mnk1THZJcUxkZHFlbXkyaVhCSllQbzNk?= =?utf-8?B?amtYKzQxbGZIZUdRd0lVYXVJRFk5dDZQQjVDbEZHZ284bitDdXM0K2lUV3ZL?= =?utf-8?B?b2lzNmlNK1BPb1pkVk1rWWJpOFF1b2lCclpTTmtiS2l3dDZDVldHdHBaK1FE?= =?utf-8?B?Skc0cE1pRmRMMUtHaHIxeVRYWEtxdlVFbzVOZnhTVDR3V2dDQ2psVGJUVmRX?= =?utf-8?B?T3c1NnlBQ3RhOHBoWUkzZ3FYQXFFc1ZZWDRkY2dWUFVsT1VOWlE1Mnoxd3FV?= =?utf-8?B?cTNneDVnZGEreDlGWlN5T0hkdGMrM0hTekd2YnRBVGc3M2FOdUFab0Z2enF1?= =?utf-8?B?eDladTBlQmx6clM4aDNzK3NJZy9LZ0lJcmNXRkdEM1ZlYmZBRXpwS0krSmox?= =?utf-8?B?aGczRnEwbU9CdSthbFFMWFV0VTV5RlFyY2taaktTNjdYNk8ySGdvdUpLbk1z?= =?utf-8?B?cDA5amZKSXl4eDd1WVhCRitQUFhjaHZWclZNTVhUaVdoK21kSW9CYVVrUVhL?= =?utf-8?B?cEVxSTZma2dQSGRNOExTR3g0cjBMWEY4U0JPLzkxVENsQUQzRUEweURrVDdD?= =?utf-8?B?VVdpUnJ3d3h5MVphcCtEVmtUQWUyYThkSHlXQWtIMUtibHltNnIzemF3N3Vh?= =?utf-8?B?OHFwTnVDVE5PMXlMcllDTXMySUVSZGVZZW1EQTJRZUQ0QzJJaFIwS0ZLYWM0?= =?utf-8?B?anp2Um5iQTl2UTYwR2pjRUlaTk9rN3lQdVlHOVdaby9zbjhzNGp2cE5oRlBH?= =?utf-8?B?ZVVFTXdNSTloN09leE1CWUNpZVZOSFZQVjVQNzR4NThXU25uWE91UWpsamFX?= =?utf-8?B?NVdxbGIxcTl2WHpLZmFVUXhsMndlbTVOSld5bWorQkt0UmtlRzZmUWNiK2xV?= =?utf-8?B?ZXBsUVlXakN0eWtCUVdqa3Vud2Z4RXo1L2xqcVBxUUtVNHUxWG95UE1MYkph?= =?utf-8?B?dWx3Y1dsZjVwNFlUWjAvYmovajZEYnJyVlpabGdzMTJvSEw3Wi9aY2p0N095?= =?utf-8?B?dFlUZ1FKZldFV2dtQ2RQM1BJR0FGcmh1RFI3bURwVW5VVjR0QmlkZUhnVW5U?= =?utf-8?B?YkkwL3BFOXlTbW1VQ0ErVTYxSFhXWFNYOGJ0R0NYWWtoRTJEazFSM3JnQUdG?= =?utf-8?B?c2FLRzQ0Y2x1Q3FkV1dZMHgwdWdLQXhLTEtBcm1uYnJMdmMwZG5BdnJOZXo5?= =?utf-8?B?ZlB6aGk4WkdtVG16T2NtMzVWR2xJcG9ZWUhuV3FLVmtxNlJIbmR6SXRHSEd0?= =?utf-8?B?STM3NFRqcjYwZWFxMll1MTREL0paRU9kcnVJczhyMXZxN0R1WUFCRXp2Tkpj?= =?utf-8?B?eC8rT0VQU2E1S3lZejJYMm9UeGg1WDI1VTR0c2RISkJHL0hkdzUyamdxUm9u?= =?utf-8?B?c2lHOWFvMGd5ZFpGQm44azN2N21uellRS0pqT3ozSk9DMU9MZnlZZ2JsV2RP?= =?utf-8?B?elBrWTl1RFNWeDFyamtTREszQUFhek5Ka2tCd2h1ejBCTVNFR29ET2RYcE1u?= =?utf-8?B?L3dOQVdWMG16L0lXUmZVL2FzV0Q0UVo3Ly9sV3BEYXFMRDRkOU5NNmMwQkZJ?= =?utf-8?B?ZTcvS0lzT0ZvMmJ5UWMrSUJDejhxaGQ5NUo2OUtwN2FhVm81Q3FDc1h6TEFK?= =?utf-8?B?YnpzUm5EcWgvSmlEMllvRHRQd1FISDN2S0oxQTJuR0pZcGg1bUtpVzRnPT0=?= X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: b711472e-78e0-4f88-23da-08da869508cf X-MS-Exchange-CrossTenant-AuthSource: PRAP251MB0567.EURP251.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Aug 2022 12:26:28.5512 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8P251MB0119 X-Rspamd-Queue-Id: 4MD2JQ0tBJz4322 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=pass header.d=outlook.com header.s=selector1 header.b="Zg/211rO"; arc=pass ("microsoft.com:s=arcselector9901:i=1"); dmarc=pass (policy=none) header.from=outlook.com; spf=pass (mx1.freebsd.org: domain of clopmz@outlook.com designates 40.92.59.10 as permitted sender) smtp.mailfrom=clopmz@outlook.com X-Spamd-Result: default: False [-0.62 / 15.00]; FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN(2.50)[]; SUBJECT_ENDS_QUESTION(1.00)[]; ARC_ALLOW(-1.00)[microsoft.com:s=arcselector9901:i=1]; NEURAL_HAM_SHORT(-0.99)[-0.985]; NEURAL_HAM_MEDIUM(-0.90)[-0.899]; NEURAL_HAM_LONG(-0.77)[-0.767]; R_MIXED_CHARSET(0.53)[subject]; DMARC_POLICY_ALLOW(-0.50)[outlook.com,none]; R_DKIM_ALLOW(-0.20)[outlook.com:s=selector1]; R_SPF_ALLOW(-0.20)[+ip4:40.92.0.0/15]; MIME_GOOD(-0.10)[text/plain]; FREEMAIL_FROM(0.00)[outlook.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[outlook.com:dkim]; FREEMAIL_ENVFROM(0.00)[outlook.com]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; ASN(0.00)[asn:8075, ipnet:40.80.0.0/12, country:US]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[outlook.com:+]; FROM_EQ_ENVFROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-pf@freebsd.org,freebsd-net@FreeBSD.org] X-ThisMailContainsUnwantedMimeParts: N On 25/08/2022 12:20, Michael Gmelin wrote: > > > On Thu, 25 Aug 2022 10:48:45 +0200 > Carlos López Martínez wrote: > >> Hi all, >> >> I am tryping to rate limit public connections for certain services to >> avoid brutforce attacks under a FreeBSD 13.1 firewall. Under OpenBSD >> is "pretty simple" with a rule like: >> >> table persist >> block quick from >> pass inet proto tcp from ! to (egress:0) port >> $tcp_services \ >> flags S/SA keep state \ >> (max-src-conn 100, max-src-conn-rate 15/5, \ >> overload flush global) rdr-to $internal_server >> >> But under Freebsd when I try to combine "pass" with "rdr" rules, it >> doesn't works. For example: >> >> rdr on egress inet proto tcp from ! to egress port >> $tcp_services -> $internal_server >> >> pass in on egress inet proto tcp from ! to >> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn >> 100, max-src-conn-rate 15/5, overload flush global) >> >> Any idea about what am I doing wrong? > > Your pass rule won't match the rdr rule, as it is matched *after* > rdr was applied. So at this point the target address is not egress:0, > anymore, but $internal_server. > > If your traffic passes anyway, it's probably matched by some other more > general rule. > > You could simplify your config by using tags, which could look like > this: > > rdr on egress inet proto tcp from ! to \ > egress port $tcp_services tag pass_rate_limit -> $internal_server > > pass in quick flags S/SA keep state (max-src-conn 100, \ > max-src-conn-rate 15/5, overload flush global) \ > tagged pass_rate_limit > > Using the "pass quick" rule early in your pf.conf will make sure it is > applied instead of other matching rules. > > Cheers > Michael > It is working now using "rdr on egress... tag..." and "pass in quick .... tagged ...." Many thanks Michael and kaycee -- Best regards, C. L. Martinez