Date: Thu, 25 Aug 2022 14:26:26 +0200
From: Carlos López Martínez <clopmz@outlook.com>
To: freebsd-pf@freebsd.org, freebsd-net@FreeBSD.org
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
Message-ID: <PRAP251MB0567459C38F07785FEDFC3D9DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
In-Reply-To: <20220825122023.08491369.grembo@freebsd.org>
References: <PRAP251MB0567D1AA046EAE25E55B64F2DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM> <20220825122023.08491369.grembo@freebsd.org>
On 25/08/2022 12:20, Michael Gmelin wrote:
>
> On Thu, 25 Aug 2022 10:48:45 +0200
> Carlos López Martínez <clopmz@outlook.com> wrote:
>
>> Hi all,
>>
>> I am trying to rate limit public connections for certain services to
>> avoid brute-force attacks under a FreeBSD 13.1 firewall. Under OpenBSD
>> it is "pretty simple" with a rule like:
>>
>> table <bruteforce> persist
>> block quick from <bruteforce>
>> pass inet proto tcp from !<internal_networks> to (egress:0) port $tcp_services \
>>     flags S/SA keep state \
>>     (max-src-conn 100, max-src-conn-rate 15/5, \
>>     overload <bruteforce> flush global) rdr-to $internal_server
>>
>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it
>> doesn't work. For example:
>>
>> rdr on egress inet proto tcp from !<internal_networks> to egress port $tcp_services -> $internal_server
>>
>> pass in on egress inet proto tcp from !<internal_networks> to (egress:0) port $tcp_services \
>>     flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>>
>> Any idea about what I am doing wrong?
>
> Your pass rule won't match the rdr rule, as it is matched *after*
> rdr was applied. So at this point the target address is not egress:0
> anymore, but $internal_server.
>
> If your traffic passes anyway, it's probably matched by some other more
> general rule.
>
> You could simplify your config by using tags, which could look like
> this:
>
> rdr on egress inet proto tcp from !<internal_networks> to \
>     egress port $tcp_services tag pass_rate_limit -> $internal_server
>
> pass in quick flags S/SA keep state (max-src-conn 100, \
>     max-src-conn-rate 15/5, overload <bruteforce> flush global) \
>     tagged pass_rate_limit
>
> Using the "pass quick" rule early in your pf.conf will make sure it is
> applied instead of other matching rules.
>
> Cheers
> Michael
>

It is working now using "rdr on egress... tag..." and "pass in quick .... tagged ....".
Many thanks Michael and kaycee.

-- 
Best regards,
C. L. Martinez
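The exchange above leaves the pieces scattered across two messages. Below is an added example, not posted by either participant, that assembles them into one FreeBSD 13 pf.conf fragment in the order pf requires (translation rules before filter rules). The interface name, address ranges, server address and ports are placeholders chosen here, not values from the thread. The point Michael makes is that by the time filter rules run, rdr has already rewritten the destination to $internal_server, so a pass rule written against egress:0 never matches; tagging the connection in the rdr rule lets the filter rule find it without repeating the match criteria. One ordering caveat is easy to miss: the `block quick from <bruteforce>` rule must come before the `pass in quick ... tagged` rule, because the first matching quick rule wins and a pass quick rule placed first would let overloaded sources through regardless of the table.

```conf
# Added example: complete pf.conf fragment for rate-limited, redirected
# TCP services on FreeBSD 13.  Values below are assumptions for illustration.
internal_server = "10.0.0.10"                    # assumed internal host
tcp_services    = "{ 22, 443 }"                  # assumed published ports

table <internal_networks> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }  # assumed
table <bruteforce> persist

# FreeBSD does not populate an "egress" interface group automatically the way
# OpenBSD does; put the external interface in it, e.g. "ifconfig em0 group egress"
# (or add "group egress" to ifconfig_em0 in rc.conf).  Interface name is assumed.

# --- Translation (evaluated first) ------------------------------------------
# Tag the redirected connections so the filter rule can recognise them after
# the destination has become $internal_server.
rdr on egress inet proto tcp from !<internal_networks> to \
    egress port $tcp_services tag pass_rate_limit -> $internal_server

# --- Filtering ---------------------------------------------------------------
# Offenders first: with quick rules the first match wins, so this must sit
# above the "pass in quick ... tagged" rule or the table has no effect.
block quick from <bruteforce>

# More than 100 concurrent connections, or more than 15 new connections in
# 5 seconds, from one source adds that source to <bruteforce> and kills all
# of its existing states ("flush global").
pass in quick flags S/SA keep state (max-src-conn 100, \
    max-src-conn-rate 15/5, overload <bruteforce> flush global) \
    tagged pass_rate_limit
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the tagged rule is actually being hit with `pfctl -vsr` (the Evaluations and Packets counters under the rule should increase as connections arrive). `pfctl -t bruteforce -T show` lists the sources currently blocked; since the table is `persist` and overload entries never age out on their own, run something like `pfctl -t bruteforce -T expire 86400` from cron to drop entries older than a day.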
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?PRAP251MB0567459C38F07785FEDFC3D9DB729>