Date: Wed, 15 Jul 2009 16:18:41 +0300
From: Valentin Bud <valentin.bud@gmail.com>
To: Tony <ghostsniper007@hotmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: question about max-src-conn and max-src-conn-rate
Message-ID: <139b44430907150618y32473898i3a245c627c7091f2@mail.gmail.com>
In-Reply-To: <COL106-W36D87D1E308A510FBE56078C230@phx.gbl>
References: <COL106-W36D87D1E308A510FBE56078C230@phx.gbl>
On Tue, Jul 14, 2009 at 6:12 PM, Tony <ghostsniper007@hotmail.com> wrote:
>
> Below is a packet filter snippet from my config file:
>
> block drop log quick from <brute>
> ...
> pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)
> pass out quick on $int_if proto tcp from any to <webs> port 80 flags S/SA keep state
>
> pass out quick on $ext_if proto tcp from <webs> port 80 to any flags SA/SA keep state
> pass in quick on $int_if proto tcp from <webs> port 80 to any flags SA/SA keep state
>
> Question 1:
> Should the bruteforce rules be on each line, or just that first one?
>
> Question 2:
> If they should be on each line, should I multiply the values (80, 200/2) by 4?
>
> Question 3:
> Are the rates I'm using reasonable? Blocking should be on the loose side.
>
> I'm open to any thoughts, opinions or screams on best practices.

Hello Tony,

First I will "draw" a diagram of your network to see if I get it right.

INTERNET-----($ext_if)[WEB_SRV]($int_if)-------LAN

From your post, what I think you want to accomplish is: to restrict connections to WEB_SRV to 200 conns in 2 seconds and a maximum of 80 connections from one source IP. If any one of those conditions is met, overload the table <brute> with that IP and flush all the states that IP created.
Now the question is: do you want the above conditions to apply to traffic from both INTERNET and LAN, or only to traffic coming from INTERNET/LAN? If the conditions should apply only to traffic coming from the internet, the following does that:

block drop log quick from <brute>
pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)
pass in quick on $int_if proto tcp from <webs> port 80 to any flags S/SA keep state

No need for "pass out" rules because of the *keep state* keyword, which tells the firewall to allow outgoing traffic to IPs that already established a connection with WEB_SRV on port 80.

So the answer to "Question 1" is: *depends* and *no*. You don't need the "pass out" rules, so there is no need to repeat the brute force rule :). Now it depends: if you want the same policy to apply to traffic coming in from LAN, you must add the brute force rule (I guess you meant the "max-src-conn ..." part) to the rule that applies to traffic coming in on $int_if.

Question 2
You don't have to multiply the values by anything if you want to limit the connections coming from one source IP to 80 and no more than 200 conns in 2 seconds for traffic coming in from both directions. You can change them as you need. Suppose you want to limit the maximum connections from one LAN IP to 120 and no more than 50/2; you would change the rule applied to $int_if.

Question 3
Now this depends on the amount of incoming connections coming in from one source IP. For example, if a visitor tries to open 81 connections at the same time and you wish to let that happen, you must increase max-src-conn to something above 81. The same applies to max-src-conn-rate.

I suggest you (re)read the pf FAQ from the OpenBSD website (http://openbsd.org/faq/pf/filter.html), and there is a great book on pf, The Book of PF by Peter N.M. Hansteen, which I kindly suggest you read so you get a better understanding of pf overall.
a great day,
v

--
network warrior since 2005
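The two-policy layout Valentin describes, written out as an added example (not a ruleset from the thread or from Tony's config): pf runs on WEB_SRV itself as in his diagram, so LAN clients arrive on $int_if; the interface names, the table declarations, the TEST-NET address, the LAN-side limits and the pfctl housekeeping commands are assumptions.

```pf
# Added example, not from the original thread. $ext_if, $int_if, <webs>
# and <brute> come from the thread; interface names, table contents and
# the LAN-side limits below are assumptions.
ext_if = "em0"
int_if = "em1"

# <brute> must be declared "persist" so pf keeps the table while it is
# empty; "overload" adds offending source IPs to it at runtime.
table <brute> persist
table <webs> { 192.0.2.10 }   # constructed address (TEST-NET-1)

# Blocked sources are matched first; "log" writes a pflog record you can
# audit when a legitimate client trips the limits.
block drop log quick from <brute>

# Internet side: at most 80 open connections per source IP and at most 200
# new connections per 2 seconds per source IP. Exceeding either limit puts
# the source in <brute>; "flush global" tears down every state it created.
pass in quick on $ext_if proto tcp from any to <webs> port 80 \
    flags S/SA keep state \
    (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)

# LAN side with its own, independent limits (the "120 and 50/2" case from
# the reply). Drop the parenthesised options to leave LAN clients unlimited.
pass in quick on $int_if proto tcp from any to <webs> port 80 \
    flags S/SA keep state \
    (max-src-conn 120, max-src-conn-rate 50/2, overload <brute> flush global)

# No "pass out" rules are needed: "keep state" already allows the return
# traffic of the connections passed above.

# Entries added by "overload" never age out on their own, so review and
# expire them from a shell (or a cron job), e.g. after 24 hours:
#   pfctl -t brute -T show
#   pfctl -t brute -T expire 86400
```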