From: Valentin Bud <valentin.bud@gmail.com>
Date: Wed, 15 Jul 2009 16:18:41 +0300
To: Tony
Cc: freebsd-pf@freebsd.org
Subject: Re: question about max-src-conn and max-src-conn-rate
Message-ID: <139b44430907150618y32473898i3a245c627c7091f2@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

On Tue, Jul 14, 2009 at 6:12 PM, Tony wrote:
> Below is a packet filter snippet from my config file:
>
> block drop log quick from
> ...
> pass in quick on $ext_if proto tcp from any to port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload flush global)
> pass out quick on $int_if proto tcp from any to port 80 flags S/SA keep state
>
> pass out quick on $ext_if proto tcp from port 80 to any flags SA/SA keep state
> pass in quick on $int_if proto tcp from port 80 to any flags SA/SA keep state
>
> Question 1:
> Should the bruteforce rules be on each line, or just that first one?
>
> Question 2:
> If they should be on each line, should I multiply the values (80, 200/2) by 4?
>
> Question 3:
> Are the rates I'm using reasonable? Blocking should be on the loose side.
>
> I'm open to any thoughts, opinions or screams on best practices.

Hello Tony,

First I will "draw" a diagram of your network to see if I get it right.

INTERNET-----($ext_if)[WEB_SRV]($int_if)-------LAN

From your post, what I think you want to accomplish is: to restrict connections to WEB_SRV to 200 conns in 2 seconds and a maximum of 80 connections from one source IP. If any one of those conditions is met, overload the table with that IP and flush all the states that IP created.

Now the question is: do you want the above conditions to apply to traffic from both INTERNET and LAN, or only to traffic coming from INTERNET/LAN?

If the conditions should apply only to traffic coming from the internet, the following does that:

block drop log quick from
pass in quick on $ext_if proto tcp from any to port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload flush global)
pass in quick on $int_if proto tcp from port 80 to any flags S/SA keep state

No need for "pass out" rules because of the *keep state* keyword, which tells the firewall to allow outgoing traffic to IPs that already established a connection with WEB_SRV on port 80.

So the answer to "Question 1" is: *depends* and *no*. You don't need the "pass out" rules, so there is no need to repeat the brute force rule :). Now it depends: if you want the same policy to apply to traffic coming in from the LAN, you must add the brute force rule (I guess you meant the "max-src-conn ..." part) to the rule that applies to traffic coming in on $int_if.

Question 2
You don't have to multiply the values by anything if you want to limit the connections coming from one source IP to 80 and no more than 200 conns in 2 seconds for traffic coming in from both directions. You can change them as you need. Suppose you want to limit the maximum connections from one LAN IP to 120 and no more than 50/2; you would change the rule applied to $int_if.

Question 3
Now this depends on the amount of incoming connections coming in from one source IP. For example, if a visitor tries to open 81 connections at the same time and you wish to let that happen, you must increase max-src-conn to something above 81. The same applies to max-src-conn-rate.

I suggest you (re)read the pf FAQ from the OpenBSD website (http://openbsd.org/faq/pf/filter.html), and there is a great book on pf, The Book of PF by Peter N.M. Hansteen, which I kindly suggest you read so you get a better understanding of pf overall.

a great day,
v

--
network warrior since 2005
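The complete pf.conf fragment that the reply sketches, written out as an added example (this is not Tony's or Valentin's configuration from the thread). The archive lost the name of the overload table, so `<bruteforce>` is an assumption, as are the interface names `em0`/`em1`, the use of the interface address as the web server destination, and the separate LAN limits (120 connections, 50 per 2 seconds) the reply mentions for Question 2:

```pf
# Added example pf.conf fragment (not from the thread). Interface names,
# the <bruteforce> table name, the destination addresses and the LAN
# limits are assumptions made for this example.
ext_if = "em0"
int_if = "em1"

# Sources that trip the limits are added here. "persist" keeps the table
# defined even while it is empty, so pfctl -t bruteforce -T ... always works.
table <bruteforce> persist

# Drop (and log to pflog0) anything from an address already in the table.
# "quick" ends rule evaluation, so none of the pass rules below can match it.
block drop log quick from <bruteforce>

# Internet-facing rule: at most 80 concurrent connections per source IP and
# at most 200 new connections per source IP in any 2-second window.
# On overload the source is added to <bruteforce>, and "flush global" kills
# every state that source owns, not only states created by this rule.
pass in quick on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA keep state \
    (max-src-conn 80, max-src-conn-rate 200/2, overload <bruteforce> flush global)

# LAN-facing rule with its own limits (the 120 and 50/2 values from the
# reply), applied to connections entering on $int_if from the LAN subnet.
pass in quick on $int_if proto tcp from $int_if:network to $int_if port 80 \
    flags S/SA keep state \
    (max-src-conn 120, max-src-conn-rate 50/2, overload <bruteforce> flush global)
```

Two operational points follow from the reply's design. Addresses added by `overload` never leave the table on their own, so check it with `pfctl -t bruteforce -T show` and age entries out periodically, for example `pfctl -t bruteforce -T expire 86400` from cron to remove entries older than a day. The `log` keyword on the block rule is what lets you see which blocked sources are still trying (`tcpdump -n -e -ttt -i pflog0`), which is the quickest way to tell whether the limits are catching real abuse or legitimate visitors.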