From: "Tony B"
To: "Valentin Bud"
Cc: freebsd-pf@freebsd.org
Date: Wed, 15 Jul 2009 22:36:21 -0400
Subject: Re: question about max-src-conn and max-src-conn-rate

Thank you for the reply,

This is the network layout I have:

INTERNET-----($ext_if)[firewall/gateway]($int_if)-------[webservers on lan]

Does that change much as per the suggestions?
I would need the pass out rules if the webservers executed a CURL or wget, correct?

Can someone suggest a max-src-conn-rate that would identify an attack? All the online examples are far too strict.

From: Valentin Bud
Sent: Wednesday, July 15, 2009 9:18 AM
To: Tony
Cc: freebsd-pf@freebsd.org
Subject: Re: question about max-src-conn and max-src-conn-rate

On Tue, Jul 14, 2009 at 6:12 PM, Tony wrote:

Below is a packet filter snippet from my config file:

block drop log quick from ...
pass in quick on $ext_if proto tcp from any to port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload flush global)
pass out quick on $int_if proto tcp from any to port 80 flags S/SA keep state
pass out quick on $ext_if proto tcp from port 80 to any flags SA/SA keep state
pass in quick on $int_if proto tcp from port 80 to any flags SA/SA keep state

Question 1: Should the bruteforce rules be on each line, or just that first one?

Question 2: If they should be on each line, should I multiply the values (80, 200/2) by 4?

Question 3: Are the rates I'm using reasonable? Blocking should be on the loose side.

I'm open to any thoughts, opinions or screams on best practices.

Hello Tony,

First I will "draw" a diagram of your network to see if I get it right.

INTERNET-----($ext_if)[WEB_SRV]($int_if)-------LAN

From your post what I think you want to accomplish is: to restrict connections to WEB_SRV to 200 conns in 2 seconds and a maximum of 80 connections from one source IP.
If any one of those conditions is met, overload the table with that IP and flush all the states that IP created.

Now the question is: do you want the above conditions to apply to traffic from both INTERNET and LAN, or only to traffic coming from INTERNET/LAN?

If the conditions should apply only for traffic coming from the internet, the following does that:

block drop log quick from
pass in quick on $ext_if proto tcp from any to port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload flush global)
pass in quick on $int_if proto tcp from port 80 to any flags S/SA keep state

No need for "pass out" rules because of the keep state keyword, which tells the firewall to allow outgoing traffic to IPs that already established a connection with WEB_SRV on port 80.

So the answer to "Question 1" is: depends and no.

You don't need the "pass out" rules, so no need to repeat the brute force rule :). Now it depends: if you want the same policy to apply to traffic coming in from LAN you must add the brute force rule (I guess you meant the "max-src-conn ..." part) to the rule that applies to traffic coming in $int_if.

Question 2

You don't have to multiply the values by anything if you want to limit the connections coming from one source IP to 80 and no more than 200 conns in 2 seconds for traffic coming in from both directions. You can change them as you need. Suppose you want to limit the maximum connections from one LAN IP to 120 and no more than 50/2; you would change the rule applied to $int_if.

Question 3

Now this depends on the amount of incoming connections coming in from one source IP. For example if a visitor tries to open 81 connections at the same time and you wish to let that happen you must increase the max-src-conn to something above 81.
The same applies to max-src-conn-rate.

I suggest you (re)read the pf faq from the openbsd website (http://openbsd.org/faq/pf/filter.html) and there is a great book on pf, The Book of PF by Peter N.M. Hansteen, which I kindly suggest you should read so you get a better understanding of pf overall.

a great day,
v

--
network warrior since 2005
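As an added example that is not part of this thread, here is a complete pf.conf fragment putting the pieces discussed above together for Tony's stated layout (firewall in front of web servers on the LAN). The interface names, the web server address, the table name <bruteforce> and the extra rule answering the curl/wget question are all assumptions of this example, not something either poster wrote.

```pf
# Added example, not code from the thread. Interface names, the web
# server address and the table name <bruteforce> are assumptions.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"        # constructed address (RFC 5737 range)

# The overload target must exist before a rule can reference it;
# "persist" keeps the table even while it is empty.
table <bruteforce> persist

# Drop anything from an address that already tripped the limits.
# Listed first, with "quick", so it wins over the pass rules below.
block drop log quick from <bruteforce> to any

# Internet-facing rule: at most 80 concurrent connections from one
# source and at most 200 new connections in any 2-second window.
# Exceeding either adds the source to <bruteforce>, and "flush global"
# kills every state that address created, not only the port-80 ones.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-conn 80, max-src-conn-rate 200/2, \
     overload <bruteforce> flush global)

# No "pass out" rules are needed for the web traffic itself: the state
# created above also matches the packets leaving on $int_if toward the
# server and the replies coming back.

# Outbound fetches started by the web servers (curl/wget) are separate
# connections that enter on $int_if, so they need their own rule; the
# inbound state does not cover them. This is the example's assumed
# answer to that question, not the thread's.
pass in quick on $int_if proto tcp from $web_srv to any port { 80 443 } \
    flags S/SA keep state

# Operational checks (run from a shell, shown here as comments):
#   pfctl -t bruteforce -T show           # addresses currently overloaded
#   pfctl -t bruteforce -T expire 86400   # drop entries older than a day
```

Watching the table with the first pfctl command for a few days is the practical way to tune the limits: if legitimate visitors show up in it, the thresholds are too strict for that site.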