Date: Wed, 15 Jul 2009 22:36:21 -0400
From: "Tony B" <ghostsniper007@hotmail.com>
To: "Valentin Bud" <valentin.bud@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: question about max-src-conn and max-src-conn-rate
Message-ID: <COL106-DS5EE679C5F6E5593B2AAC48C210@phx.gbl>
In-Reply-To: <139b44430907150618y32473898i3a245c627c7091f2@mail.gmail.com>
References: <COL106-W36D87D1E308A510FBE56078C230@phx.gbl> <139b44430907150618y32473898i3a245c627c7091f2@mail.gmail.com>
Thank you for the reply.

This is the network layout I have:

    INTERNET-----($ext_if)[firewall/gateway]($int_if)-------[webservers on lan]

Does that change much as per the suggestions?

I would need the pass out rules if the webservers executed a curl or wget, correct?

Can someone suggest a max-src-conn-rate that would identify an attack? All the online examples are far too strict.

From: Valentin Bud
Sent: Wednesday, July 15, 2009 9:18 AM
To: Tony
Cc: freebsd-pf@freebsd.org
Subject: Re: question about max-src-conn and max-src-conn-rate

On Tue, Jul 14, 2009 at 6:12 PM, Tony <ghostsniper007@hotmail.com> wrote:

Below is a packet filter snippet from my config file:

    block drop log quick from <brute>
    ...
    pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)
    pass out quick on $int_if proto tcp from any to <webs> port 80 flags S/SA keep state
    pass out quick on $ext_if proto tcp from <webs> port 80 to any flags SA/SA keep state
    pass in quick on $int_if proto tcp from <webs> port 80 to any flags SA/SA keep state

Question 1: Should the bruteforce rules be on each line, or just that first one?

Question 2: If they should be on each line, should I multiply the values (80, 200/2) by 4?

Question 3: Are the rates I'm using reasonable? Blocking should be on the loose side.

I'm open to any thoughts, opinions or screams on best practices.

Hello Tony,

First I will "draw" a diagram of your network to see if I get it right.

    INTERNET-----($ext_if)[WEB_SRV]($int_if)-------LAN

From your post, what I think you want to accomplish is: to restrict connections to WEB_SRV to 200 conns in 2 seconds and a maximum of 80 connections from one source IP. If any one of those conditions is met, overload the table <brute> with that IP and flush all the states that IP created.

Now the question is: do you want the above conditions to apply to traffic from both INTERNET and LAN, or only to traffic coming from INTERNET/LAN?

If the conditions should apply only for traffic coming from the internet, the following does that:

    block drop log quick from <brute>
    pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)
    pass in quick on $int_if proto tcp from <webs> port 80 to any flags S/SA keep state

No need for "pass out" rules because of the keep state keyword, which tells the firewall to allow outgoing traffic to IPs that already established a connection with WEB_SRV on port 80.

So the answer to "Question 1" is: depends, and no. You don't need the "pass out" rules, so no need to repeat the brute force rule :). Now it depends: if you want the same policy to apply to traffic coming in from the LAN, you must add the brute force rule (I guess you meant the "max-src-conn ..." part) to the rule that applies to traffic coming in on $int_if.

Question 2: You don't have to multiply the values by anything if you want to limit the connections coming from one source IP to 80 and no more than 200 conns in 2 seconds for traffic coming in from both directions. You can change them as you need. Suppose you want to limit the maximum connections from one LAN IP to 120 and no more than 50/2; you would change the rule applied to $int_if.

Question 3: Now this depends on the amount of incoming connections coming in from one source IP. For example, if a visitor tries to open 81 connections at the same time and you wish to let that happen, you must increase max-src-conn to something above 81. The same applies to max-src-conn-rate.

I suggest you (re)read the PF FAQ from the OpenBSD website (http://openbsd.org/faq/pf/filter.html), and there is a great book on pf, The Book of PF by Peter N.M. Hansteen, which I kindly suggest you read so you get a better understanding of pf overall.

a great day,
v

--
network warrior since 2005
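An added example, not written by either poster, showing how the rules discussed in the thread fit into a complete pf.conf for the gateway layout Tony drew (firewall between $ext_if and the web servers on the LAN). Interface names, addresses, the LAN thresholds and the outbound curl/wget rule are assumptions; it relies on pf's floating state policy (the default) so that the single "pass in" rule with keep state also lets the reply packets through on the other interface, which is why no "pass out" rules appear:

```pf
# pf.conf for a gateway in front of web servers (assumed names and addresses)
ext_if = "em0"
int_if = "em1"
lan_net = "10.0.0.0/24"
table <webs> { 10.0.0.10, 10.0.0.11 }
table <brute> persist          # persist: keep the table even when no rule references it

set skip on lo0
set state-policy floating      # the default; stated so the single-rule design is explicit

block log all
block drop log quick from <brute>

# Web traffic arriving from the internet. One stateful rule is enough: with a
# floating state the reply packets match it on $int_if and $ext_if as well.
# max-src-conn      = simultaneous connections per source that completed the handshake
# max-src-conn-rate = new connections per source within the interval (here 200 in 2 s)
# Exceeding either puts the source in <brute>; "flush global" kills every state that
# source holds, not just the ones created by this rule.
pass in quick on $ext_if proto tcp from any to <webs> port 80 \
    flags S/SA keep state \
    (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)

# LAN clients reaching the web servers. This is the "Question 2" case: the policy
# is repeated on $int_if with its own values instead of multiplying the first rule's.
pass in quick on $int_if proto tcp from $lan_net to <webs> port 80 \
    flags S/SA keep state \
    (max-src-conn 120, max-src-conn-rate 50/2, overload <brute> flush global)

# Web servers running curl/wget themselves (Tony's follow-up). The outbound request
# arrives on $int_if, so the extra rule is a "pass in" there, not a "pass out".
pass in quick on $int_if proto tcp from <webs> to any port { 80, 443 } \
    flags S/SA keep state

# Operate the table from the shell (commands, not rules):
#   pfctl -nf /etc/pf.conf                 # syntax-check before loading
#   pfctl -t brute -T show                 # list sources currently blocked
#   pfctl -t brute -T delete 198.51.100.7  # release one source by hand
#   pfctl -t brute -T expire 86400         # drop entries idle for more than a day
```

Two caveats when picking the numbers: pf.conf(5) describes max-src-conn-rate as an approximation computed as a moving average, so a burst that is only slightly over the figure may or may not trip it, and every client behind a NAT shares one source address, so a figure that looks generous for one browser (which opens only a handful of parallel connections per host) can be hit by an office of them. Watching `pfctl -t brute -T show` together with `pfctl -vsr` counters for a while before tightening the values is the safest way to find a threshold that catches floods without blocking a busy proxy.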