From owner-freebsd-pf@FreeBSD.ORG Fri May 18 16:54:20 2007
Message-ID: <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com>
Date: Fri, 18 May 2007 19:54:19 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: "Kian Mohageri"
Cc: Volker, freebsd-pf@freebsd.org
Subject: Re: Best way to decrease DDoS with pf.
References: <464D6880.2080306@vwsoft.com> <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/18/07, Kian Mohageri wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri wrote:
> > Thank you for the tip.
> >
> > Here is what I'm using, which fixed the issue.
> >
> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > flags S/SA synproxy state
> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > flags S/SA keep state \
> > (max-src-conn 30, max-src-conn-rate 30/3, \
> > overload flush global)
> > pass out proto tcp to any keep state
> >
> > Comments?
>
> The first rule won't match anything (same criteria as second rule, and
> last match wins with pf). On the third rule, use 'flags S/SA' unless
> you have a good reason not to.
>
> Kian
>

I thought the first rule would defeat a SYN flood.

Is the second rule going to do the same job as the first rule, and will it prevent a SYN flood?

As for the third rule's syntax, should I make it like this?

"pass out proto tcp to any flags S/SA keep state"

And shall I add the same for udp?

"pass out proto udp to any flags S/SA keep state" ?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
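One way to lay out the rules being discussed in this thread, written as an added example that is not from any of the participants; the interface name, the service list and the <flood> table name are assumptions, not values from the messages above.

```pf
# Added example, not from the thread. Assumed macros and table name.
ext_if = "em0"                      # assumed external interface
tcp_services = "{ 22, 80, 443 }"    # assumed published services

# Sources that exceed the limits below are added to this table and
# blocked until the entries are removed, for example periodically with
# 'pfctl -t flood -T expire 3600'.
table <flood> persist

block in quick on $ext_if from <flood>

# One inbound rule, not two: pf applies the last matching rule, so a
# 'synproxy state' rule followed by an otherwise identical 'keep state'
# rule leaves only the 'keep state' rule in effect. 'synproxy state'
# completes the TCP handshake on the firewall before the host behind it
# sees the connection, and the source-tracking options still apply.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <flood> flush global)

# Outbound: 'flags S/SA' means only an initial SYN creates state for TCP.
# UDP carries no TCP flags, so 'flags' is not valid on a UDP rule; the
# UDP rule simply keeps state.
pass out on $ext_if proto tcp to any flags S/SA keep state
pass out on $ext_if proto udp to any keep state
```

Check the result with 'pfctl -nf /etc/pf.conf' before loading it, and watch the table with 'pfctl -t flood -T show' to confirm that overload entries are being added as expected.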