From: Dmitry Selivanov
To: Marco van Tol, freebsd-ipfw@freebsd.org
Subject: Re: equivalent for pf's max-src-conn-rate in ipfw
Date: Fri, 5 May 2017 10:51:38 +0300
List-Id: IPFW Technical Discussions

You can try using the "limit src-addr" keyword and maybe tune net.inet.ip.fw.dyn_syn_lifetime. See the "Examples/DYNAMIC RULES" section of ipfw(8).

05.05.2017 0:46, Marco van Tol wrote:
> Hi there,
>
> Possibly this question pops up regularly. I have tried to find the answer myself and have been unable to so far.
>
> My current way to drastically slow down ssh brute force attacks is by using the pf feature "max-src-conn-rate" with an argument of 5/60, meaning only 5 syn packets are allowed per source IP to my ssh port per minute. The rest get dropped. This works both for IPv4 and IPv6. I typically don't log in more than 5 times per minute to my hosts.
>
> I have tried several ways to get the same behaviour using ipfw and dummynet. But when combining the rules with keep-state I don't get to the point where I get wire-speed ssh connections for those that make it while keeping the number of new connections per source IP at a very low number (a few per minute).
>
> Is there an equivalent in ipfw for the pf feature max-src-conn-rate?
>
> Thank you very much in advance, please keep cc'ing me as I have not subscribed to the ipfw list yet.
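As an added example (not part of Dmitry's reply or Marco's post), here is one way to turn that advice into a small ipfw ruleset: a `check-state` rule followed by a `setup` rule carrying `limit src-addr N`, plus the `dyn_syn_lifetime` sysctl. The rule numbers, variable names, the `ssh_limit_rules` / `apply_ssh_limit` helpers and the use of `me` for the host's own addresses are my own choices, not anything from the thread; the helper only touches the running firewall when `ipfw` is actually present.

```shell
#!/bin/sh
# Added example: per-source cap on SSH sessions using ipfw's "limit src-addr"
# dynamic rule, in the spirit of Dmitry's suggestion. Rule numbers, variable
# names and helper names are assumptions chosen for this example.

SSH_PORT=22
MAX_STATES_PER_SRC=5   # pf's 5/60 is a rate; ipfw's limit caps live dynamic states per source
SYN_LIFETIME=20        # seconds a half-open (SYN-only) state survives before it expires
RULE_BASE=1000         # chosen to sit below a typical catch-all; adjust to your ruleset

# Emit the rules. check-state must come first so that packets of sessions
# already tracked by a dynamic rule match there and are not re-tested
# against the limit; only new SYNs ("setup") reach the limit rule.
ssh_limit_rules() {
    cat <<EOF
add $RULE_BASE check-state
add $((RULE_BASE + 10)) allow log tcp from any to me $SSH_PORT setup limit src-addr $MAX_STATES_PER_SRC
EOF
}

# The sysctl that bounds how long an unfinished handshake keeps one of the
# MAX_STATES_PER_SRC slots occupied; a short value frees slots faster.
syn_lifetime_setting() {
    echo "net.inet.ip.fw.dyn_syn_lifetime=$SYN_LIFETIME"
}

# Apply the ruleset on a FreeBSD host. "ipfw -q add ..." is the documented
# form: global -q first, then the subcommand, so word splitting on $rule is
# intentional here.
apply_ssh_limit() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not available on this host; nothing applied" >&2
        return 1
    fi
    sysctl "$(syn_lifetime_setting)"
    ssh_limit_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        ipfw -q $rule
    done
    # Show the dynamic rules the limit keyword creates, one per tracked session.
    ipfw -d show
}
```

Run `apply_ssh_limit` as root on the firewall host; `ipfw -d show` then lists the dynamic state entries so you can watch how many slots a given source currently holds. Because `limit` counts concurrent states rather than a rate per interval, a client that opens and closes sessions quickly is bounded by how fast its states expire, which is why `dyn_syn_lifetime` (and the related `dyn_*_lifetime` tunables in ipfw(8)) matter for the result.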