Date:      Fri, 18 May 2007 23:53:48 +0300
From:      "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To:        "Kian Mohageri" <kian.mohageri@gmail.com>
Cc:        Volker <volker@vwsoft.com>, freebsd-pf@freebsd.org
Subject:   Re: Best way to decrease DDoS with pf.
Message-ID:  <499c70c0705181353y63c31c0dv55c5bdbbf259291c@mail.gmail.com>
In-Reply-To: <fee88ee40705181202g7bc3df80v15122ae797217f19@mail.gmail.com>
References:  <464D6880.2080306@vwsoft.com> <499c70c0705180656l4f601c1av45b6f9989792ccf1@mail.gmail.com> <fee88ee40705180905q1017378ak588a2919dbec328b@mail.gmail.com> <499c70c0705180954y2dcd150cpbe8978ee3547a35c@mail.gmail.com> <fee88ee40705181202g7bc3df80v15122ae797217f19@mail.gmail.com>

On 5/18/07, Kian Mohageri <kian.mohageri@gmail.com> wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com> wrote:
> > On 5/18/07, Kian Mohageri <kian.mohageri@gmail.com> wrote:
> > > On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com> wrote:
> > > > Thank you for the tip.
> > > >
> > > > Here's what I'm using, which fixed the issue.
> > > >
> > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > >         flags S/SA synproxy state
> > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > >         flags S/SA keep state \
> > > >         (max-src-conn 30, max-src-conn-rate 30/3, \
> > > >          overload <bruteforce> flush global)
> > > > pass out proto tcp to any keep state
> > > >
> > > > Comments?
> > >
> > > The first rule won't match anything (same criteria as second rule, and
> > > last match wins with pf).  On the third rule, use 'flags S/SA' unless
> > > you have a good reason not to.
> > >
> > > Kian
> > >
> >
> > I thought the first rule would defeat a SYN flood.
> >
> > Is the second rule going to do the same job as the first rule and
> > prevent a SYN flood?
>
> The rules are different obviously, but the criteria match the same
> traffic.  Because PF will apply the last matching rule by default
> (unless 'quick' is used), your first rule will never be applied.  You
> could use synproxy state on the second rule, and remove the first
> entirely.
>
> > As for the third rule syntax, Should I make it like this?
> >
> > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > same for udp?
> >
> > "pass out proto udp to any flags S/SA keep state" ?
>
> If you only want to pass UDP and TCP, then you can do something like this:
>
> pass out proto tcp to any flags S/SA keep state
> pass out proto udp to any keep state
>
> Kian
>

Alright, can you give me synproxy in the first line entry? I tried to
add it, and I get an error.

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
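Editor's note: the merged rule Kian suggests, written out as a complete pf.conf fragment. This is an added example, not a ruleset posted by anyone in the thread. It assumes $ext_if and $tcp_services are defined as in the poster's own pf.conf (the values below are placeholders), keeps the <bruteforce> table name from the thread, and adds the two pieces the posted snippet leaves out: the table declaration and a block rule that actually uses it.

```pf
# Added example (not from the thread). Placeholder macros; replace with
# the real interface and the ports this host serves.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Sources that trip the limits are added here. 'persist' keeps the table
# defined across 'pfctl -f' reloads even while it is empty.
table <bruteforce> persist

# pf applies the LAST matching rule unless 'quick' is set, so the block
# must be 'quick' or the pass rule below would override it.
block in quick on $ext_if from <bruteforce>

# One rule instead of two: both original rules matched the same packets,
# so only the second was ever applied. synproxy state accepts the same
# state options as keep state, so the SYN proxy and the per-source limits
# live in a single rule.
#   max-src-conn 30         at most 30 established connections per source
#   max-src-conn-rate 30/3  at most 30 new connections per 3 seconds
#   overload <bruteforce>   offenders go into the table
#   flush global            and every state from that source is killed,
#                           not just states created by this rule
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state \
        (max-src-conn 30, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)

# flags S/SA is a TCP concept; UDP has no flags, so it gets plain keep state.
pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only) and then load it with `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the addresses that have been overloaded and `pfctl -ss` shows the live states. Entries added by overload never expire on their own, so run something like `pfctl -t bruteforce -T expire 86400` from cron if a banned source should get back in after a day. Keep in mind that synproxy completes the TCP handshake on the server's behalf before forwarding the connection, so it only helps against floods of bare SYNs; a source that completes handshakes is what the max-src-conn-rate limit is for.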