Date: Thu, 28 Jun 2007 14:00:44 +0300
From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: "LI Xin" <delphij@delphij.net>
Cc: FreeBSD PF Pro List <freebsd-pf@freebsd.org>
Subject: Re: Flush ICMP and UDP flooders
Message-ID: <499c70c0706280400p57a0ab78xd3b75d7857bca4b2@mail.gmail.com>
In-Reply-To: <468393F9.2030805@delphij.net>
References: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com> <468393F9.2030805@delphij.net>
On 6/28/07, LI Xin <delphij@delphij.net> wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > Hello,
> >
> > I would like to block ICMP and UDP flooders who exceed a reasonable number.
> >
> > #- Rate Limit UDP (150 per host)
> > pass proto udp to any port $udp_services keep state
> > pass in quick proto udp from any to any \
> >     keep state \
> >     (max-src-conn 1, max-src-states 151, \
> >     overload <DDoS> flush global)
> >
> > #- Rate Limit ICMP (10 per host)
> > pass in quick proto icmp from any to any \
> >     keep state \
> >     (max-src-conn 1, max-src-states 11, \
> >     overload <DDoS> flush global)
>
> I think ICMP and UDP can have their originating address forged, so this
> will effectively construct a true remote triggerable DoS...
>
> Cheers,
> --
> Xin LI <delphij@delphij.net> http://www.delphij.net/
> FreeBSD - The Power to Serve!

Thank you Li,

I set antispoof in my pf.conf for the nic. Would these rules help or not? Do you have suggestions about the values?

I run bind on the servers.

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
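As an added illustration, not part of the thread: a pf.conf fragment that applies the per-source limits the poster wants while narrowing the spoofing exposure Xin LI raises. It assumes the external interface is em0 and that the only UDP service is BIND on port 53; note that max-src-conn only counts completed TCP handshakes, so for UDP and ICMP it is max-src-states that does the limiting.

```pf
# Constructed example (not from the mailing-list post): per-source state
# limits for UDP/ICMP with an overload table, plus the checks that keep a
# spoofed-source flood from filling the table with innocent addresses.
ext_if       = "em0"          # assumption: external NIC name
udp_services = "{ domain }"   # BIND on 53/udp, as the poster runs bind

# persist keeps the table across rule reloads so blocks survive "pfctl -f"
table <DDoS> persist

set skip on lo0
scrub in all

# Drop packets arriving on ext_if that claim a source from this host's
# own networks; without this, forged sources trip the overload rules.
antispoof quick for $ext_if

# Anything already in <DDoS> is dropped before the limiting rules run.
block in quick on $ext_if from <DDoS>

# UDP: only the DNS port, 150 concurrent states per source host.
# max-src-states (not max-src-conn, which is TCP-only) is what limits here.
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services \
    keep state (max-src-states 150, overload <DDoS> flush global)

# ICMP: only echo requests, 10 concurrent states per source host.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq \
    keep state (max-src-states 10, overload <DDoS> flush global)

# Outbound traffic from the server itself is unaffected by the limits.
pass out on $ext_if keep state
```

Because a forged source can still land an address in <DDoS>, age entries out rather than keeping them forever, e.g. `pfctl -t DDoS -T expire 3600` from cron, and watch `pfctl -t DDoS -T show` for addresses you did not expect.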