From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: "LI Xin"
Cc: FreeBSD PF Pro List <freebsd-pf@freebsd.org>
Date: Thu, 28 Jun 2007 14:00:44 +0300
Subject: Re: Flush ICMP and UDP flooders
Message-ID: <499c70c0706280400p57a0ab78xd3b75d7857bca4b2@mail.gmail.com>
In-Reply-To: <468393F9.2030805@delphij.net>
References: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com> <468393F9.2030805@delphij.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 6/28/07, LI Xin wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > Hello,
> >
> > I would like to block ICMP and UDP flooders who exceed a reasonable number.
> >
> > #- Rate Limit UDP (150 per host)
> > pass proto udp to any port $udp_services keep state
> > pass in quick proto udp from any to any \
> >     keep state \
> >     (max-src-conn 1, max-src-states 151, \
> >     overload flush global)
> >
> > #- Rate Limit ICMP (10 per host)
> > pass in quick proto icmp from any to any \
> >     keep state \
> >     (max-src-conn 1, max-src-states 11, \
> >     overload flush global)
>
> I think ICMP and UDP can have their originating address forged, so this
> will effectively construct a truly remotely triggerable DoS...
>
> Cheers,
> --
> Xin LI http://www.delphij.net/
> FreeBSD - The Power to Serve!

Thank you Li,

I set antispoof in my pf.conf for the NIC; would these rules help or not? Do you have suggestions about the values? I run bind on the servers.

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
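The point Xin raises above, worked through as an added example (this is not code from the thread, nor pf's own implementation): a toy model of per-source state counting with an overload table that is flushed globally, behaving the way the quoted rules expect it to. Because ICMP and UDP carry no handshake, a packet whose source field is forged to a legitimate client's address is counted against that client; once the limit is crossed, the client lands in the overload table and its real traffic is dropped. The model also shows what antispoof covers: it drops packets arriving on the outside interface that claim a source inside the local network, and says nothing about an arbitrary remote address. The class and function names, the local network, and the client addresses (documentation ranges) are all constructed for the illustration. One caveat from pf.conf(5) worth keeping in mind when reading the quoted rules: pf ties the overload table to max-src-conn and max-src-conn-rate, which count only TCP connections that completed the 3-way handshake, precisely so that the blocked address cannot have been spoofed; for plain UDP and ICMP states, max-src-states alone merely refuses new states beyond the limit.

```python
# Added example, not code from the thread or from pf: a toy model of
# "max-src-states N ... overload <table> flush global" as the quoted rules
# expect it to behave, used to show the forged-source problem and the
# limits of antispoof. All addresses are constructed documentation ranges.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network

MAX_SRC_STATES = 11                      # the ICMP value used in the thread
LOCAL_NET = ip_network("192.0.2.0/24")   # assumed: the network behind the filtered NIC


@dataclass
class SourceTracker:
    """Bookkeeping behind per-source state limits with an overload table."""
    max_src_states: int
    local_net: IPv4Network
    states: dict = field(default_factory=dict)   # source address -> open states
    overload: set = field(default_factory=set)   # the overload <table>

    def antispoof_drops(self, src: str) -> bool:
        # antispoof on the external interface: a packet arriving from outside
        # whose source claims to be inside the local network is dropped.
        # An arbitrary external source address is not something it can judge.
        return ip_address(src) in self.local_net

    def new_flow(self, src: str, from_outside: bool = True) -> str:
        """One packet that would create a new ICMP/UDP state from `src`."""
        if from_outside and self.antispoof_drops(src):
            return "drop:antispoof"
        if src in self.overload:
            return "drop:overload"
        count = self.states.get(src, 0) + 1
        if count > self.max_src_states:
            # overload <table> flush global: the source goes into the table and
            # every state it created is killed, so its existing traffic dies too
            self.overload.add(src)
            self.states.pop(src, None)
            return "drop:overload"
        self.states[src] = count
        return "pass"


def forged_source_flood(tracker: SourceTracker, victim: str, packets: int) -> str:
    """Packets whose source field is forged to `victim` are indistinguishable
    from the victim's own packets, so they count against the victim's limit.
    Returns what happens to the victim's next genuine packet afterwards."""
    for _ in range(packets):
        tracker.new_flow(victim)
    return tracker.new_flow(victim)


def demo() -> dict:
    t = SourceTracker(MAX_SRC_STATES, LOCAL_NET)
    victim = "198.51.100.7"        # constructed: a legitimate remote resolver talking to bind
    before = t.new_flow(victim)    # the victim's genuine traffic passes
    after = forged_source_flood(t, victim, MAX_SRC_STATES)
    return {
        "victim_before": before,
        "victim_after": after,                       # now blocked by the overload table
        "victim_states_left": t.states.get(victim, 0),
        "local_forgery": t.new_flow("192.0.2.5"),    # antispoof does catch this one
        "other_remote": t.new_flow("203.0.113.9"),   # ... but has no opinion on this one
        "table": sorted(t.overload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the victim passing before the forged packets arrive, being dropped afterwards with zero states left, the locally-sourced forgery caught by antispoof, and an unrelated remote address passing untouched.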