PF and GeoIP to update country table?

Volker volker at
Wed May 9 16:38:42 UTC 2007

On 05/09/07 17:23, Abdullah Ibn Hamad Al-Marri wrote:
>> unfortunately I'm unable to imagine if it's nice or really, really bad
>> idea to block certain countries. It sounds like a chinese wall. If the
>> machine in question is a web server, it might be a hardly bad idea and
>> would lead into another dimension of separating the world.
> There are Arabs and ppl speak and read Arabic in the other countries
> but I have to lose them since the forum is getting 24/7 days hits by
> Arabic script kiddies who think they are elite and will flood it with
> fake http requests which kills the MySQL server right away.
> The problem is they have tons of bots run in m$ systems, and I have
> only 2 choices.
> Shut down the forum, or block other countries IPs, if you were in my
> place what would you do?


how do these attacks look like? Is it script driven MASS-posting? How

You may probably use pf's ability to set per IP triggers (ie if a
single IP address is opening too much tcp connections in a time frame,
you may block that). If these scripts are running not too often
against your web server, this is not of use for you.

As I understand, these script kiddies are trying to automagically post
into your forum. What about requiring graphical confirmation before
the post is accepted? That way, you're letting legitimate users in
from around the world but keep robots out. If you're using something
like phpBB, there are (anti spam) modules for graphical confirmation.

Again, the best solution (balanced between your concerns and
legitimate use for all people) depends on how these attacks against
your forum does look like. If there are frequent accesses from the
same set of IP addresses, you may use pf. Otherwise this should be
blocked by your forum software. Arabic people are really around the world.

If you want to try pf's trigger functionality (see "stateful tracking
options" in pf.conf(5) ), keep in mind that every http request (html
pages, graphics etc.) may lead into may single tcp connections. This
means, don't set the limits too short before blocking an IP address.



More information about the freebsd-pf mailing list