Best way to decrease DDoS with pf.
Drew Tomlinson
drew at mykitchentable.net
Fri May 18 10:36:04 PDT 2007
On 5/18/2007 9:54 AM Abdullah Ibn Hamad Al-Marri said the following:
> On 5/18/07, Kian Mohageri <kian.mohageri at gmail.com> wrote:
>
>> On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie at gmail.com> wrote:
>> > Thank you for the tip.
>> >
>> > Here's what I'm using, which fixed the issue.
>> >
>> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
>> > flags S/SA synproxy state
>> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
>> > flags S/SA keep state \
>> > (max-src-conn 30, max-src-conn-rate 30/3, \
>> > overload <bruteforce> flush global)
>> > pass out proto tcp to any keep state
>> >
>> > Comments?
>>
>> The first rule won't match anything (same criteria as second rule, and
>> last match wins with pf). On the third rule, use 'flags S/SA' unless
>> you have a good reason not to.
>>
>> Kian
>>
>
> I thought the first rule would defeat SYN floods.
>
> Is the second rule going to do the same job as the first rule and
> prevent SYN floods?
>
> As for the third rule's syntax, should I make it like this?
>
> "pass out proto tcp to any flags S/SA keep state" and shall I add the
> same for udp?
>
> "pass out proto udp to any flags S/SA keep state" ?
AFAIK, no reason to set flags on udp traffic. Only tcp traffic has flags.
Cheers,
Drew
--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
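As an added example (not posted by anyone in this thread), the fragment below shows how the two overlapping rules quoted above can be collapsed into one, following Kian's point: pf applies the last matching rule, so a separate synproxy rule with identical match criteria is never used. Putting synproxy and the per-source limits on the same rule, and adding a block rule for the overload table, gives the behaviour the poster was after. The `ext_if` and `tcp_services` macro values are assumptions for illustration; the `<bruteforce>` table name and the limits come from the quoted rules.

```pf
# Added example pf.conf fragment. $ext_if and $tcp_services are assumed
# to be defined like this (values are illustrative):
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Table that collects sources exceeding the limits below.
# 'persist' keeps the table loaded even when no rule references it.
table <bruteforce> persist

# Drop offenders early. 'quick' stops rule evaluation here, so no later
# pass rule can re-admit an address that landed in the table.
block in quick on $ext_if from <bruteforce>

# One rule instead of two with the same match criteria: synproxy makes
# pf complete the TCP handshake itself before any state reaches the
# server, so half-open SYNs from a flood never consume server resources.
# The state options cap each source at 30 concurrent connections and
# 30 new connections per 3 seconds; exceeding either adds the source to
# <bruteforce>, and 'flush global' tears down all of its existing states.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

# Outbound rules. Flags only exist for TCP, as Drew notes, so the UDP
# rule carries no flags clause.
pass out on $ext_if proto tcp to any flags S/SA keep state
pass out on $ext_if proto udp to any keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, and inspect what the overload option has collected with `pfctl -t bruteforce -T show`. Two caveats a practitioner should weigh: synproxy requires pf to see both directions of the connection, so it does not work on asymmetric paths, and per-source limits apply to the source address, so many clients behind one NAT gateway count as a single source and can be locked out together.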
More information about the freebsd-pf mailing list