question about max-src-conn and max-src-conn-rate
valentin.bud at gmail.com
Wed Jul 15 13:19:03 UTC 2009
On Tue, Jul 14, 2009 at 6:12 PM, Tony <ghostsniper007 at hotmail.com> wrote:
> Below is a packet filter snippet from my config file:
> block drop log quick from <brute>
> pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA
> keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush
> pass out quick on $int_if proto tcp from any to <webs> port 80 flags S/SA
> keep state
> pass out quick on $ext_if proto tcp from <webs> port 80 to any flags
> SA/SA keep state
> pass in quick on $int_if proto tcp from <webs> port 80 to any flags
> SA/SA keep state
> Question 1:
> Should the bruteforce rules be on each line, or just that first one?
> Question 2:
> If they should be on each line, should I multiply the values (80, 200/2) by
> 4 ?
> Question 3:
> Are the rates I'm using reasonable? blocking should be on the loose side
> I'm open to any thoughts, opinions or screams on best practices
> Attention all humans. We are your photos. Free us.
> freebsd-pf at freebsd.org<http://go.microsoft.com/?linkid=9666046_______________________________________________%0Afreebsdemail@example.com>mailing list
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
First i will "draw" a diagram of your network to see if i get it right.
>From your post what i think you want to accomplish is: to restrict
connections to WEB_SRV to
200 conns in 2 seconds and a maximum of 80 connections from one source IP.
If any one of
those conditions are met overload the table <brute> with that IP and flush
all the states that
Now the questions is: do you want the above conditions to apply to traffic
from both INTERNET and
LAN or only to traffic coming from INTERNET/LAN.
If the conditions should apply only for traffic coming from internet the
block drop log quick from <brute>
pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA
keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush
pass in quick on $int_if proto tcp from <webs> port 80 to any flags S/SA
No need for "pass out" rules because of the *keep state* keyword which tells
to allow outgoing traffic to IPs that already established a connection with
WEB_SRV on port
So the answer to "Question 1" is: *depends *and *no
*You don't need the "pass out" rules so no need to repeat the brute force
Now it depends, if you want the same policy to apply to traffic coming in
from LAN you
must add the brute force rule (i guess you meant the "max-src-conn ..."
part) to the rule
that applies to traffic coming in $int_if.
You don't have to multiply the values by nothing if you want to limit the
coming from one source IP to 80 and no more than 200 conns in 2 seconds for
traffic coming in from both directions. You can change them as you need.
want to limit the maximum connections from one LAN IP to 120 and no more
50/2 you would change the rule applied to $int_if.
Now this depends on the amount of incoming connections coming in from one
For example if a visitor tries to open 81 connections at the same time and
to let that happen you must increase the max-src-conn to something above 81.
The same applies to max-src-conn-rate.
I suggest you (re)read the pf faq from openbsd website (
and there is a great book of pf - The Book of PF, Peter N.M. Hansteen which
i kindly suggest
you should read so you get a better understanding of pf overall.
a great day,
network warrior since 2005
More information about the freebsd-pf