question about max-src-conn and max-src-conn-rate

Torsten Kersandt torsten at cnc-london.net
Thu Jul 16 02:47:19 UTC 2009


Hi
I know that many people disagree with this but I would not block any
outgoing requests from the gateway in the first place:
As in:
pass out quick keep state

regards
Torsten

-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On
Behalf Of Tony B
Sent: 16 July 2009 03:36
To: Valentin Bud
Cc: freebsd-pf at freebsd.org
Subject: Re: question about max-src-conn and max-src-conn-rate

Thank you for the reply,


This is the network layout I have:


INTERNET-----($ext_if)[firewall/gateway]($int_if)-------[webservers on lan]

Does that change much as per the suggestions?

I would need the pass out rules if the webservers executed a CURL or wget,
correct?


Can someone suggest a max-src-conn-rate that would identify an attack? All
the online examples are far too strict.
From: Valentin Bud 
Sent: Wednesday, July 15, 2009 9:18 AM
To: Tony 
Cc: freebsd-pf at freebsd.org 
Subject: Re: question about max-src-conn and max-src-conn-rate

On Tue, Jul 14, 2009 at 6:12 PM, Tony <ghostsniper007 at hotmail.com> wrote:


  Below is a packet filter snippet from my config file:



  block drop log quick from <brute>
  ...
  pass in  quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)
  pass out quick on $int_if proto tcp from any to <webs> port 80 flags S/SA keep state

  pass out quick on $ext_if proto tcp from <webs> port 80 to any flags SA/SA keep state
  pass in  quick on $int_if proto tcp from <webs> port 80 to any flags SA/SA keep state




  Question 1:
  Should the bruteforce rules be on each line, or just that first one?



  Question 2:
  If they should be on each line, should I multiply the values (80, 200/2)
by 4 ?



  Question 3:
  Are the rates I'm using reasonable? Blocking should be on the loose side.




  I'm open to any thoughts, opinions or screams on best practices



Hello Tony,

 First I will "draw" a diagram of your network to see if I get it right.

INTERNET-----($ext_if)[WEB_SRV]($int_if)-------LAN

From your post, what I think you want to accomplish is: to restrict
connections to WEB_SRV to 200 conns in 2 seconds and a maximum of 80
connections from one source IP. If either of those conditions is met,
overload the table <brute> with that IP and flush all the states that IP
created.

Now the question is: do you want the above conditions to apply to traffic
from both INTERNET and LAN, or only to traffic coming from INTERNET/LAN?

If the conditions should apply only to traffic coming from the internet,
the following does that:

block drop log quick from <brute>

pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)

pass in quick on $int_if proto tcp from <webs> port 80 to any flags S/SA keep state

No need for "pass out" rules because of the keep state keyword, which tells
the firewall to allow outgoing traffic to IPs that already established a
connection with WEB_SRV on port 80.

So the answer to "Question 1" is: depends and no.
You don't need the "pass out" rules, so there is no need to repeat the brute
force rule :).
Now it depends: if you want the same policy to apply to traffic coming in
from the LAN, you must add the brute force rule (I guess you meant the
"max-src-conn ..." part) to the rule that applies to traffic coming in on
$int_if.

Question 2
You don't have to multiply the values by anything if you want to limit the
connections coming from one source IP to 80 and no more than 200 conns in
2 seconds for traffic coming in from both directions. You can change them as
you need. Suppose you want to limit the maximum connections from one LAN IP
to 120 and no more than 50/2; you would change the rule applied to $int_if.

Question 3
Now this depends on the number of incoming connections coming in from one
source IP. For example, if a visitor tries to open 81 connections at the
same time and you wish to let that happen, you must increase max-src-conn to
something above 81. The same applies to max-src-conn-rate.

I suggest you (re)read the pf FAQ from the OpenBSD website
(http://openbsd.org/faq/pf/filter.html), and there is a great book on pf,
The Book of PF by Peter N.M. Hansteen, which I kindly suggest you read so
you get a better understanding of pf overall.

a great day,
v
-- 
network warrior since 2005
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
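
The following is an added, complete pf.conf fragment illustrating the layout discussed in this thread (a gateway in front of LAN web servers); it is not the original poster's configuration nor anyone's posted rules. It keeps the state-tracking options on the $ext_if rule and shows a second rule on $int_if with the separate LAN limits Valentin uses as an illustration. The interface names em0/em1, the web server addresses, and the use of $int_if:network for the LAN side are assumed placeholders.

```pf
# Added example for a gateway with web servers on the LAN.
# Interface names and addresses are assumed placeholders, not from the thread.
ext_if = "em0"
int_if = "em1"

# Web servers behind the gateway (constructed private addresses).
table <webs> { 192.168.1.10, 192.168.1.11 }

# "persist" keeps the table alive across ruleset reloads even if no rule
# referenced it at load time, so overloaded addresses are not lost.
table <brute> persist

# Anything already overloaded into <brute> is dropped before any pass rule.
block drop log quick from <brute>

# Internet -> web servers. Only packets starting a connection (flags S/SA)
# create state.
#   max-src-conn 80        at most 80 simultaneous states per source IP
#   max-src-conn-rate 200/2 at most 200 new connections per source IP in 2 s
#   overload <brute>       a source exceeding either limit is added to <brute>
#   flush global           and all of its states, from any rule, are killed
pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA \
    keep state (max-src-conn 80, max-src-conn-rate 200/2, \
                overload <brute> flush global)

# LAN -> web servers. Same policy shape, but with its own limits (the
# 120 and 50/2 figures are the ones used as an illustration in the thread).
pass in quick on $int_if proto tcp from $int_if:network to <webs> port 80 \
    flags S/SA keep state (max-src-conn 120, max-src-conn-rate 50/2, \
                           overload <brute> flush global)

# No "pass out" rules for port 80 are needed: the state created by the
# pass-in rule also matches the forwarded packet leaving on the other
# interface and the replies coming back, so they pass without a rule.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -t brute -T show` lists the sources currently overloaded, and `pfctl -t brute -T delete <address>` releases a single one. Because overload adds entries but never removes them, run `pfctl -t brute -T expire 86400` periodically (for example from cron) to drop entries older than a day; otherwise a visitor that once tripped the rate limit stays blocked until the table is cleared by hand.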