How to apply brute force rate limiting with rdr and pass rules under FreeBSD 13?
Date: Thu, 25 Aug 2022 08:48:45 UTC
Hi all,
I am trying to rate limit public connections for certain services to
avoid brute-force attacks under a FreeBSD 13.1 firewall. Under OpenBSD it is
"pretty simple" with a rule like:
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from !<internal_networks> to (egress:0) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global) rdr-to $internal_server
But under FreeBSD, when I try to combine "pass" with "rdr" rules, it
doesn't work. For example:
rdr on egress inet proto tcp from !<internal_networks> to egress port $tcp_services \
    -> $internal_server
pass in on egress inet proto tcp from !<internal_networks> to (egress:0) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
Any idea about what am I doing wrong?
--
Best regards,
C. L. Martinez
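The following pf.conf fragment is an added example (not from the message above and not an official FreeBSD configuration) showing how the OpenBSD single-rule form is usually expressed with the separate rdr and pass rules that FreeBSD 13's pf uses. The point it illustrates: on FreeBSD the rdr translation is applied before the filter rules are evaluated, so the pass rule that carries the max-src-conn / max-src-conn-rate / overload options has to match the translated destination ($internal_server), not the external address. The interface name em0, the documentation address 192.0.2.10, the port list and the internal network ranges are assumptions chosen for the example; substitute your own macros and tables.

```pf
# Added example for FreeBSD 13 pf (not the original poster's configuration).
# Assumptions: em0 is the external interface; 192.0.2.10 (RFC 5737 documentation
# range) stands in for the real internal server; ports 22 and 443 are the
# services being published.

ext_if = "em0"                      # assumed external interface
internal_server = "192.0.2.10"      # assumed internal server address
tcp_services = "{ 22, 443 }"        # assumed published services

table <internal_networks> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <bruteforce> persist

set skip on lo0

# Translation section: must come before the filter rules in pf.conf.
# After this rule matches, the packet's destination is $internal_server.
rdr on $ext_if inet proto tcp from !<internal_networks> to ($ext_if) \
    port $tcp_services -> $internal_server

# Filter section. Sources already in <bruteforce> are dropped first;
# "quick" stops rule evaluation so the pass rule below never sees them.
block in quick on $ext_if from <bruteforce>

# Rate limit on the redirected flow: the destination here is the internal
# server because translation has already happened. A source that exceeds
# 100 concurrent states or 15 new connections per 5 seconds is added to
# <bruteforce> and all of its existing states are flushed.
pass in on $ext_if inet proto tcp from !<internal_networks> \
    to $internal_server port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

If you want to keep writing "egress" instead of a concrete interface, add the interface to that group yourself (`ifconfig em0 group egress`); unlike OpenBSD, FreeBSD does not populate the egress group automatically. Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and inspect which sources have been caught with `pfctl -t bruteforce -T show`. Because the table is `persist`, entries stay until removed; a periodic `pfctl -t bruteforce -T expire 86400` from cron drops addresses that have not been touched for a day, which keeps a single misbehaving client from being locked out forever.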