From: kaycee gb
To: freebsd-pf@freebsd.org
Cc: freebsd-net@FreeBSD.org
Date: Thu, 25 Aug 2022 12:16:18 +0200
Subject: Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
X-Microsoft-Original-Message-ID: <20220825121618.3a4d0107@slackstro.home.lan>
References: <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl>
X-Mailer: Claws Mail 3.17.6 (GTK+ 2.24.31; x86_64-slackware-linux-gnu)
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Thu, 25 Aug 2022 11:32:57 +0200, Carlos López Martínez wrote:

> On 25/08/2022 11:26, Marek Zarychta wrote:
> > On 25.08.2022 at 10:48, Carlos López Martínez wrote:
> [...]
> >
> > rdr comes first, so probably the second rule should be:
> > pass in on egress inet proto tcp from ! to
> > {(egress:0), $internal_server} port ...
> > or maybe only:
> > pass in on egress inet proto tcp from ! to
> > $internal_server port ...
> > depending on the desired behavior and the complete set of rules.
> >
> > It's also worth mentioning here that a PF-specific FreeBSD mailing list
> > exists: freebsd-pf@freebsd.org
> >
> > Regards,
>
> Thanks Marek ... But if rdr comes first, the pass rule will not be applied,
> right? I mean, how can I apply rate limiting options "flags S/SA keep
> state (max-src-conn 100...." in a rdr rule?
>
>

Hi,

It should be applied.
If you have a "rdr pass ..." rule you can't apply options like rate limiting, IIRC.
As Marek said, you need both rdr and pass rules, and his example seems good.

Your rdr rule with

> > or maybe only:
> > pass in on egress inet proto tcp from ! to
> > $internal_server port ...

is what I would do. Have you tried it? Or maybe a "pass in quick ..." variant. I'm a fan of the quick option.

Another option would be to use the tag option:

rdr on egress ... tag INTSERVICES -> ...
pass in on egress tagged INTSERVICES flags ...

or with the quick option:

pass in quick on egress tagged INTSERVICES flags ...

Hope that helps.

K.
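A worked pf.conf fragment, added here as an illustration and not taken from the thread, showing the two approaches discussed above: a plain rdr rule followed by a filtering pass rule that carries the state options, and the tag/tagged variant with quick. The interface group egress, the macro $internal_server, the ports 22 and 2222, the table name <bruteforce> and the concrete limits are all assumptions chosen for the example. Translation rules must precede filter rules in pf.conf, so both rdr rules come first even though they belong to different variants.

```pf
# Constructed example for the rdr + pass discussion (not from the thread).
# Assumptions: interface group "egress" holds the external interface,
# $internal_server is the redirect target, port 22 is the exposed service,
# <bruteforce> is the overload table. Adjust all of them to your setup.

internal_server = "192.0.2.10"      # placeholder RFC 5737 address
table <bruteforce> persist          # filled by the overload option below

# ---- Translation rules (must come before any filter rule) ----------------

# Variant 1: rdr only translates; it carries no state options. Translation
# happens before filtering, so the pass rule below matches on the translated
# destination ($internal_server), as Marek's "maybe only" rule does.
rdr on egress inet proto tcp from ! <bruteforce> to (egress:0) port 22 \
    -> $internal_server port 22

# Variant 2: same redirect, but the rdr rule tags the packet so the filter
# rule can match on the tag instead of repeating the address/port details.
# A different external port (2222) is used only so both variants coexist here.
rdr on egress inet proto tcp to (egress:0) port 2222 \
    tag INTSERVICES -> $internal_server port 22

# ---- Filter rules --------------------------------------------------------

# Drop anything already in the overload table before it reaches a pass rule.
block in quick on egress inet proto tcp from <bruteforce>

# Variant 1: the rate-limiting knobs live in the state options of the pass rule:
#   max-src-conn 100        at most 100 simultaneous states per source
#   max-src-conn-rate 15/5  at most 15 new connections per 5 seconds per source
#   overload <bruteforce>   sources exceeding either limit are added to the table
#   flush global            and all of their existing states are killed
pass in on egress inet proto tcp from ! <bruteforce> to $internal_server port 22 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Variant 2: match the tag set by the rdr rule; "quick" stops evaluation here
# so no later rule can override the decision.
pass in quick on egress inet proto tcp tagged INTSERVICES \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Check the syntax without loading it with pfctl -nf /etc/pf.conf, and after a test run inspect which sources tripped the limits with pfctl -t bruteforce -T show. Because the limits are state options, they only take effect on the rule that creates the state, which is why a "rdr pass" rule (which passes the packet without a separate filter rule) is not the place to put them.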