Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?
Date: Thu, 25 Aug 2022 09:26:49 UTC
On 25.08.2022 at 10:48, Carlos López Martínez wrote:
> But under FreeBSD when I try to combine "pass" with "rdr" rules, it
> doesn't work. For example:
>
> rdr on egress inet proto tcp from !<internal_networks> to egress port
> $tcp_services -> $internal_server
>
> pass in on egress inet proto tcp from !<internal_networks> to (egress:0)
> port $tcp_services flags S/SA keep state (max-src-conn 100,
> max-src-conn-rate 15/5, overload <bruteforce> flush global)

rdr comes first, so probably the second rule should be:

pass in on egress inet proto tcp from !<internal_networks> to {(egress:0), $internal_server} port ...

or maybe only:

pass in on egress inet proto tcp from !<internal_networks> to $internal_server port ...

depending on the desired behavior and the complete set of rules.

It's also worth mentioning here that a PF-specific FreeBSD mailing list exists: freebsd-pf@freebsd.org

Regards,
--
Marek Zarychta
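For readers who want the complete picture rather than the two fragments above: the following pf.conf fragment is an added example, not code posted by either participant. It works from the fact that in FreeBSD's pf the rdr translation is applied before the filter rules are evaluated, so a pass rule that should match redirected connections must name the post-translation destination ($internal_server), not the egress address. The interface group "egress", the addresses, the port list and the macro and table names are all assumptions chosen for illustration; the overload options are those from the thread.

```pf
# Constructed pf.conf fragment (FreeBSD 13). Assumed names and addresses:
# "egress" interface group, RFC 5737 server address, ports 22 and 443.
ext_if          = "egress"
internal_server = "192.0.2.10"
tcp_services    = "{ 22, 443 }"

table <internal_networks> { 10.0.0.0/8, 192.168.0.0/16 }
table <bruteforce> persist

set skip on lo0

# Translation runs before filtering: the pass rule below therefore has to
# match the rewritten destination ($internal_server), not ($ext_if:0).
rdr on $ext_if inet proto tcp from !<internal_networks> to ($ext_if:0) \
    port $tcp_services -> $internal_server

# Sources already in <bruteforce> are dropped before the pass rule is
# reached; "quick" stops evaluation here for them.
block in quick on $ext_if from <bruteforce>

# Limit 100 concurrent connections and 15 new connections per 5 seconds
# per source; a source exceeding either limit is added to <bruteforce>
# and, because of "flush global", all of its existing states are killed.
pass in on $ext_if inet proto tcp from !<internal_networks> \
    to $internal_server port $tcp_services flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# Let the redirected connections leave towards the internal host.
pass out inet proto tcp to $internal_server port $tcp_services keep state
```

Two points a practitioner should keep in mind with this layout. First, entries added to <bruteforce> by the overload option stay in the table until something removes them; a cron job running `pfctl -t bruteforce -T expire 86400` removes entries older than 24 hours, and `pfctl -t bruteforce -T show` lists what is currently blocked. Second, `flush global` kills every state from the offending source, including states created by other rules, so a source that trips the limit on port 22 also loses its connections on port 443; use plain `flush` if only the states created by this rule should be dropped.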