Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?

From: Marek Zarychta <zarychtam_at_plan-b.pwste.edu.pl>
Date: Thu, 25 Aug 2022 09:46:30 UTC
On 25.08.2022 at 11:32, Carlos López Martínez wrote:
> 
> 
> On 25/08/2022 11:26, Marek Zarychta wrote:
>> On 25.08.2022 at 10:48, Carlos López Martínez wrote:
>>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it 
>>> doesn't work. For example:
>>>
>>> rdr on egress inet proto tcp from !<internal_networks> to egress port 
>>> $tcp_services -> $internal_server
>>>
>>> pass in on egress inet proto tcp from !<internal_networks> to 
>>> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn 
>>> 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>>
>> rdr comes first, so probably the second rule should be:
>> pass in on egress inet proto tcp from !<internal_networks> to 
>> {(egress:0), $internal_server} port ...
>> or maybe only:
>> pass in on egress inet proto tcp from !<internal_networks> to 
>> $internal_server port ...
>> depending on the desired behavior and the complete set of rules.
>>
>> It's also worth mentioning here that PF-specific FreeBSD mailing list 
>> exists: freebsd-pf@freebsd.org
>>
>> Regards,
> 
> Thanks Marek ... But if rdr comes first, the pass rule will not be 
> applied, right? I mean, how can I apply the rate limiting options "flags 
> S/SA keep state (max-src-conn 100...." in a rdr rule?
> 
> 

"rdr" needs "pass" at some point. Unfortunately, I know of no real 
modern, decent PF-FAQ for FreeBSD. Probably digging the internet archive 
would help find something more relevant like this Polish translation[1] 
which hasn't been purged from SourceForge yet.

[1] http://openbsdpl.sourceforge.net/www/faq/pf/pl/rdr.html
-- 
Marek Zarychta
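The following pf.conf fragment is an added worked example for the setup discussed above; it is not from Carlos' or Marek's posts. It shows the point Marek makes: translation (rdr) rules are evaluated before filter rules, so the pass rule that carries the max-src-conn / max-src-conn-rate / overload options has to match the already-translated destination, i.e. $internal_server, not the external address. The interface names (em0, em1), addresses and port list are placeholders chosen for the example.

```pf
# Added example, not from the thread: rate-limited rdr + pass on FreeBSD 13 pf.
# Assumptions (placeholders): em0 faces the Internet, em1 faces the LAN,
# the real server is 10.0.0.5, and the internal networks are
# 10.0.0.0/8 and 192.168.0.0/16.

ext_if          = "em0"
int_if          = "em1"
internal_server = "10.0.0.5"
tcp_services    = "{ 22, 443 }"

table <internal_networks> const { 10.0.0.0/8, 192.168.0.0/16 }
# persist keeps the table alive even while no rule has populated it yet.
# Addresses added by 'overload' are never removed automatically.
table <bruteforce> persist

# Translation rules run before filter rules.  Do not use "rdr pass" here:
# the implicit pass it creates bypasses the filter rules and takes no
# state options, so overload cannot be attached to it.
rdr on $ext_if inet proto tcp from !<internal_networks> \
    to ($ext_if:0) port $tcp_services -> $internal_server

# Drop known offenders as early as possible; quick ends rule evaluation.
block in quick on $ext_if from <bruteforce> to any

# By the time this filter rule is evaluated the destination has already
# been rewritten to $internal_server, so that is what it must match.
# A source that opens more than 15 new connections within 5 seconds, or
# holds more than 100 concurrent connections, is added to <bruteforce>;
# 'flush global' then kills every state that source already has.
pass in on $ext_if inet proto tcp from !<internal_networks> \
    to $internal_server port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# Let the redirected connections leave towards the server on the LAN side.
pass out on $int_if inet proto tcp to $internal_server port $tcp_services \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch the table fill with `pfctl -t bruteforce -T show`. Because overload entries are never aged out by pf itself, a periodic `pfctl -t bruteforce -T expire 86400` (here: drop entries older than one day, value chosen for the example) from cron is the usual way to let blocked sources back in.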