Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?

From: kaycee gb <kisscoolandthegangbang_at_hotmail.fr>
Date: Thu, 25 Aug 2022 10:16:18 UTC
On Thu, 25 Aug 2022 11:32:57 +0200,
Carlos López Martínez <clopmz@outlook.com> wrote:

> On 25/08/2022 11:26, Marek Zarychta wrote:
> > On 25.08.2022 at 10:48, Carlos López Martínez wrote:  
>  [...]  
> > 
> > rdr comes first, so probably the second rule should be:
> > pass in on egress inet proto tcp from !<internal_networks> to 
> > {(egress:0), $internal_server} port ...
> > or maybe only:
> > pass in on egress inet proto tcp from !<internal_networks> to 
> > $internal_server port ...
> > depending on the desired behavior and the complete set of rules.
> > 
> > It's also worth mentioning here that PF-specific FreeBSD mailing list 
> > exists: freebsd-pf@freebsd.org
> > 
> > Regards,  
> 
> Thanks Marek ... But if rdr comes first, the pass rule will not be applied, 
> right? I mean, how can I apply rate limiting options "flags S/SA keep 
> state (max-src-conn 100...." in a rdr rule?
> 
> 

Hi,

It should be applied. 

If you have an "rdr pass ..." rule you can't apply options like rate limiting,
IIRC. 

As Marek said, you need both rdr and pass rules and his example seems good. 

Your rdr rule with
> > or maybe only:
> > pass in on egress inet proto tcp from !<internal_networks> to 
> > $internal_server port ...

is what I would do. Have you tried it?

Or maybe a "pass in quick ..." variant. I'm a fan of the quick option. 

Another option would be to use the tag option:
rdr on egress ... tag INTSERVICES -> ...

pass in on egress tagged INTSERVICES flags ... 

or with quick option

pass in quick on egress tagged INTSERVICES flags ... 

Hope that helps. 

K.
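The following pf.conf fragment is an added example illustrating the advice in this thread; it is not code posted by any of the participants. It combines the two ideas discussed above: a plain rdr rule (no "pass") that only translates and tags the connection, followed by a separate pass rule that carries the rate-limiting state options, matched on the already-translated destination as in Marek's second variant. The address 192.0.2.10, the networks in <internal_networks>, the table name <bruteforce>, port 22 and the numeric limits are constructed placeholders; "egress", <internal_networks>, $internal_server and the INTSERVICES tag are taken from the thread.

```pf
# Added example (not from the thread): rdr + pass pair with brute-force rate limiting.
# Constructed placeholders: 192.0.2.10, the <internal_networks> members, port 22,
# the <bruteforce> table name and the connection limits below.
internal_server = "192.0.2.10"
table <internal_networks> { 10.0.0.0/8, 192.168.0.0/16 }
table <bruteforce> persist          # populated automatically by "overload" below

# 1. Translation only. Without "pass" the packet still has to match a filter
#    rule, which is where the state options can be attached.
rdr on egress inet proto tcp from !<internal_networks> to (egress:0) port 22 \
    tag INTSERVICES -> $internal_server port 22

# 2. Filtering. Filter rules see the packet after translation, so the
#    destination is already $internal_server. "quick" stops evaluation here.
#    Sources that trip the limits land in <bruteforce> and are dropped first.
block in quick on egress from <bruteforce>
pass in quick on egress inet proto tcp from !<internal_networks> \
    to $internal_server port 22 tagged INTSERVICES \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/30, \
     overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect which sources have been rate limited with `pfctl -t bruteforce -T show`. "flush global" tears down the existing states of an offending source as well as adding it to the table; leave it out if you only want new connections blocked.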