Re: How to apply brute force rate limitings with rdr and pass rules under FreeBSD 13?

From: Marek Zarychta <zarychtam_at_plan-b.pwste.edu.pl>
Date: Thu, 25 Aug 2022 10:16:59 UTC
On 25.08.2022 at 12:06, Carlos López Martínez wrote:
> 
> 
> On 25/08/2022 11:46, Marek Zarychta wrote:
>> On 25.08.2022 at 11:32, Carlos López Martínez wrote:
>>>
>>>
>>> On 25/08/2022 11:26, Marek Zarychta wrote:
>>>> On 25.08.2022 at 10:48, Carlos López Martínez wrote:
>>>>> But under FreeBSD when I try to combine "pass" with "rdr" rules, it 
>>>>> doesn't work. For example:
>>>>>
>>>>> rdr on egress inet proto tcp from !<internal_networks> to egress 
>>>>> port $tcp_services -> $internal_server
>>>>>
>>>>> pass in on egress inet proto tcp from !<internal_networks> to 
>>>>> (egress:0) port $tcp_services flags S/SA keep state (max-src-conn 
>>>>> 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>>>>
>>>> rdr comes first, so probably the second rule should be:
>>>> pass in on egress inet proto tcp from !<internal_networks> to 
>>>> {(egress:0), $internal_server} port ...
>>>> or maybe only:
>>>> pass in on egress inet proto tcp from !<internal_networks> to 
>>>> $internal_server port ...
>>>> depending on the desired behavior and the complete set of rules.
>>>>
>>>> It's also worth mentioning here that a PF-specific FreeBSD mailing 
>>>> list exists: freebsd-pf@freebsd.org
>>>>
>>>> Regards,
>>>
>>> Thanks Marek ... But if rdr comes first, the pass rule will not be 
>>> applied, right? I mean, how can I apply the rate limiting options "flags 
>>> S/SA keep state (max-src-conn 100...." in a rdr rule?
>>>
>>>
>>
>> "rdr" needs "pass" at some point. Unfortunately, I know of no real 
>> modern, decent PF FAQ for FreeBSD. Probably digging through the Internet 
>> Archive would help find something more relevant, like this Polish 
>> translation[1] which hasn't been purged from SourceForge yet.
>>
>> [1] http://openbsdpl.sourceforge.net/www/faq/pf/pl/rdr.html
> 
> Uhmm ... maybe it is a bug? Or a not implemented feature? If I put "rdr 
> pass on egress....." the redirection works, but no rate limiting option is 
> applied ....
> 

Please take a look at pf.conf(5), it's still a valid and relevant source 
of information on how to master your ruleset. Try to separate "rdr" from 
"pass" and use two rules like before. The "pass" rule might have an 
"overload <table>" state limiting option and this should work.


-- 
Marek Zarychta
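
A worked ruleset for the approach described in this thread (a separate
"rdr" translation rule and a "pass" filter rule carrying the state-tracking
options), added here as an illustration and not taken from any of the posts.
The interface name, addresses and ports are made-up placeholders, and the
"egress" group from the original rules is replaced by an $ext_if macro
because FreeBSD does not create an egress interface group automatically.

```pf
# Example /etc/pf.conf for FreeBSD 13 (added illustration, not from the thread).
# All names and addresses below are placeholders.
ext_if          = "em0"
internal_server = "192.168.10.5"
tcp_services    = "{ 22, 25 }"

table <internal_networks> { 10.0.0.0/8, 192.168.0.0/16 }
table <bruteforce> persist

# On FreeBSD 13 translation rules are evaluated before filter rules:
# the destination is rewritten to $internal_server first ...
rdr on $ext_if inet proto tcp from !<internal_networks> \
    to ($ext_if) port $tcp_services -> $internal_server

# ... so the filter rules see the translated destination. Drop sources that
# were already overloaded into the table; "quick" stops evaluation here.
block in quick on $ext_if from <bruteforce>

# The state options only exist on a filter rule, so the rate limiting goes
# on the separate "pass", which matches the post-rdr destination
# ($internal_server), not the external address ($ext_if).
pass in on $ext_if inet proto tcp from !<internal_networks> \
    to $internal_server port $tcp_services flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with
`pfctl -f /etc/pf.conf`. A source lands in <bruteforce> after more than 15
new connections within 5 seconds or more than 100 simultaneous states, and
"flush global" tears down all of that source's existing states, not only
those created by this rule. The overload option only ever adds entries, so
list them with `pfctl -t bruteforce -T show` and age them out periodically,
for example `pfctl -t bruteforce -T expire 86400` from cron.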