Best way to decrease DDoS with pf.

Abdullah Ibn Hamad Al-Marri almarrie at gmail.com
Fri May 18 10:42:22 PDT 2007


On 5/18/07, Drew Tomlinson <drew at mykitchentable.net> wrote:
> On 5/18/2007 9:54 AM Abdullah Ibn Hamad Al-Marri said the following:
>
> > On 5/18/07, Kian Mohageri <kian.mohageri at gmail.com> wrote:
> >
> >> On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie at gmail.com> wrote:
> >> > Thank you for the tip.
> >> >
> >> > Here's what I'm using, which fixed the issue.
> >> >
> >> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> >> > flags S/SA synproxy state
> >> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> >> >         flags S/SA keep state \
> >> >         (max-src-conn 30, max-src-conn-rate 30/3, \
> >> >          overload <bruteforce> flush global)
> >> > pass out proto tcp to any keep state
> >> >
> >> > Comments?
> >>
> >> The first rule won't match anything (same criteria as second rule, and
> >> last match wins with pf).  On the third rule, use 'flags S/SA' unless
> >> you have a good reason not to.
> >>
> >> Kian
> >>
> >
> > I thought the first rule would defeat a SYN flood.
> >
> > Is the second rule going to do the same job as the first rule and
> > prevent a SYN flood?
> >
> > As for the third rule's syntax, should I make it like this?
> >
> > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > same for udp?
> >
> > "pass out proto udp to any flags S/SA keep state" ?
>
>
> AFAIK, no reason to set flags on udp traffic.  Only tcp traffic has flags.
>
> Cheers,
>
> Drew
>
> --
> Be a Great Magician!
> Visit The Alchemist's Warehouse
>
> http://www.alchemistswarehouse.com

Ok, how about it now?

ext_if="fxp0"
int_if="lo0"
tcp_services = "{ domain, www, 123, 5999, 7325, 7771, 59999 }"
udp_services = "{ domain, 123, 514 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              240.0.0.0/4 }"
icmp_types = "8"
table <bruteforce> persist
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on $int_if
set optimization normal
set block-policy drop
set require-order yes
set debug loud
#set fingerprints "/etc/pf.os"
scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if  all reassemble tcp
antispoof for $ext_if inet
antispoof for $int_if
block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block quick log from <bruteforce>
# Pass ICMP type 8 (echo request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass proto udp to any port $udp_services keep state
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any \
             port 33433 >< 33626 keep state
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)
pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
# End

Is it okay now, or shall I do more tweaks?



-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
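An added example, not the poster's ruleset or anything from the FreeBSD project, showing how the two rules discussed in the thread can be merged into one: pf accepts the same state options after `synproxy state` as after `keep state`, so the handshake is proxied by pf and the per-source limits still feed the <bruteforce> table. Macro and table names follow the poster's ruleset; the thresholds are the poster's.

```pf
# Added example; names follow the ruleset posted above.
ext_if="fxp0"
tcp_services = "{ domain, www }"
table <bruteforce> persist

block in log on $ext_if all
block quick log from <bruteforce>

# One rule does both jobs. synproxy state makes pf complete the TCP
# three-way handshake on the server's behalf, so spoofed SYNs never
# create a state or reach the daemon. The state options still count
# per-source connections: a source holding more than 30 states, or
# opening more than 30 connections within 3 seconds, is added to
# <bruteforce> and all of its existing states are flushed.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state \
        (max-src-conn 30, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)

# Outbound: only TCP has flags, so the UDP rule takes none.
pass out on $ext_if proto tcp to any flags S/SA keep state
pass out on $ext_if proto udp to any keep state
```

Addresses stay in the table until removed; `pfctl -t bruteforce -T show` lists them and `pfctl -t bruteforce -T expire 86400` drops entries older than a day.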

