Best way to decrease DDoS with pf.

Kian Mohageri kian.mohageri at gmail.com
Sat May 19 01:12:21 PDT 2007


On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie at gmail.com> wrote:
> On 5/19/07, Kian Mohageri <kian.mohageri at gmail.com> wrote:
> > On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie at gmail.com> wrote:
> > > On 5/18/07, Kian Mohageri <kian.mohageri at gmail.com> wrote:
> > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie at gmail.com> wrote:
> > > > > On 5/18/07, Kian Mohageri <kian.mohageri at gmail.com> wrote:
> > > > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie at gmail.com> wrote:
> > > > > > > Thank you for the tip.
> > > > > > >
> > > > > > > Here is what I'm using, which fixed the issue.
> > > > > > >
> > > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > > > > > flags S/SA synproxy state
> > > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > > > >         flags S/SA keep state \
> > > > > > >         (max-src-conn 30, max-src-conn-rate 30/3, \
> > > > > > >          overload <bruteforce> flush global)
> > > > > > > pass out proto tcp to any keep state
> > > > > > >
> > > > > > > Comments?
> > > > > >
> > > > > > The first rule won't match anything (same criteria as second rule, and
> > > > > > last match wins with pf).  On the third rule, use 'flags S/SA' unless
> > > > > > you have a good reason not to.
> > > > > >
> > > > > > Kian
> > > > > >
> > > > >
> > > > > I thought the first rule would defeat SYN flood.
> > > > >
> > > > > Is the second rule going to do the same job as the first rule and
> > > > > prevent SYN flood?
> > > >
> > > > The rules are different obviously, but the criteria match the same
> > > > traffic.  Because PF will apply the last matching rule by default
> > > > (unless 'quick' is used), your first rule will never be applied.  You
> > > > could use synproxy state on the second rule, and remove the first
> > > > entirely.
> > > >
> > > > > As for the third rule's syntax, should I make it like this?
> > > > >
> > > > > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > > > > same for udp?
> > > > >
> > > > > "pass out proto udp to any flags S/SA keep state" ?
> > > >
> > > > If you only want to pass UDP and TCP, then you can do something like this:
> > > >
> > > > pass out proto tcp to any flags S/SA keep state
> > > > pass out proto udp to any keep state
> > > >
> > > > Kian
> > > >
> > >
> > > Alright, can you give me synproxy in the first line entry? I tried to
> > > add it, and I got an error.
> >
> > No?  I'm confused about what you're asking for.  Paste what you tried first.
> >
>
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
>          flags S/SA synproxy state \
>          (max-src-conn 30, max-src-conn-rate 30/3, \
>           overload <bruteforce> flush global)
>
> I added synproxy after S/SA to the rule, but the rules didn't load and
> it says it's wrong.
> --

synproxy state implies S/SA, I believe.  Try without flags.
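A loadable version of the single rule Kian suggests, as an added example that is not from the thread: the `ext_if` and `tcp_services` macro values are assumed placeholders, the `bruteforce` table declaration is added because the rule references it, and a block rule for that table is added because the rules quoted above only collect offending addresses without ever blocking them.

```conf
# Added example, not from the thread. Macro values are placeholders.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# The overload target must exist before a rule references it.
# 'persist' keeps the table around even while no rule is using it.
table <bruteforce> persist

# Drop traffic from addresses the overload clause has added to the table.
# 'quick' ends evaluation here, so the pass rule below never applies to them.
block in quick on $ext_if from <bruteforce>

# One rule instead of two: the thread's first rule could never match, since
# pf applies the last matching rule and the second rule had the same
# criteria.  synproxy state already includes keep state, and following
# Kian's reply the 'flags S/SA' are left out because synproxy implies them.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

# max-src-conn 30        : at most 30 simultaneous states per source address
# max-src-conn-rate 30/3 : at most 30 new connections per source in 3 seconds
# overload <bruteforce>  : a source exceeding either limit is added to the table
# flush global           : every state from that source is killed, not only
#                          the states this rule created (a legitimate client
#                          behind a busy NAT loses all its sessions at once)

pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; addresses stay in the table until removed with `pfctl -t bruteforce -T flush` or aged out with `pfctl -t bruteforce -T expire <seconds>`.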

