question about max-src-conn and max-src-conn-rate

Tony B ghostsniper007 at hotmail.com
Thu Jul 16 02:37:41 UTC 2009


thank you for the reply, 


This is the network layout I have:


INTERNET-----($ext_if)[firewall/gateway]($int_if)-------[webservers on lan]

Does that change much as per the suggestions?

I would need the pass out rules if the webservers executed a curl or wget, correct?


Can someone suggest a max-src-conn-rate that would identify an attack? All the online examples are far too strict.









From: Valentin Bud 
Sent: Wednesday, July 15, 2009 9:18 AM
To: Tony 
Cc: freebsd-pf at freebsd.org 
Subject: Re: question about max-src-conn and max-src-conn-rate





On Tue, Jul 14, 2009 at 6:12 PM, Tony <ghostsniper007 at hotmail.com> wrote:


  Below is a packet filter snippet from my config file:



  block drop log quick from <brute>
  ...
  pass in  quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)
  pass out quick on $int_if proto tcp from any to <webs> port 80 flags S/SA keep state

  pass out quick on $ext_if proto tcp from <webs> port 80   to any flags SA/SA keep state
  pass in  quick on $int_if proto tcp from <webs> port 80   to any flags SA/SA keep state




  Question 1:
  Should the bruteforce rules be on each line, or just that first one?



  Question 2:
  If they should be on each line, should I multiply the values (80, 200/2) by 4 ?



  Question 3:
  Are the rates I'm using reasonable? Blocking should be on the loose side.




  I'm open to any thoughts, opinions or screams on best practices

  _______________________________________________
  freebsd-pf at freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-pf
  To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"


Hello Tony,

 First I will "draw" a diagram of your network to see if I get it right.

INTERNET-----($ext_if)[WEB_SRV]($int_if)-------LAN

From your post what I think you want to accomplish is: to restrict connections to WEB_SRV to
200 conns in 2 seconds and a maximum of 80 connections from one source IP. If any one of
those conditions is met, overload the table <brute> with that IP and flush all the states that
IP created.

Now the question is: do you want the above conditions to apply to traffic from both INTERNET and
LAN or only to traffic coming from INTERNET/LAN?

If the conditions should apply only for traffic coming from internet the following
does that:

block drop log quick from <brute>

pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)

pass in quick on $int_if proto tcp from <webs> port 80  to any flags S/SA keep state

No need for "pass out" rules because of the keep state keyword which tells the firewall
to allow outgoing traffic to IPs that already established a connection with WEB_SRV on port
80.

So the answer to "Question 1" is: depends and no
You don't need the "pass out" rules so no need to repeat the brute force rule :).
Now it depends: if you want the same policy to apply to traffic coming in from LAN you
must add the brute force rule (I guess you meant the "max-src-conn ..." part) to the rule
that applies to traffic coming in on $int_if.

Question 2
You don't have to multiply the values by anything if you want to limit the connections
coming from one source IP to 80 and no more than 200 conns in 2 seconds for
traffic coming in from both directions. You can change them as you need. Suppose you
want to limit the maximum connections from one LAN IP to 120 and no more than
50/2; you would change the rule applied to $int_if.

Question 3
Now this depends on the amount of incoming connections coming in from one source IP.
For example if a visitor tries to open 81 connections at the same time and you wish
to let that happen you must increase the max-src-conn to something above 81.
The same applies to max-src-conn-rate. 

I suggest you (re)read the pf FAQ from the OpenBSD website (http://openbsd.org/faq/pf/filter.html)
and there is a great book on pf - The Book of PF, Peter N.M. Hansteen - which I kindly suggest
you should read so you get a better understanding of pf overall.

a great day,
v
-- 
network warrior since 2005

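Added example (not from either message in this thread): a pf.conf fragment for the gateway layout Tony describes, with the web servers on the LAN behind the firewall rather than on the firewall itself. Interface names, the web server addresses and the thresholds are assumptions to be adapted; the addresses come from the RFC 5737 documentation range and the fragment assumes the servers are reachable without a separate rdr (or that one is applied elsewhere).

```pf
# Added example for: INTERNET-----($ext_if)[firewall/gateway]($int_if)-------[webservers on lan]
# Interface names, addresses and limits are assumptions; adapt them to your site.
ext_if = "em0"
int_if = "em1"

# Web servers behind the firewall (constructed documentation-range addresses).
table <webs>  { 192.0.2.10, 192.0.2.11 }
# "persist" keeps the overload table across ruleset reloads, so a blocked
# source stays blocked until you expire or delete it.
table <brute> persist

set skip on lo0
block log all

# Drop anything from an overloaded source before any pass rule is consulted.
block drop log quick from <brute>

# One rule carries the limits. The state it creates is floating (the default
# state-policy), so the same packet is also accepted when it leaves on $int_if
# and the reply path is covered too; no separate "pass out" rules are needed.
#   max-src-conn 80         : at most 80 simultaneous states from one source IP
#   max-src-conn-rate 200/2 : at most 200 *new* connections from one source IP in 2 s
#   overload <brute>        : a source exceeding either limit is added to <brute>
#   flush global            : and every state that source created, under any rule, is killed
pass in quick on $ext_if proto tcp from any to <webs> port 80 \
    flags S/SA keep state \
    (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)

# Web servers fetching something themselves (curl, wget, package updates):
# the initial SYN arrives on $int_if from a high source port, so match on the
# destination port, not on "from <webs> port 80".
pass in quick on $int_if proto tcp from <webs> to any port { 80, 443 } \
    flags S/SA keep state
```

Forwarding must be enabled on the gateway (net.inet.ip.forwarding=1) for this to carry traffic at all. Check the syntax with `pfctl -nf /etc/pf.conf` before loading. To tune the limits on the loose side rather than guess, run with the values above for a few days and watch who actually trips them with `pfctl -t brute -T show`; `pfctl -vsr` shows per-rule hit counters, `pfctl -t brute -T expire 3600` removes entries older than an hour, and `pfctl -t brute -T delete <address>` clears a single false positive. One caveat worth keeping in mind when choosing numbers: both limits count per source IP, so an office or ISP proxy that NATs many browsers behind one address looks like a single very busy client, which is the usual reason the strict values in online examples lock out legitimate visitors.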
