Henning Brauer
Wed, 25 Nov 2009 00:06:46 -0800
* Jordi Espasa Clofent <jordi.esp...@opengea.org> [2009-11-24 17:32]:
> >># SSH brutes protection
> >>pass quick on $bridge inet proto tcp from any to $vlan10 port 22 keep state \
> >>        (max-src-conn 20, max-src-conn-rate 3/12, \
> >>        overload <ssh_brutes> flush global)
> >>
> >>with success. No problem, all works fine.
> >>
> >>I wonder if I can apply this type of rule to UDP connections (I try
> >>to protect some busy DNS servers)
> >
> >no, there's no way to avoid spoofed requests with UDP. if someone
> >sends a bunch of UDP packets spoofed from $BIG_ISP_RESOLVER's IP
> >address, their legitimate requests will be blocked.
>
> I don't understand your response, Stuart.
> I wonder if the mentioned rule (using max-src-conn and max-src-rate)
> is also applicable to UDP-oriented connections as DNS is.

> >no,
  ^^^^^^

quite clear isn't it? the tcp one works based on completed 3way
handshakes. now think about it.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
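The point Henning and Stuart are making, as an added toy model of the overload rule (example code written for this thread, not pf's implementation; the class and function names and the 192.0.2.53 / 203.0.113.7 addresses are constructed for the illustration):

```python
from collections import defaultdict

RESOLVER = "192.0.2.53"   # constructed: plays $BIG_ISP_RESOLVER from the thread
ABUSER = "203.0.113.7"    # constructed: a host that really opens connections


class OverloadTable:
    """Model of 'max-src-conn-rate N/T, overload <table>': a source that
    exceeds N counted connections within T seconds lands in the table."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(list)   # src -> timestamps that were counted
        self.table = set()

    def count(self, src, now):
        recent = [t for t in self.seen[src] if now - t < self.window]
        recent.append(now)
        self.seen[src] = recent
        if len(recent) > self.limit:
            self.table.add(src)


def tcp_connection(ol, src, now, spoofed=False):
    """pf counts a TCP source only once the 3-way handshake completes.
    A forged source never sees the SYN-ACK, so the handshake never
    completes and nothing is charged to the real owner of that address."""
    if not spoofed:
        ol.count(src, now)


def udp_packet(ol, src, now, spoofed=False):
    """With UDP the first packet alone creates state. The filter cannot
    tell a forged source address from a genuine one, so 'spoofed' is
    deliberately ignored here: it is counted either way."""
    ol.count(src, now)


def simulate(proto):
    """Run a genuine abuser and a burst forged as the resolver through the
    same 3/12 rule; report who ends up in the overload table."""
    ol = OverloadTable(limit=3, window=12)
    send = tcp_connection if proto == "tcp" else udp_packet
    for t in range(10):
        send(ol, ABUSER, t)                   # abuser really talks to us
        send(ol, RESOLVER, t, spoofed=True)   # packets forged as the resolver
    return {"abuser_blocked": ABUSER in ol.table,
            "resolver_blocked": RESOLVER in ol.table}
```

With TCP the abuser is blocked and the resolver is untouched; with UDP the forged burst puts the resolver's address into the table too, which is exactly the collateral damage Stuart describes.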