On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
> On 5/19/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> > On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
> > > On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
> > > > > On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> > > > > > On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
> > > > > > > Thank you for the tip.
> > > > > > >
> > > > > > > Here's what I'm using, which fixed the issue.
> > > > > > >
> > > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> > > > > > > flags S/SA synproxy state
> > > > > > > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> > > > > > > flags S/SA keep state \
> > > > > > > (max-src-conn 30, max-src-conn-rate 30/3, \
> > > > > > > overload <bruteforce> flush global)
> > > > > > > pass out proto tcp to any keep state
> > > > > > >
> > > > > > > Comments?
> > > > > >
> > > > > > The first rule won't match anything (same criteria as second rule, and
> > > > > > last match wins with pf). On the third rule, use 'flags S/SA' unless
> > > > > > you have a good reason not to.
> > > > > >
> > > > > > Kian
> > > > >
> > > > > I thought the first rule will defeat syn flood.
> > > > >
> > > > > Is the second rule going to do the same job as the first rule and will
> > > > > it prevent syn flood?
> > > >
> > > > The rules are different obviously, but the criteria matches the same
> > > > traffic. Because PF will apply the last matching rule by default
> > > > (unless 'quick' is used), your first rule will never be applied. You
> > > > could use synproxy state on the second rule, and remove the first
> > > > entirely.
> > > >
> > > > > As for the third rule syntax, should I make it like this?
> > > > >
> > > > > "pass out proto tcp to any flags S/SA keep state" and shall I add the
> > > > > same for udp?
> > > > >
> > > > > "pass out proto udp to any flags S/SA keep state" ?
> > > >
> > > > If you only want to pass UDP and TCP, then you can do something like this:
> > > >
> > > > pass out proto tcp to any flags S/SA keep state
> > > > pass out proto udp to any keep state
> > > >
> > > > Kian
> > >
> > > Alright, can you give me synproxy in the first line entry? I tried to
> > > add it, and I get an error.
> >
> > No? I'm confused about what you're asking for. Paste what you tried first.
>
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
>     flags S/SA synproxy state \
>     (max-src-conn 30, max-src-conn-rate 30/3, \
>     overload <bruteforce> flush global)
>
> I added synproxy after S/SA to the rule, but the rules didn't load and
> it says it's wrong.
>
> --

synproxy state implies S/SA I believe. Try without flags.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
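The security-relevant point of the thread is that the original ruleset never actually applied SYN proxying: with PF's last-match semantics, the `keep state` rule with identical criteria shadowed the `synproxy state` rule, so the operator believed SYN-flood protection was in place when it was not. A second gap in the posted rules is that sources were being added to the `<bruteforce>` table by `overload`, but no rule ever referenced that table, so being listed in it had no effect. The pf.conf fragment below is an added example written for this page, not a ruleset from either poster; the interface name, the service list and the table name are assumptions, and the combined rule follows the `flags S/SA synproxy state` form documented in the PF FAQ.

```pf
# Added example, not from the thread. Interface and service list are assumed.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# The table that 'overload' fills. 'persist' keeps it across ruleset reloads.
table <bruteforce> persist

# Without a rule that consults the table, an overloaded source is merely
# recorded, never stopped. 'quick' makes this decision final so no later
# pass rule can override it.
block in quick on $ext_if from <bruteforce>

# One rule instead of two with identical criteria: because the last matching
# rule wins, a separate plain 'synproxy state' rule would never be applied.
# The SYN proxy and the per-source limits live together here.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

# Outbound: S/SA on TCP so state is only created on an initial SYN;
# UDP has no flags, so plain 'keep state' is the whole rule.
pass out on $ext_if proto tcp to any flags S/SA keep state
pass out on $ext_if proto udp to any keep state
```

Before loading, parse the file without activating it with `pfctl -nf /etc/pf.conf`; this is the quickest way to see exactly which line a given pf version rejects, which is what the "rules didn't load" complaint in the thread needed. Once loaded, `pfctl -t bruteforce -T show` lists the addresses the `overload` clause has captured, which is the check that confirms the rate limit is actually firing rather than silently doing nothing.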
