On 6/28/07, LI Xin <[EMAIL PROTECTED]> wrote:
Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> I would like to block ICMP and UDP flooders who exceed a reasonable number.
>
> #- Rate Limit UDP (150 per host)
> pass proto udp to any port $udp_services keep state
> pass in quick proto udp from any to any \
>     keep state \
>     (max-src-conn 1, max-src-states 151, \
>     overload <DDoS> flush global)
>
> #- Rate Limit ICMP (10 per host)
> pass in quick proto icmp from any to any \
>     keep state \
>     (max-src-conn 1, max-src-states 11, \
>     overload <DDoS> flush global)
I think ICMP and UDP can have their originating address forged, so this
will effectively construct a true remotely triggerable DoS...
Cheers,
--
Xin LI <[EMAIL PROTECTED]> http://www.delphij.net/
FreeBSD - The Power to Serve!
Thank you Li,
I set antispoof in my pf.conf for the NIC. Would these rules help or
not? Do you have suggestions about the values? I run BIND on the
servers.
--
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
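The pf.conf fragment below is an added example, not from this thread and not either poster's ruleset, written to show the distinction Li Xin is drawing. antispoof only drops packets that arrive on the wrong interface while claiming one of your own networks' addresses; it does nothing about a remote attacker forging some third party's address, and with overload plus flush global on a UDP or ICMP rule, 151 forged packets are enough to put that third party in <DDoS> and kill every state it has on the box. pf.conf(5) documents max-src-conn and max-src-conn-rate as counting TCP connections that completed the 3-way handshake, which is why blacklisting on them is safe and blacklisting on max-src-states for connectionless protocols is not. The interface name, service list, table names and the two DNS peer addresses are assumptions for the example.

```pf
# Added example; not the original poster's pf.conf.
# ASSUMPTIONS: em0 is the external interface, the box runs BIND on
# port 53, 192.0.2.53 / 198.51.100.53 stand in for upstream or
# secondary DNS servers this host must always be able to talk to.
ext_if       = "em0"
udp_services = "{ domain }"

table <DDoS>      persist
table <dns_peers> persist { 192.0.2.53, 198.51.100.53 }

# Only catches packets that claim our own address space on the wrong
# interface. A forged arbitrary remote source passes straight through.
antispoof quick for $ext_if

# Hosts we depend on are passed before the table is consulted, so a
# forged flood naming them can never lock us out of our own DNS.
pass in quick on $ext_if proto udp from <dns_peers> to any port domain keep state

# The overload table does nothing by itself; this is what enforces it.
block in quick on $ext_if from <DDoS>

# Replies to BIND's own outbound queries match the outbound state and
# are never subject to the inbound per-source limits below.
pass out on $ext_if keep state

# TCP: the completed handshake proves the source address, so adding
# the offender to <DDoS> and flushing its states is safe here.
pass in on $ext_if proto tcp from any to any port domain flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 15/5, overload <DDoS> flush)

# UDP and ICMP: no handshake, so the source can be forged. Do NOT use
# overload here. max-src-conn counts completed TCP handshakes and is
# meaningless for these protocols; max-src-states alone just refuses
# to create further state for a source once it holds N entries, and
# that limit recovers on its own as the states time out.
pass in on $ext_if proto udp from any to any port $udp_services keep state \
    (max-src-states 150)
pass in on $ext_if proto icmp from any to any keep state \
    (max-src-states 10)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check. Inspect what the TCP rule has caught with `pfctl -t DDoS -T show`, remove a false positive with `pfctl -t DDoS -T delete <addr>`, and age the table out from cron with `pfctl -t DDoS -T expire 3600` so an entry never becomes a permanent ban. The residual exposure with max-src-states on UDP/ICMP is that an attacker can spend a forged source's state budget so that host cannot open new states until pf's udp.* and icmp.* timeouts (`set timeout`) drain them; that is a short, self-healing nuisance rather than the indefinite, globally flushing block the original rules would impose.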