> > > > From: Redd Vinylene <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> > > > Subject: pf to block against DDoS?
> > > > Date: Thursday, September 4, 2008 - 3:23 pm
> > > >
> > > > Hello hello!
> > > >
> > > > I was quite shocked today when I heard I could use pf to block
> > > > against DDoS
> > > > attacks, using Stateful Tracking Options,
> > > > http://www.openbsd.org/faq/pf/filter.html#stateopts.
> > > >
> > > > But does anybody have any nice setups of this they'd want to share?
> > > >
> > >
> > > From: Oliver Peter <[EMAIL PROTECTED]>
> > > To: Redd Vinylene <[EMAIL PROTECTED]>
> > > Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> > > Subject: Re: pf to block against DDoS?
> > > Date: Thursday, September 4, 2008 - 4:20 pm
> > >
> > > ... nice cross-post.
> > >
> > > I can recommend reading through this as well:
> > >   http://www.bgnett.no/~peter/pf/en/bruteforce.html
> > >
> > > --
> > > Oliver PETER, email: [EMAIL PROTECTED], ICQ# 113969174
> > > "If it feels good, you're doing something wrong."
> > >                                       -- Coach McTavish
> > >
> >
> > From: Peter N. M. Hansteen <[EMAIL PROTECTED]>
> > To: Oliver Peter <[EMAIL PROTECTED]>
> > Cc: Redd Vinylene <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> > Subject: Re: pf to block against DDoS?
> > Date: Friday, September 5, 2008 - 1:54 am
> >
> > Thanks for recommending that!  However I would generally recommend the
> > maintained version which is up at <http://home.nuug.no/~peter/pf/>,
> > with the direct link to the part about state tracking and bruteforcers
> > at <http://home.nuug.no/~peter/pf/en/bruteforce.html>.
> >
> > (and of course there's the book, nudge, nudge)
> >
> > - P
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> >
> From: Lars Noodén <[EMAIL PROTECTED]>
> To: Oliver Peter <[EMAIL PROTECTED]>
> Cc: Redd Vinylene <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: Re: pf to block against DDoS?
> Date: Thursday, September 4, 2008 - 4:50 pm
>
> You can also use two tables so that the first overload gets shunted to a
> slow queue and given a second chance before ending up in the second
> table which gets blocked.
>
> -Lars

Much obliged to all y'all gentlemen for your valuable design insight.

Now, is there anything more I can do to secure my webserver from attacks? Or
perhaps my pf.conf can be simplified / beautified?

Peter N. M. Hansteen: Did I follow your tutorial correctly?

Lars Noodén: Would you happen to have an example of that?

My pf.conf now looks like this:

-

# interfaces: the external one gets NAT, the redirect and the rate limits
ext_if = "rl0"
int_if = "ep0"

# answer blocked packets with TCP RST / ICMP unreachable instead of dropping silently
set block-policy return
set skip on { lo0 }
scrub in

# sources that trip an overload limit below land here; persist keeps the table across reloads
table <bruteforce> persist

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 30000 -> 192.168.187.2 port 30000

pass out keep state
pass quick on $int_if
block in
block quick from <bruteforce>

# at most 100 states per source and no more than 15 new connections in 5 seconds;
# an offender is added to <bruteforce> and all of its existing states are flushed
pass in on $ext_if inet proto tcp from any to any port { 20, 21, 25, 53, \
    113, 30000:35000 } keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

# ssh gets tighter limits: 15 states, 5 new connections in 3 seconds
pass in on $ext_if inet proto tcp from any to any port 22 keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

pass in on $ext_if inet proto udp from any to any port 53 keep state
pass in on $ext_if inet proto icmp from any to any keep state

-
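The two-table arrangement Lars describes, written out as an added example (not code from this thread or from Peter's tutorial) in the same pre-4.7 syntax as the pf.conf above; it would stand in for the port 22 rule, and the <suspects> table, the std/slow queues, the 10Mb link speed and the thresholds are assumptions.

```pf
# Two-stage overload handling for ssh: a first overload throttles the source
# and gives it a second chance, a second overload blocks it outright.
# ALTQ needs kernel support on FreeBSD (options ALTQ, ALTQ_CBQ).
ext_if = "rl0"
table <suspects> persist      # first offence: shunted to the slow queue
table <bruteforce> persist    # second offence: blocked

altq on $ext_if cbq bandwidth 10Mb queue { std, slow }
queue std bandwidth 95% cbq(default)
queue slow bandwidth 64Kb cbq

block in on $ext_if
block quick from <bruteforce>

# stage one: generous limits; an overload only puts the source into <suspects>
# and flushes the states this rule created for it
pass in on $ext_if inet proto tcp from any to any port 22 keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <suspects> flush)

# stage two: without quick the last matching rule wins, so new connections
# from a suspect take this rule instead; replies to them leave through the
# slow queue, and tripping the tighter limit moves the source to <bruteforce>
pass in on $ext_if inet proto tcp from <suspects> to any port 22 keep state \
    (max-src-conn 3, max-src-conn-rate 2/10, overload <bruteforce> flush global) \
    queue slow
```

Table entries never age out on their own, so the second chance only exists if something like a cron job running `pfctl -t suspects -T expire 600` clears <suspects> entries older than ten minutes.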

Have a great week! Cheers!

-- 
http://www.home.no/reddvinylene
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"