On 2022-09-06, Carlos López Martínez <[email protected]> wrote:
> I have a very important question with massive requests to udp ports.
> Until now I had the following options configured:
>
> (max-src-conn 30, max-src-conn-rate 10/1, overload <bruteforce> flush
> global)
>
> I have several services published through udp, most importantly
> WireGuard, but I'm not sure about activating those options. For example,
> using the following options for tcp:
>
> (max-src-conn 10, max-src-conn-rate 15/5, overload <bruteforce> flush
> global)
>
> several IPs go to the bruteforce table ... but for udp, nothing .... and
> it seems strange to me.
>
> Is my config ok or do you see some gotchas?
Those options are for TCP, which requires 2-way communication and is relatively hard to spoof unless you're on the network path. UDP is often trivial to spoof (there are still a fair number of end-user ISPs/colos that don't do ingress filtering), so blocking based on potentially faked IP addresses could cause a lot of disruption (e.g. someone spoofing packets with source IPs that belong to Google, some big CDN, the root name servers, etc. could trigger a block on those addresses). So PF doesn't do this. It's explained a bit in pf.conf(5) as well.

--
Please keep replies on the mailing list.
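To make the distinction concrete, here is an added pf.conf fragment (not from the original thread or either poster) showing the two kinds of rule side by side. It assumes a macro `ext_if`, the table name `<bruteforce>` from the question, and placeholder ports (22 for the TCP service, 51820 for WireGuard, its usual default). Per pf.conf(5), `max-src-conn` and `max-src-conn-rate` count completed TCP handshakes, so they never fire for UDP; `max-src-states` counts state entries for any protocol, but it still keys on an unverified source address, so the fragment uses it only as a cap, not as an `overload` trigger.

```pf
# Added example, not part of the original mailing-list thread.
# ext_if, the port numbers and the table name are assumptions.
ext_if = "em0"

table <bruteforce> persist

block in quick on $ext_if from <bruteforce>

# TCP: max-src-conn / max-src-conn-rate only count connections that have
# completed the 3-way handshake, so a spoofed source cannot be made to
# land in <bruteforce>. This is the rule that actually populates the table.
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn 10, max-src-conn-rate 15/5, \
                overload <bruteforce> flush global)

# UDP: there is no handshake, so the max-src-conn* options are silently
# inapplicable and the overload table stays empty, which is the behaviour
# the question observed. max-src-states does apply (it counts states
# regardless of protocol) but a spoofed flood would still be charged to
# whatever source address the attacker chose, so it is used here only to
# bound per-source state, without an overload table.
pass in on $ext_if proto udp to ($ext_if) port 51820 \
    keep state (max-src-states 100)
```

After loading the ruleset, `pfctl -t bruteforce -T show` lists the addresses the TCP rule has overloaded; with the UDP rule above it is expected that no address ever appears there because of UDP traffic, and `pfctl -s states | grep udp` is the place to watch the per-source state count instead.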

