On 06/09/2022 19:07, Stuart Henderson wrote:
> On 2022-09-06, Carlos López Martínez <[email protected]> wrote:
>> I have a very important question with massive requests to udp ports.
>> Until now I had the following options configured:
>>
>> (max-src-conn 30, max-src-conn-rate 10/1, overload <bruteforce> flush
>> global)
>>
>> I have several services published through udp, most importantly
>> WireGuard, but I'm not sure about activating those options. For example,
>> using the following options for tcp:
>>
>> (max-src-conn 10, max-src-conn-rate 15/5, overload <bruteforce> flush
>> global)
>>
>> several IPs go to the bruteforce table ... but for udp, nothing .... and
>> it seems strange to me.
>>
>> Is my config ok or do you see some gotchas?
>
> Those options are for TCP which requires 2-way communications and
> is relatively hard to spoof unless you're on the network path.
>
> UDP is often trivial to spoof (there are still a fair number of
> end-user ISPs/colos that still don't do ingress filtering) so
> blocking based on potentially faked IP addresses (e.g. someone
> spoofing packets with source IPs that belong to google/some big
> cdn/root name servers/etc could cause a lot of disruption if
> they could trigger a block). So PF doesn't do this.
>
> It's explained a bit in pf.conf(5) as well.


Understood ... Many thanks Stuart for your explanation.
--
Best regards,
C. L. Martinez
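For readers who want to see the point of the thread in a ruleset, here is an added pf.conf fragment (not posted by either participant, and not taken from the thread). It puts the TCP options Carlos quoted on a TCP rule and shows what is left for a UDP service such as WireGuard. The interface name, the port numbers and the state-table limit are assumptions chosen for the example.

```pf
# Added example: TCP rules can overload a table on connection counts,
# UDP rules cannot, because the counters only see completed handshakes.
# Interface, ports and the max-src-states value are assumptions.
ext_if  = "em0"
wg_port = "51820"

table <bruteforce> persist

# Drop anything from an address that has already tripped the limits.
block in quick on $ext_if from <bruteforce>

# TCP: max-src-conn / max-src-conn-rate count only connections that
# completed the 3-way handshake, so the address that lands in the
# table is one the sender actually controls (pf.conf(5)).
pass in on $ext_if proto tcp to ($ext_if) port { 22 443 } \
    keep state (max-src-conn 10, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

# UDP: the same options never fire; there is no handshake to count,
# and acting on a spoofed source could put an innocent address into
# <bruteforce>. max-src-states bounds per-source state entries for any
# protocol but does not feed the overload table, so a flood of spoofed
# datagrams costs state-table slots, not a block on a third party.
pass in on $ext_if proto udp to ($ext_if) port $wg_port \
    keep state (max-src-states 100)
```

After loading the ruleset, `pfctl -t bruteforce -T show` lists the addresses the TCP rule has overloaded into the table; the UDP rule will never add to it, which is the behaviour Carlos observed.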
