Just sharing... After having made three attempts at firewalling my ntp server, FreeBSD 9.0, with pre-made scripts, the following does limit data flow according to my tests. This can be added to ipfw.conf if you use it without the "ipfw" prefix and the delete lines. Insert your local and trusted networks. Some lines may be superfluous.
<start>
# Flush previous pipes, queues and rules so the script can be re-run
ipfw pipe 1 delete
ipfw pipe 2 delete
ipfw pipe 3 delete
ipfw delete 1
ipfw delete 2
ipfw delete 3
ipfw delete 4
ipfw delete 5
ipfw delete 6
ipfw queue 1 delete
ipfw queue 2 delete
ipfw queue 3 delete
# 1Gb
ipfw pipe 1 config bw 1000000kbits/s
# 256Kb, one dynamic pipe per destination address
ipfw pipe 2 config bw 256kbits/s mask dst-ip 0xffffffff
# 20Kb (configured but not referenced by any queue below)
ipfw pipe 3 config bw 20kbits/s
ipfw queue 1 config pipe 1 weight 99
# Queue 2:3 80:15 (weight and mask in one config line so neither resets the other)
ipfw queue 2 config pipe 2 weight 80 mask dst-ip 0xffffffff
ipfw queue 3 config pipe 2 weight 15
# Trusted IP Address
ipfw add 1 queue 1 ip from me to <IPv4>/<Mask> via em0
ipfw add 1 queue 1 icmp from me to <IPv4> via em0
ipfw add 1 queue 1 tcp from me to <IPv6>/<Mask> via em0
# Outbound from me / ntp server / this is the basic rule
ipfw add 3 queue 2 udp from any 123 to any out via em0
# All NTP queries may be rate limited
ipfw add 3 queue 2 udp from any to me 123 out via em0
ipfw add 3 queue 2 udp from me to any 123 out via em0
ipfw add 3 queue 2 udp from any to me 123 in via em0
# Failsafe for other traffic
ipfw add 4 queue 3 udp from me to any out via em0
ipfw add 5 queue 3 udp from me to any out xmit em0
# Rate limit myself outbound, as a last resolve.
ipfw add 6 queue 3 tcp from me to any out xmit em0
<end>

Remember a successful DDoS usage will mean your ntp server is *sending out* lots of data from port 123. The above will perhaps tune other required valid traffic to a near standstill...

Sincerely,
Björn Róbertsson

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
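As an added example that is not part of Björn's post or of the ipfw ruleset above: a small shell check that reads the per-rule byte counters `ipfw -a list` reports for the port-123 rules and flags when the server is sending out far more NTP bytes than it receives, which is the condition the post warns about. The `ipfw -a list` output embedded in the script is constructed sample data, and the threshold and function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: sum the byte counters of
# the port-123 rules from `ipfw -a list` and compare outbound with inbound
# NTP bytes. SAMPLE is constructed to look like `ipfw -a list` output for
# the ruleset above (columns: rule number, packets, bytes, rule body);
# on a real host use SAMPLE="$(ipfw -a list)" instead.
SAMPLE='00001   1200    96000 queue 1 ip from me to 192.0.2.0/24 via em0
00003  40000 36000000 queue 2 udp from any 123 to any out via em0
00003    800    72000 queue 2 udp from any to me 123 out via em0
00003    900    81000 queue 2 udp from me to any 123 out via em0
00003  40100  3608000 queue 2 udp from any to me 123 in via em0
00004     50     4000 queue 3 udp from me to any out via em0
65535 100000 50000000 deny ip from any to any'

# ntp_bytes DIRECTION LIST_OUTPUT
# Sum the byte counters (field 3) of UDP rules that mention port 123 and
# carry the given direction keyword ("in" or "out") before "via".
ntp_bytes() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        / udp / && / 123 / && $0 ~ (" " dir " via ") { sum += $3 }
        END { printf "%d\n", sum + 0 }'
}

# ntp_ratio LIST_OUTPUT
# Integer ratio of outbound to inbound NTP bytes; zero inbound prints "n/a".
ntp_ratio() {
    nout=$(ntp_bytes out "$1")
    nin=$(ntp_bytes in "$1")
    awk -v o="$nout" -v i="$nin" \
        'BEGIN { if (i == 0) print "n/a"; else print int(o / i) }'
}

# ntp_check THRESHOLD LIST_OUTPUT
# Print ALERT when the server emits more than THRESHOLD bytes per byte it
# receives on port 123 (the "sending out lots of data" case), otherwise OK.
ntp_check() {
    r=$(ntp_ratio "$2")
    if [ "$r" = "n/a" ] || [ "$r" -le "$1" ]; then echo OK; else echo ALERT; fi
}

echo "NTP bytes out: $(ntp_bytes out "$SAMPLE")"
echo "NTP bytes in:  $(ntp_bytes in "$SAMPLE")"
echo "ratio: $(ntp_ratio "$SAMPLE")  status: $(ntp_check 3 "$SAMPLE")"
```

Counters are cumulative since the last `ipfw zero`, so for a rate rather than a running total, run the check on two snapshots taken some seconds apart and compare them.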
