DaemonForums, FreeBSD Security forum

Post #1, 14th July 2009, chazz
PF Rules for DoS
Below is a packet filter snippet from my config file:

Code:
block drop log quick from <brute>
...
pass in  quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)
pass out quick on $int_if proto tcp from any to <webs> port 80 flags S/SA keep state

pass out quick on $ext_if proto tcp from <webs> port 80   to any flags SA/SA keep state
pass in  quick on $int_if proto tcp from <webs> port 80   to any flags SA/SA keep state

Question 1:
Should the brute-force rules be on each line, or just the first one?

Question 2:
If they should be on each line, should I multiply the values (80, 200/2) by 4?

Question 3:
Are the rates I'm using reasonable? Blocking should be on the loose side.

I'm open to any thoughts, opinions or screams on best practices.
Post #2, 14th July 2009, jggimi

Since your rules are "quick", only the first matching rule applies. And, because they are "keep state", an existing state table entry eliminates rule matching entirely.

With that in mind, your second pass rule will only match in the unique case when the session originates on your router, to the web server. It will never match for any other connection. (If there is a state in progress, no rules are tested, and if not, then external traffic will match the first pass rule, and traffic within $int_if will travel directly on the subnet.)

If your router is also functioning as a proxy web server, then the second rule will match, as the proxy server will initiate separate traffic to the web server. But if that were the case, traffic to port 80 would be destined for the router, not for the webserver.

Your third and fourth pass rules will not likely apply in any situation, as states for TCP sessions were established by the first rule.

You'll need to determine what limits to put on state tables; I use state table management for sshd and ftpd; and there, I use only max-src-conn-rate.
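The matching order jggimi describes (state table lookup first, then first-match "quick" rules) can be seen with a toy model. This is an added example, not code from the thread or from PF itself: the rule fields are simplified, the addresses, the <webs> table contents and the router address are constructed, and floating (non-interface-bound) states are assumed. It runs the four pass rules from post #1 over one forwarded client connection and then over a connection the router itself originates.

```python
# Added example (not from the forum thread): a toy model of PF evaluating
# "quick" rules after a floating state-table lookup. Addresses, the <webs>
# table and the router address are constructed; rule fields are simplified.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # "ext_if" or "int_if"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags set, e.g. "S" (SYN) or "SA" (SYN+ACK)

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    iface: str
    src: str                 # "any", "webs" (the <webs> table) or an address
    sport: Optional[int]     # None = any port
    dst: str
    dport: Optional[int]
    flags: str               # "S/SA" style: <flags that must be set>/<flags examined>
    keep_state: bool = True  # every rule in the thread is quick + keep state

WEBS = {"192.0.2.10"}        # constructed <webs> table
ROUTER = "192.0.2.1"         # constructed address of the router itself

def _addr_ok(spec, addr):
    return spec == "any" or (spec == "webs" and addr in WEBS) or spec == addr

def _flags_ok(spec, flags):
    must, mask = spec.split("/")
    return {f for f in flags if f in mask} == set(must)

class ToyPF:
    """State lookup first; then first-match ('quick') rule evaluation."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()
        self.hits = Counter()

    @staticmethod
    def _key(p):
        # A floating state belongs to the connection, not to an interface or direction
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        if self._key(p) in self.states:
            self.hits["state"] += 1     # existing state: no rule is tested at all
            return "pass"
        for r in self.rules:
            if (r.direction == p.direction and r.iface == p.iface
                    and _addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)
                    and r.sport in (None, p.sport) and r.dport in (None, p.dport)
                    and _flags_ok(r.flags, p.flags)):
                self.hits[r.name] += 1
                if r.keep_state:
                    self.states.add(self._key(p))
                return "pass"           # quick: later rules are never consulted
        self.hits["block"] += 1
        return "block"

# The four pass rules from post #1, in order
RULES = [
    Rule("rule1", "in",  "ext_if", "any",  None, "webs", 80,   "S/SA"),
    Rule("rule2", "out", "int_if", "any",  None, "webs", 80,   "S/SA"),
    Rule("rule3", "out", "ext_if", "webs", 80,   "any",  None, "SA/SA"),
    Rule("rule4", "in",  "int_if", "webs", 80,   "any",  None, "SA/SA"),
]

def run_scenario():
    """Returns a dict of how often each rule (or the state table) matched."""
    pf = ToyPF(RULES)
    client, web = "198.51.100.7", "192.0.2.10"   # constructed addresses
    # An external client opens a connection that the router forwards to <webs>
    for p in [
        Packet("in",  "ext_if", client, 40000, web, 80, "S"),   # SYN arrives
        Packet("out", "int_if", client, 40000, web, 80, "S"),   # SYN forwarded
        Packet("in",  "int_if", web, 80, client, 40000, "SA"),  # SYN/ACK back
        Packet("out", "ext_if", web, 80, client, 40000, "SA"),  # SYN/ACK forwarded
    ]:
        pf.filter(p)
    # The one case where rule 2 matches: the router itself opens a connection
    pf.filter(Packet("out", "int_if", ROUTER, 50000, web, 80, "S"))
    return dict(pf.hits)

if __name__ == "__main__":
    print(run_scenario())
```

Running it shows rule 1 matching once (creating the state), the next three packets of that connection hitting the state table without any rule being evaluated, rules 3 and 4 never matching, and rule 2 matching only for the router-originated connection.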
Post #3, 14th July 2009, chazz

Thank you for the reply, I'm slightly new to this.

The router/gateway you see is redirecting our web traffic, but is not used as a proxy.

The third and fourth rules would be needed if the webserver does a cURL/wget, however, correct?

I also have max-src-conn-rate on FTP. What would be a proper limit, do you think? I have 32/4 for mine.
Post #4, 14th July 2009, jggimi

Quote (chazz): ...The third and fourth rules would be needed if the webserver does a cURL/wget, however, correct?
Not by my understanding; I believe cURL or wget still act like standard web clients, so the server should see normal http/https requests, with nothing originated by the web server. The only reason pass rules 3/4 would be involved would be if the webserver initiated contact to a remote address, and used outgoing port #80. I can't see either happening with normal web applications.
Quote (chazz): I also have max-src-conn-rate on FTP. What would be a proper limit, do you think? I have 32/4 for mine.
"Proper" depends on what's proper for your various servers. I use 3/30 for my ftpd server, which is in the opposite direction of what you've configured, which is allowing 32 connections every 4 seconds. Remember, the syntax is <number> / <seconds>.
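The <number>/<seconds> ordering jggimi points out, and the overload table from the snippet in post #1, can be shown with a small simulation. This is an added example and not code from the thread or from PF: PF approximates the connection rate with a moving average, so the exact sliding window used here is an assumption, and the source addresses and connection times are constructed. It runs the same burst of attempts through "32/4" and through "3/30".

```python
# Added example (not from the forum thread): a simplified model of PF's
# max-src-conn-rate <number>/<seconds> limit feeding an overload table,
# run over constructed connection attempts. The exact sliding window is
# an assumption; real PF uses a moving-average approximation.
from collections import defaultdict, deque

def parse_rate(spec):
    """Parse PF's '<number>/<seconds>' form, e.g. '32/4' -> (32, 4).
    The order matters: '3/30' allows 3 new connections per 30 seconds,
    '32/4' allows 32 new connections per 4 seconds."""
    number, seconds = (int(x) for x in spec.split("/"))
    if number <= 0 or seconds <= 0:
        raise ValueError("both fields of max-src-conn-rate must be positive")
    return number, seconds

class SourceRateLimiter:
    """Per-source new-connection rate limit with an overload table (<brute>)."""
    def __init__(self, spec):
        self.limit, self.window = parse_rate(spec)
        self.recent = defaultdict(deque)   # src -> times of recent new connections
        self.overload = set()              # stands in for the <brute> table

    def new_connection(self, src, t):
        """Return True if the attempt at time t is allowed, False if dropped."""
        if src in self.overload:           # 'block drop quick from <brute>' wins
            return False
        q = self.recent[src]
        while q and t - q[0] >= self.window:   # forget attempts outside the window
            q.popleft()
        q.append(t)
        if len(q) > self.limit:
            # Source exceeded the rate: PF adds it to the overload table and,
            # with 'flush global', also kills that source's existing states.
            self.overload.add(src)
            return False
        return True

# Constructed timeline: one source bursts 5 SYNs in 2 s, another connects slowly
EVENTS = sorted([
    ("198.51.100.7", 0.0), ("198.51.100.7", 0.5), ("198.51.100.7", 1.0),
    ("198.51.100.7", 1.5), ("198.51.100.7", 2.0),
    ("203.0.113.5", 0.0), ("203.0.113.5", 20.0), ("203.0.113.5", 45.0),
], key=lambda e: e[1])

def simulate(spec, events=EVENTS):
    """Run one rate spec over the events; returns (accepted count, overloaded sources)."""
    limiter = SourceRateLimiter(spec)
    accepted = sum(limiter.new_connection(src, t) for src, t in events)
    return accepted, frozenset(limiter.overload)

if __name__ == "__main__":
    for spec in ("32/4", "3/30"):
        print(spec, simulate(spec))
```

With "32/4" every attempt is accepted and nothing lands in the overload table; with "3/30" the bursting source is added to the table on its fourth attempt within the window and its later attempt is dropped by the block rule, while the slow client is unaffected.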