PF and Stateful Tracking Options
I want to use PF as a firewall for our webserver; our webserver is Apache.
I read this link http://www.openbsd.org/faq/pf/filter.html but I cannot understand this section:
Code:
An example:

table <abusive_hosts> persist
block in quick from <abusive_hosts>
pass in on $ext_if proto tcp to $web_server \
    port www flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

This does the following:
* Limits the maximum number of connections per source to 100
* Rate limits the number of connections to 15 in a 5 second span
* Puts the IP address of any host that breaks these limits into the <abusive_hosts> table
* For any offending IP addresses, flush any states created by this rule.

For example, if some user with this IP 192.168.0.52 connects to my web server, he or she can only open 15 pages in 5 seconds; if he or she opens new pages, pf blocks him. And I understand this user with 192.168.0.53 cannot open more than 15 pages, or cannot make more than 15 connections in 5 seconds. Am I right? Do I understand this correctly? With this rule each IP can have 15 connections in 5 seconds. Please, someone explain this section better for me.

this is more useful to restrict ssh access...
For a webserver, it is quite annoying.

One -can- restrict the total number of simultaneous states allowed, to keep access manageable in the event a website gets "slashdotted" -- overwhelmed because of sudden increased transaction rates.
In the example mfaridi quoted, max-src-conn 100 limits the number of simultaneous transactions to 100. Users beyond that number do not get a connection, which -might- or -might not- be a problem, depending on the application. But it does allow the 100 sessions that are connected to function without overwhelming resources. That "100" is of course not meaningful without understanding the webserver's capacity, and the capacity of adjunct application and database servers that might be involved.

Quote:
In the pf.conf for these forums I have:
Quote:
I solved the problem by making a table with known bot addresses (taken from iplists.com) which are exempted from this rule. Why use max-src-conn and max-src-conn-rate? It prevents (D)DoS attacks.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Can we find another solution to control access to the web server? We use this rule, but in some places, like a school with ADSL internet sharing, our PF blocks them; for example, we have 200 computers in one school and all of them share one ADSL internet connection.

Quote:
Am I right? If I understand correctly, I have an abuse table too; in the abuse rule I define the PF block max connection. I think this rule will block BOT IPs too. So I say PF does not use the abuse rule for BOT IPs and uses the abuse rule for other functions?

Yes, you understand it correctly. This only matters if you actually care about your site showing up in google.
Here are a few examples from my pf.conf
Code:
table <badguys> persist
table <goodbots> persist file "/root/goodbots"

pass in on $if proto tcp from any to $ip2 port http keep state \
    (source-track max-src-conn 50 max-src-conn-rate 200/10 overload <badguys>)
pass in quick on $if proto tcp from <goodbots> to {$ip1, $ip2} port http
block drop in on $if from <badguys>
Code:
# Don't ban people for more than n seconds
* * * * * root /sbin/pfctl -t badguys -T expire 5 > /dev/null 2>&1
I make the file /root/goodbots with a simple shell script. Adjust the lists to your needs:
Code:
#!/bin/sh
# Fetch the published crawler address lists and merge them into the
# file the <goodbots> table is loaded from.
lists="
http://iplists.com/google.txt
http://iplists.com/inktomi.txt
http://iplists.com/lycos.txt
http://iplists.com/infoseek.txt
http://iplists.com/altavista.txt
http://iplists.com/excite.txt
http://iplists.com/northernlight.txt
http://iplists.com/misc.txt
http://iplists.com/non_engines.txt
"
echo -n "" > /root/goodbots          # start from an empty file
for list in ${lists}; do
    fetch -o /tmp/list ${list}
    # keep only the address lines: drop comments and blank lines
    grep -Ev '(^#|^$)' /tmp/list >> /root/goodbots
done
rm /tmp/list
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
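To make the behaviour argued about in this thread concrete, here is an added Python model of the per-source limits in these rules. It is not pf's code and not any poster's script: it keeps one source node per address, counts new connections in a fixed window the way max-src-conn-rate N/S does (an approximation of pf's in-kernel threshold check), caps open states like max-src-conn, bans a source into an overload table that an expiry step clears again, and lets a quick-pass exemption table like <goodbots> bypass everything. It replays the first post's 192.168.0.52 / 192.168.0.53 question, the school behind one NAT address, and the exempted crawler; the addresses 203.0.113.10 and 203.0.113.99 are constructed for the example.

```python
# Added illustration (not pf's code): a toy model of the per-source limits in
# the thread's rules -- max-src-conn, max-src-conn-rate N/S, overload <table>
# and a quick-pass exemption table. The fixed window only approximates pf's
# in-kernel threshold bookkeeping; treat it as a teaching aid.
from dataclasses import dataclass, field


@dataclass
class SourceNode:
    """pf keeps one source node per source address for source-track rules."""
    window_start: float      # when the current rate window began
    window_count: int = 0    # new connections counted in that window
    open_states: int = 0     # states currently open from this source


@dataclass
class RateLimitedPass:
    max_src_conn: int        # simultaneous states per source
    rate_limit: int          # max-src-conn-rate limit ...
    rate_seconds: float      # ... per this many seconds
    overload: set = field(default_factory=set)   # <abusive_hosts> / <badguys>
    exempt: set = field(default_factory=set)     # <goodbots>, passed with 'quick'
    nodes: dict = field(default_factory=dict)

    def new_connection(self, src: str, now: float) -> bool:
        """Would pf create state for a new SYN from src at time now?"""
        if src in self.exempt:
            return True          # 'pass in quick ... from <goodbots>' wins
        if src in self.overload:
            return False         # 'block drop in ... from <badguys>'
        node = self.nodes.setdefault(src, SourceNode(window_start=now))
        # fixed window: the counter restarts once rate_seconds have elapsed
        if now - node.window_start >= self.rate_seconds:
            node.window_start = now
            node.window_count = 0
        node.window_count += 1
        if (node.window_count > self.rate_limit
                or node.open_states + 1 > self.max_src_conn):
            # overload <table> flush: ban the source and drop its states
            self.overload.add(src)
            node.open_states = 0
            return False
        node.open_states += 1
        return True

    def close_connection(self, src: str) -> None:
        """A state from src was torn down (FIN/RST or timeout)."""
        node = self.nodes.get(src)
        if node and node.open_states:
            node.open_states -= 1

    def expire(self, src: str) -> None:
        """The effect of the cron job's 'pfctl -t badguys -T expire N' on one entry."""
        self.overload.discard(src)


def simulate() -> dict:
    """Replay the thread's scenarios; returns what the model decides for each."""
    fw = RateLimitedPass(max_src_conn=100, rate_limit=15, rate_seconds=5)
    out = {}
    # 1. One client (the page's 192.168.0.52) opens 15 connections in 3 s: fine.
    out["first_15_allowed"] = all(fw.new_connection("192.168.0.52", i * 0.2)
                                  for i in range(15))
    # 2. The 16th inside the same 5 s window trips the rate and bans the source.
    out["16th_allowed"] = fw.new_connection("192.168.0.52", 3.0)
    out["banned"] = "192.168.0.52" in fw.overload
    # 3. Limits are per source: a different client is unaffected.
    out["other_client_allowed"] = fw.new_connection("192.168.0.53", 3.0)
    # 4. After the cron expiry the source may connect again in a fresh window.
    fw.expire("192.168.0.52")
    out["allowed_after_expire"] = fw.new_connection("192.168.0.52", 30.0)
    # 5. The school problem: 200 users behind one NAT address (constructed
    #    203.0.113.10) each load one page within 5 s; only 15 get through.
    nat = "203.0.113.10"
    out["nat_users_served"] = sum(fw.new_connection(nat, 40 + u * 0.02)
                                  for u in range(200))
    # 6. A crawler listed in the exemption table is never counted or banned.
    fw.exempt.add("203.0.113.99")   # constructed 'goodbot' address
    out["bot_allowed"] = all(fw.new_connection("203.0.113.99", 50 + i * 0.01)
                             for i in range(500))
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The NAT scenario is the one to watch when choosing numbers: because pf tracks by source address, every host behind a shared connection counts against the same 15/5 budget, which is why a school's 200 computers look like one abusive client. Raising the limit, exempting known NAT addresses in a table the way the bots are exempted, or expiring the ban quickly with the cron job are the levers this thread offers.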