Below is a packet filter snippet from my config file:
Code:
block drop log quick from <brute> ...
pass in quick on $ext_if proto tcp from any to <webs> port 80 flags S/SA keep state (max-src-conn 80, max-src-conn-rate 200/2, overload <brute> flush global)
pass out quick on $int_if proto tcp from any to <webs> port 80 flags S/SA keep state
pass out quick on $ext_if proto tcp from <webs> port 80 to any flags SA/SA keep state
pass in quick on $int_if proto tcp from <webs> port 80 to any flags SA/SA keep state

Question 1: Should the bruteforce rules be on each line, or just that first one?
Question 2: If they should be on each line, should I multiply the values (80, 200/2) by 4?
Question 3: Are the rates I'm using reasonable? Blocking should be on the loose side.
I'm open to any thoughts, opinions or screams on best practices.
Since your rules are "quick", only the first matching rule applies. And, because they are "keep state", an existing state table entry eliminates rule matching entirely.
With that in mind, your second pass rule will only match in the unique case when the session originates on your router, to the web server. It will never match for any other connection. (If there is a state in progress, no rules are tested, and if not, then external traffic will match the first pass rule, and traffic within $int_if will travel directly on the subnet.) If your router is also functioning as a proxy web server, then the second rule will match, as the proxy server will initiate separate traffic to the web server. But if that were the case, traffic to port 80 would be destined for the router, not for the webserver. Your third and fourth pass rules will not likely apply in any situation, as states for TCP sessions were established by the first rule. You'll need to determine what limits to put on state tables; I use state table management for sshd and ftpd; and there, I use only max-src-conn-rate.
__________________
OpenBSD LiveCDs/LiveDVDs
Thank you for the reply, I'm slightly new to this.
The router/gateway you see is redirecting our web traffic, but not used as a proxy. The third and fourth rules would be needed if the webserver does a CURL/wget however, correct? I also have max-src-conn-rate on FTP, what would be a proper limit do you think? I have 32/4 for mine.
Remember, the syntax is <number> / <seconds>.
__________________
OpenBSD LiveCDs/LiveDVDs
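The following pf.conf fragment is an added example, not a ruleset posted by anyone in this thread. It puts into one place the two points the replies make: only the rule that creates the state needs the overload limits, and the rate argument is written as <number>/<seconds>. The interface names, the server address and the limit values are constructed for illustration and are not values from the thread.

```pf
# Added example (not from the thread). Interface names, the server address
# and the limits below are assumptions chosen for illustration.
ext_if = "em0"
int_if = "em1"
webs   = "{ 192.0.2.10 }"            # constructed web-server address

# "persist" keeps the table defined even while it is empty.
table <brute> persist

# The block rule comes first: "quick" stops evaluation at the first match,
# so an address already in <brute> never reaches the pass rules below.
block drop in log quick on $ext_if from <brute> to any

# Only this rule needs the limits. It creates the state for each inbound
# web session; later packets of that session match the state entry and are
# never compared against the ruleset again.
#   max-src-conn 100      at most 100 concurrent connections per source
#   max-src-conn-rate 15/5  more than 15 new connections from one source
#                         within 5 seconds overloads it into <brute>
#   flush global          drop every state that source holds, on any rule
pass in quick on $ext_if proto tcp from any to $webs port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <brute> flush global)

# Forwarded packets are already matched by the state created above (as the
# reply explains); this rule only covers sessions the router itself opens.
pass out quick on $int_if proto tcp from any to $webs port 80 flags S/SA keep state

# Same <number>/<seconds> syntax applied to the FTP control port: here a
# source opening more than 10 sessions in 30 seconds is overloaded.
pass in quick on $ext_if proto tcp from any to $webs port 21 \
    flags S/SA keep state \
    (max-src-conn-rate 10/30, overload <brute> flush global)
```

To see what the limits are actually doing, `pfctl -t brute -T show` lists the addresses currently in the table, `pfctl -s states` shows the live state entries the pass rules created, and `pfctl -t brute -T expire 86400` (typically run from cron) removes entries that have been in the table longer than a day, so a loose policy does not block a source indefinitely. `pfctl -nf /etc/pf.conf` parses the file without loading it, which is the quickest way to confirm the rate syntax is accepted before it goes live.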