
[tor-relays] Re: Seeking recommendations for pf firewall relays



Hi

> To reduce the impact of possible future DoS attacks, I want to make
> use of max-src-conn and max-src-conn-rate to limit a single IP
> address from creating unlimited TCP states, as well as limit how fast
> new TCP sessions can be created.


:: pf.conf ::

IFEXT = "igb0"
MAXSRCCONN = "50" # 50 connections per source IP
MAXSRCCONNRATE = "5/5" # 5 new syns per 5 secs
IP4 = "a.b.c.d"
IP6 = "aaaa:bbbb:cccc:dddd::eeee"
ORPORT = "9001"

table <blockORPORT> persist
# overload only adds offenders to the table; this rule actually drops them
block in quick on $IFEXT proto tcp from <blockORPORT> to any port $ORPORT

pass in on $IFEXT inet proto tcp from any to $IP4 port $ORPORT \
  flags S/SA modulate state (max-src-conn $MAXSRCCONN, \
  max-src-conn-rate $MAXSRCCONNRATE,overload <blockORPORT>)

pass in on $IFEXT inet6 proto tcp from any to $IP6 port $ORPORT \
  flags S/SA modulate state (max-src-conn $MAXSRCCONN, \
  max-src-conn-rate $MAXSRCCONNRATE,overload <blockORPORT>)



:: cronjob to release blocked IPs ::

(5-minute cron job; holds blocked IPs for roughly 4000 secs)

pfctl -t blockORPORT -T expire 4000



You can go for 'keep state' instead of 'modulate state'.

Cheers
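As an added illustration (not part of the mail above, and not pf's own code), here is a small Python model of how the two limits and the cron expiry interact on constructed traffic: a polite client, a SYN flooder that trips max-src-conn-rate 5/5, and a slow but greedy client that trips max-src-conn 50. It assumes a block rule referencing <blockORPORT> exists, and it checks the rate with an exact sliding window, whereas pf.conf(5) describes the real check as a moving-average approximation, so treat the boundary behaviour as illustrative rather than exact.

```python
"""Simplified model of pf's max-src-conn / max-src-conn-rate / overload
behaviour plus `pfctl -T expire`.  Assumptions (this is not pf's code):
 - new-connection rate is an exact sliding window; real pf approximates
 - a `block ... from <blockORPORT>` rule drops tabled sources
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 50            # MAXSRCCONN in the posted pf.conf
MAX_SRC_CONN_RATE = (5, 5)   # MAXSRCCONNRATE "5/5": 5 new SYNs per 5 seconds
EXPIRE_SECS = 4000           # pfctl -t blockORPORT -T expire 4000


class OverloadTable:
    """Per-source state counts, recent SYN timestamps and the overload table."""

    def __init__(self, max_src_conn=MAX_SRC_CONN, rate=MAX_SRC_CONN_RATE):
        self.max_src_conn = max_src_conn
        self.rate_count, self.rate_window = rate
        self.states = defaultdict(int)         # open TCP states per source
        self.recent_syns = defaultdict(deque)  # times of recently created states
        self.blocked = {}                      # source -> time added to table

    def syn(self, now, src):
        """Inbound SYN from `src` at time `now`; True if a state is created."""
        if src in self.blocked:
            return False  # dropped by the assumed block rule on the table
        q = self.recent_syns[src]
        while q and now - q[0] >= self.rate_window:
            q.popleft()  # forget SYNs that fell out of the window
        over_rate = len(q) + 1 > self.rate_count
        over_conn = self.states[src] + 1 > self.max_src_conn
        if over_rate or over_conn:
            self.blocked[src] = now  # the overload option adds src to the table
            return False
        q.append(now)
        self.states[src] += 1
        return True

    def close(self, src):
        """A TCP state for `src` expired or was torn down."""
        if self.states[src] > 0:
            self.states[src] -= 1

    def expire(self, now, seconds=EXPIRE_SECS):
        """Model `pfctl -t <table> -T expire <seconds>`; returns removed sources."""
        stale = sorted(s for s, t in self.blocked.items() if now - t >= seconds)
        for s in stale:
            del self.blocked[s]
        return stale


def demo():
    """Constructed traffic against the limits from the mail."""
    tbl = OverloadTable()
    results = {}
    # polite client: one new connection every 2 s, at most 3 per 5 s window
    results["polite"] = [tbl.syn(t, "198.51.100.10") for t in range(0, 20, 2)]
    # flooder: 8 SYNs within 0.8 s; the 6th exceeds 5/5 and the source is tabled
    results["flood"] = [tbl.syn(100 + i * 0.1, "203.0.113.7") for i in range(8)]
    # greedy client: one connection every 2 s, never closes; rate is fine but
    # the 51st state exceeds max-src-conn 50
    greedy = [tbl.syn(1000 + 2 * i, "192.0.2.44") for i in range(51)]
    results["greedy_first_50"] = all(greedy[:50])
    results["greedy_51st"] = greedy[50]
    results["tabled"] = sorted(tbl.blocked)
    # cron run at t=4300: the flooder (tabled at ~100.5) is older than 4000 s,
    # the greedy client (tabled at 1100) is not yet
    results["expired"] = tbl.expire(4300)
    results["still_tabled"] = sorted(tbl.blocked)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes visible is that max-src-conn-rate catches bursts while max-src-conn catches slow accumulation, and that the cron expiry only releases entries older than the given age, so the two cooperate rather than overlap.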


_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx