On 12/30/06, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
"Abdullah Al-Marrie" <[EMAIL PROTECTED]> writes:
> I checked http://home.nuug.no/~peter/pf/en/bruteforce.html
>
> I still didn't find anything in the FAQ that covers table <bruteforce>
> persist. Do I need to create a file like /etc/bruteforce, or is there no
> need for that and it will be stored in the kernel until they expire or I
> reboot the box?

You can load data into a table from a file (or for that matter dump
table contents to a file) if you like. If it's important to keep the
table contents across reboots, you probably want to do something like

$ sudo pfctl -t foo -T show >/etc/tables/foo

or perhaps at regular intervals from cron, and declare your table
something like

table <foo> persist file "/etc/tables/foo"

> as su I type pfctl -t foo -Tl -f /etc/pf.conf but it returns nothing.

If you want to show table contents, a

$ sudo pfctl -t foo -T show

should be sufficient.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Ok,
I think it works now, but I'm sure I missed something, since it
doesn't block the flooder.
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub in on $ext_if all no-df
scrub on $ext_if all reassemble tcp
# Filtering: the implicit first two rules are
pass in all
pass out all
# Pass all 'quick' on localhost loopback device
pass quick on lo0 all
## Default DENY & Log filter rules
block in log all
block out log all
# Drop our 'badguys' 'quick' with no reply or logging.
block in quick on $ext_if from <foo> to any
# Pass in rules for Various services defined above. Using 'synproxy-state' for
# basic dDoS mitigation on TCP services.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
flags S/SA synproxy state
pass quick proto tcp from any to port 80 \
flags S/SA keep state \
(max-src-conn-rate 3/3, \
overload <foo> flush global)
# Pass UDP keeping state
pass in on $ext_if proto udp from any to $ext_if port $udp_services keep state
# Pass ICMP Type 8 (echo-reply) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# Pass FTP
pass in quick on $ext_if proto tcp from any to any port 21 flags S/SA \
keep state
pass in quick on $ext_if proto tcp from any to any port > 49151 keep state
# Pass out rule allowing all with modulate state
pass out on $ext_if proto tcp all modulate state flags S/SA
# Pass out rules for UDP, ICMP
pass out on $ext_if proto { udp, icmp } all keep state
# End
----
Here is the pfctl -s a output:
self tcp 66.90.105.115:80 <- 86.142.37.237:1086 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 211.213.208.237:3698 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 88.72.57.238:1345 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 88.72.57.238:1150 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 82.253.27.239:3079 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 85.24.126.240:1063 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 200.227.72.245:40219 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 84.61.12.247:1537 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 62.21.114.254:27475 TIME_WAIT:TIME_WAIT
self tcp 66.90.105.115:80 <- 62.21.114.254:27476 TIME_WAIT:TIME_WAIT
SOURCE TRACKING NODES:
INFO:
Status: Enabled for 0 days 00:02:57 Debug: Urgent
Hostid: 0x4a67045a
State Table Total Rate
current entries 112
searches 34551 195.2/s
inserts 3658 20.7/s
removals 3546 20.0/s
Counters
match 15284 86.4/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 350 2.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
TABLES:
foo
OS FINGERPRINTS:
293 fingerprints loaded
Could you suggest what I should do in this case?
--
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
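
An added example (not code from either poster) of the cron-driven table dump described in the quoted reply: it writes the table to a temporary file and renames it over the saved copy only when pfctl succeeds, so a failed run cannot truncate the list that `persist file` loads at boot. The function name `save_pf_table`, the `PFCTL` override variable and running the script as root from cron are assumptions of this example.

```shell
#!/bin/sh
# Added example: save a pf table to the file named in its declaration, e.g.
#   table <foo> persist file "/etc/tables/foo"
# Intended to run as root from cron; with "sudo pfctl ... > file" the
# redirect is performed by the unprivileged shell, not by root.

# Assumption: PFCTL can be overridden to point at another binary.
PFCTL="${PFCTL:-pfctl}"

# save_pf_table TABLE FILE
# Writes the current contents of TABLE to FILE.
# Returns non-zero and leaves FILE untouched if pfctl fails.
save_pf_table() {
    table="$1"
    file="$2"
    dir=$(dirname "$file")

    # Temporary file in the same directory, so mv is an atomic rename.
    tmp=$(mktemp "$dir/.${table}.XXXXXX") || return 1

    # A plain "> $file" would empty the saved list before pfctl runs;
    # writing to $tmp keeps the old list if pf is disabled or the
    # table does not exist.
    if ! "$PFCTL" -t "$table" -T show > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    chmod 644 "$tmp"    # mktemp creates the file with mode 0600
    mv -f "$tmp" "$file"
}

# When called with two arguments (table name, file), do the save.
if [ "$#" -eq 2 ]; then
    save_pf_table "$1" "$2"
fi
```
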