On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
> > Thank you for the tip.
> >
> > Here is what I'm using, which fixed the issue.
> >
> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> >         flags S/SA synproxy state
> > pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> >         flags S/SA keep state \
> >         (max-src-conn 30, max-src-conn-rate 30/3, \
> >          overload <bruteforce> flush global)
> > pass out proto tcp to any keep state
> >
> > Comments?
>
> The first rule won't match anything (same criteria as second rule, and
> last match wins with pf).  On the third rule, use 'flags S/SA' unless
> you have a good reason not to.
>
> Kian


I thought the first rule would defeat SYN floods.

Is the second rule going to do the same job as the first rule and
prevent SYN floods?

As for the third rule's syntax, should I make it like this?

"pass out proto tcp to any flags S/SA keep state" and shall I add the
same for udp?

"pass out proto udp to any flags S/SA keep state" ?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
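The following pf.conf fragment is an added example, not configuration from the thread or from either poster; it shows the three quoted rules reworked so that none is shadowed by pf's last-match-wins evaluation, and assumes that $ext_if, $tcp_services and the <bruteforce> table are defined as in the quoted rules.

```conf
# Added example: the quoted ruleset with the shadowing resolved.
# pf evaluates rules top to bottom and the LAST matching rule wins unless a
# rule carries "quick", so two "pass in" rules with identical match criteria
# leave only the second one in effect.
#
# Assumed names: $ext_if and $tcp_services are macros defined elsewhere in
# pf.conf; <bruteforce> is the table the overload clause fills.

table <bruteforce> persist

# Hosts that tripped the connection limits are refused before anything else;
# "quick" stops evaluation here so no later pass rule can override it.
block in quick on $ext_if proto tcp from <bruteforce> to any

# Shadowed pair from the original post: identical criteria, so only the
# second rule (keep state, no synproxy) ever took effect.
#pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
#        flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
#        flags S/SA keep state \
#        (max-src-conn 30, max-src-conn-rate 30/3, \
#         overload <bruteforce> flush global)

# Merged rule: synproxy completes the TCP handshake on pf's side before the
# connection reaches the server, and the state options still apply, so the
# per-source limits and the overload table work together with synproxy.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA synproxy state \
        (max-src-conn 30, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)

# Outbound: "flags S/SA" makes state creation depend on the initial SYN only.
# "flags" is a TCP-only option; pfctl rejects it on a UDP rule, so the UDP
# counterpart has no flags clause.
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto udp from any to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without applying, then `pfctl -f /etc/pf.conf`.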
