rate limit with pf instead of IPFW
Max Laier
max at love2party.net
Fri Dec 29 05:51:38 PST 2006
On Friday 29 December 2006 12:05, Abdullah Al-Marrie wrote:
> On 11/23/06, Max Laier <max at love2party.net> wrote:
> > > On 11/23/06, Jon Simola <jsimola at gmail.com> wrote:
> > > > > Greetings BPF gurus!
> > > >
> > > > PF? bpf is different and has little to do with firewalling.
> > > >
> > > > > Could someone please give me full example to setup
> > > > > limit {src-addr | src-port | dst-addr | dst-port} to do what
> > > > > IPFW 01000 allow tcp from any to me setup limit src-addr 5
> > > > > currently does
> > > >
> > > > I use something like this:
> > > >
> > > > pass in on $ext_if proto tcp from any to $ext_if port smtp flags
> > > > S/SA keep state (source-track rule, max-src-states 5)
> > > >
> > > > --
> > >
> > > Greetings Jon,
> > >
> > > Could you please post your pf.conf with the rules so I can use it
> > > as a guide?
> >
> > If you are looking for a guide - I suggest reading the pf-faq on the
> > OpenBSD site or Peter's great tutorial, available from:
> > http://home.nuug.no/~peter/pf/ The topic in question, is discussed
> > here: http://home.nuug.no/~peter/pf/en/bruteforce.html
> >
> > --
> > /"\ Best regards, | mlaier at freebsd.org
> > \ / Max Laier | ICQ #67774661
> > X http://pf4freebsd.love2party.net/ | mlaier at EFnet
> > / \ ASCII Ribbon Campaign | Against HTML Mail and News
>
> Thank you Max, and Jon for your kind prompts to help me to sort this
> problem.
>
> PF is very powerful, again thanks for porting it to FreeBSD. :)
>
> I checked http://home.nuug.no/~peter/pf/en/bruteforce.html
>
> I still didn't find something in the faq that covers "table <bruteforce>
> persist". Do I need to create a file like /etc/bruteforce, or is there no
> need for that and it will be stored in the kernel until the entries expire
> or I reboot the box?
You can *load* a table from a file; pf.conf(5) has the syntax to do so.
Afterwards the table exists in kernel memory and all updates only happen
there (and are not written back to the file). There are tools that help
with that, however.
> Here is my pf.conf
...
> # Tables: similar to macros, but more flexible for many addresses.
> table <foo> persist
...
> # End
>
> Am I missing something?
You probably want a "block ... from <foo>" rule somewhere in order for the
thing to take effect.
> as su I type pfctl -t foo -Tl -f /etc/pf.conf but it returns nothing.
>
> I want to see the current IPs being blocked since I used overload <foo>
Read the pfctl(8) manpage. You are reloading the table from the pf.conf
file - which causes it to be empty. In order to show the contents, you
need something like:
pfctl -t foo -Tshow # a couple of "-v" gives nice statistics as well
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
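The pieces this thread keeps circling around (a persistent table, a block rule that actually consumes it, the IPFW "limit src-addr 5" equivalent, and the overload rule that fills the table) put together in one pf.conf fragment. This is an added example, not the poster's pf.conf and not code from the thread; the interface name em0 and the ports are assumed for illustration.

```pf
# Added example, not part of the original thread.  "em0" is an assumed
# interface name; adjust the macro to match your box.
ext_if = "em0"

# Offender table.  "persist" keeps it in the kernel even while no rule
# references it.  Its contents live only in kernel memory: nothing is
# written back to pf.conf or any other file, and a reboot empties it.
table <bruteforce> persist

# Without a rule that matches on the table, overload just collects
# addresses and blocks nothing.  "quick" stops evaluation here so a later
# pass rule cannot let a listed address back in.
block in quick on $ext_if from <bruteforce>

# Equivalent of IPFW "allow tcp from any to me setup limit src-addr 5":
# at most 5 concurrent states per source address for this rule.
pass in on $ext_if proto tcp from any to $ext_if port smtp \
    flags S/SA keep state (source-track rule, max-src-states 5)

# Brute-force protection from Peter's tutorial: at most 10 open
# connections per source and at most 5 new connections per 30 seconds.
# Sources that exceed either limit are added to <bruteforce> and all of
# their existing states are killed ("flush global"), so the block rule
# above bites immediately rather than only on the next new connection.
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

With this loaded, "pfctl -t bruteforce -T show" lists the addresses currently caught, "-v" or "-vv" adds per-entry packet and byte counters, and "pfctl -t bruteforce -T expire 86400" removes entries older than a day (the argument is a number of seconds, so this is a good cron job). Single entries are removed with "pfctl -t bruteforce -T delete 192.0.2.1" (an example address). To survive a reboot, dump the table to a file with "-T show" and put it back with "pfctl -t bruteforce -T add -f file". Note that "-T load -f /etc/pf.conf" (what "-Tl" does) re-reads the table *definition* from the file and replaces the live contents with it, which for a persist table defined with no addresses means emptying it; it is the one pfctl table command you do not want to run on an overload table.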