Best way to decrease DDoS with pf.
Kian Mohageri
kian.mohageri at gmail.com
Fri May 18 09:05:43 PDT 2007
On 5/18/07, Abdullah Ibn Hamad Al-Marri <almarrie at gmail.com> wrote:
> Thank you for the tip.
>
> Here's what I'm using, which fixed the issue.
>
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
> flags S/SA synproxy state
> pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
> flags S/SA keep state \
> (max-src-conn 30, max-src-conn-rate 30/3, \
> overload <bruteforce> flush global)
> pass out proto tcp to any keep state
>
> Comments?
The first rule won't match anything (same criteria as second rule, and
last match wins with pf). On the third rule, use 'flags S/SA' unless
you have a good reason not to.
Kian
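As an added illustration (not the original poster's ruleset or Kian's), here is one way to act on both comments above: merge the two inbound rules so synproxy and the per-source limits live in one rule, add the table and block rule the overload clause needs, and put 'flags S/SA' on the outbound rule. The interface name, port list and table handling are assumptions.

```pf
# Added example, not the poster's configuration. Macro values are assumed.
ext_if = "em0"
tcp_services = "{ 22, 80, 443 }"

# Sources that exceed the limits are added here; 'persist' keeps the table
# defined even while it is empty.
table <bruteforce> persist

# Drop listed offenders first; 'quick' stops evaluation so no later pass
# rule can override this block.
block in quick on $ext_if from <bruteforce>

# One inbound rule instead of two with identical criteria: pf evaluates the
# whole ruleset and the last matching rule wins, so a second rule with the
# same match criteria would silently replace the first. synproxy completes
# the TCP handshake before creating state, and the state options apply the
# per-source limits to that same rule.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA synproxy state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

# Outbound: create state only on the initial SYN, as suggested above.
pass out on $ext_if proto tcp from any to any flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect the table with `pfctl -t bruteforce -T show` to see which sources have been added.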
More information about the freebsd-pf mailing list