First, set up the table by adding the following line to your tables section:

    table <bruteforce> persist

Then, somewhere fairly early in your rule set, set up the rule to block traffic from the brute forcers, as shown here:

    block quick from <bruteforce>

And finally, add your pass rule like this:

    pass inet proto tcp from any to $localnet port $tcp_services \
        keep state (max-src-conn 100, max-src-conn-rate 15/5, \
        overload <bruteforce> flush global)

This is rather similar to what we've seen before, isn't it? In fact, the first part is identical to the rule we constructed earlier. What you should pay close attention to is the part in parentheses, called state-tracking options. These will ease your network load even further.

max-src-conn is the number of simultaneous connections you allow from one host. In this example, I've set it to 100. However, in your setup you may want a slightly higher or lower value, depending on the traffic patterns on your network.

max-src-conn-rate is the rate of new connections allowed from any single host, here 15 connections per 5 seconds. Again, you are the one to judge what suits your setup.

overload <bruteforce> means that any host that exceeds these limits has its address added to the <bruteforce> table. Our rule set blocks all traffic from addresses in the <bruteforce> table.
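The three pieces above, assembled into one pf.conf fragment so the order of the rules and the meaning of each state-tracking option can be seen together. This is an added example, not text from The Book of PF; the interface name, the local network and the service list are assumed placeholders.

```pf
# Added example (not from The Book of PF). Macro values below are assumptions.
ext_if = "em0"                      # assumed external interface
localnet = "192.0.2.0/24"           # assumed local network (documentation range)
tcp_services = "{ ssh, smtp, www }" # assumed services to protect

# Table of addresses that exceeded the state-tracking limits.
# 'persist' keeps the table in the kernel even when no rule references it,
# so its entries survive a rule set reload.
table <bruteforce> persist

# Drop offenders early. 'quick' ends rule evaluation here, so no later
# pass rule can let an address in the table through.
block quick from <bruteforce>

# Allow the services, but track each source host's behaviour:
#   max-src-conn 100       at most 100 simultaneous states from one host
#   max-src-conn-rate 15/5 at most 15 new connections per 5 seconds
#   overload <bruteforce>  add the source address to the table on breach
#   flush global           also kill every existing state from that host
pass inet proto tcp from any to $localnet port $tcp_services \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)
```

Entries added by overload never expire on their own, so a host that tripped the limit once stays blocked until removed. `pfctl -t bruteforce -T show` lists the current entries, `pfctl -t bruteforce -T delete 192.0.2.10` removes a single (here constructed) address after a false positive, and `pfctl -t bruteforce -T expire 86400` drops entries older than 24 hours, which is the usual thing to run from cron so the table does not grow without bound.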
Curiosities, tips and trivia related to the area of:
Computing > networks/programming/security.
Tuesday, June 28, 2011
Getting rid of the ignorant - DoS/DDoS
(original text from: The Book of PF)