On 25/08/2022 12:20, Michael Gmelin wrote:


On Thu, 25 Aug 2022 10:48:45 +0200
Carlos López Martínez <clo...@outlook.com> wrote:

Hi all,

I am trying to rate limit public connections for certain services to
avoid brute-force attacks under a FreeBSD 13.1 firewall. Under OpenBSD
it is "pretty simple" with a rule like:

table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from !<internal_networks> to (egress:0) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global) rdr-to $internal_server

But under FreeBSD, when I try to combine "pass" with "rdr" rules, it
doesn't work. For example:

rdr on egress inet proto tcp from !<internal_networks> to egress \
    port $tcp_services -> $internal_server

pass in on egress inet proto tcp from !<internal_networks> to (egress:0) \
    port $tcp_services flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

Any idea what I am doing wrong?

Your pass rule won't match the rdr rule, as it is matched *after*
rdr was applied. So at this point the target address is not egress:0
anymore, but $internal_server.

If your traffic passes anyway, it's probably matched by some other more
general rule.

You could simplify your config by using tags, which could look like
this:

   rdr on egress inet proto tcp from !<internal_networks> to \
     egress port $tcp_services tag pass_rate_limit -> $internal_server

   pass in quick flags S/SA keep state (max-src-conn 100, \
     max-src-conn-rate 15/5, overload <bruteforce> flush global) \
     tagged pass_rate_limit

Using the "pass quick" rule early in your pf.conf will make sure it is
applied instead of other matching rules.

Cheers
Michael


It is working now using "rdr on egress... tag..." and "pass in quick .... tagged ...."

Many thanks, Michael and kaycee
--
Best regards,
C. L. Martinez
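As an added example, not taken from the thread or its authors, here is a complete pf.conf fragment for FreeBSD 13.x that puts the tag-based rdr/pass pair together with the overload table and the block rule that consumes it. The interface name, addresses, ports and table contents are constructed placeholders; an explicit interface is used instead of the "egress" group, which on FreeBSD only exists if you create it yourself.

```pf
# Added example (not from the thread). All values below are placeholders.
ext_if = "em0"                     # assumption: external interface
internal_server = "192.0.2.10"     # assumption: documentation-range address
tcp_services = "{ 22, 443 }"       # assumption: services exposed via rdr

table <internal_networks> const { 192.168.0.0/16, 10.0.0.0/8 }
table <bruteforce> persist         # filled by 'overload' below

set skip on lo0

# Translation rules must come before filter rules in FreeBSD pf.conf.
# The tag is attached when rdr rewrites the destination, so a filter
# rule can match on it even though the address is now $internal_server.
rdr on $ext_if inet proto tcp from !<internal_networks> to ($ext_if) \
    port $tcp_services tag pass_rate_limit -> $internal_server

# Drop sources already in the overload table before any pass rule runs.
block in quick on $ext_if from <bruteforce>

# Pass the redirected traffic with per-source limits: at most 100
# concurrent states, at most 15 new connections per 5 seconds. A source
# exceeding either limit is added to <bruteforce> and all of its
# existing states are torn down ('flush global').
pass in quick on $ext_if flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global) \
    tagged pass_rate_limit

# Default policy for everything else follows the tagged rule.
block in log on $ext_if
pass out on $ext_if keep state
```

Entries added by overload do not expire on their own; inspect them with `pfctl -t bruteforce -T show` and age them out periodically with `pfctl -t bruteforce -T expire <seconds>`, for example from cron.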
