On 2023-07-18, mabi <m...@protonmail.ch> wrote:
> Hello,
>
> From the following documentation, I am trying to figure out which PF tracking 
> options are also valid for UDP but unfortunately it is not quite clear to me: 
>
> https://man.openbsd.org/pf.conf.5#Stateful_Tracking_Options
>
> My goal would be to add rate limiting options to a PF UDP pass rule in 
> order to limit DDoS/DoS attacks on port 53.
>
> Interesting would be especially the "max-src-states" option. Is this option 
> also valid for UDP?
> 
> Is it also possible to use the "overload" option with UDP in order to add 
> source IPs into a table of attackers which I will then block?

PF's state-tracking options are only for TCP. (Blocking an IP
based on number of connections from easily spoofed UDP is a good
way to let third parties prevent your machine from communicating
with IPs that may well get in the way i.e. trigger a "self DoS").

You may be interested in looking into L7 methods of mitigating
problems from high rates of DNS queries - for example dnsdist
allows a lot of flexibility in this area.
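
As an added example (not part of mabi's question or the reply above), here is a minimal dnsdist configuration of the kind the reply points at: per-source rate limiting done at the DNS layer, answering over-limit UDP queries with the TC bit so that genuine clients fall back to TCP while spoofed UDP sources gain nothing. The listen address, backend address and QPS thresholds are assumptions for illustration.

```lua
-- Constructed dnsdist config (added example; addresses and thresholds are assumptions)
setLocal("192.0.2.53:53")                 -- public-facing listener (placeholder address)
newServer({address = "127.0.0.1:5353"})   -- real resolver / authoritative server behind dnsdist

-- Rules are evaluated in order and the first match wins, so the hard ceiling
-- comes first: above 200 qps from one source (/32 for IPv4, /64 for IPv6)
-- the query is dropped outright.
addAction(MaxQPSIPRule(200, 32, 64), DropAction())

-- Softer limit: above 50 qps from one source, reply with only the TC bit set.
-- A real client retries over TCP (which cannot be spoofed), a spoofed source
-- never sees the answer, and no IP is blocked on the basis of forged packets,
-- which avoids the "self DoS" problem described above.
addAction(MaxQPSIPRule(50, 32, 64), TCAction())
```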
