# pf - denial of service advice



## drbabbers (Jan 7, 2010)

All,

I am a bit of a newbie with pf on FreeBSD and I need some advice on some firewall rules/configuration changes to prevent/stop dos attacks. I have setup a fairly basic system allowing ftp, www and ssh packets inbound.

If I check my firewall state I am getting hammered with connections on port 21 from various random hosts, too many to actually add into a manual block table. The ones I do add in my block table do actually stop, but I am getting way too many IPs listed to manually add.

Are there any helpful entries I can add into my pf.conf file to prevent such attacks?

Thanks in advance.
D


----------



## danger@ (Jan 7, 2010)

try to have a look at http://www.openbsd.org/faq/pf/filter.html#stateopts if that would help you (also do not overlook the "overload" keyword)
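An added example of what the state options and the overload keyword look like in a pf.conf, written for this page and not taken from the thread or from the linked FAQ. The interface name, the table name and the per-source limits are assumptions; tune the numbers to what your real clients do.

```pf
# Added example pf.conf fragment (not from the thread). "em0", the table
# name and every threshold below are assumptions to adjust for your site.
ext_if = "em0"

# Addresses that tripped a limit land here. "persist" keeps the table
# across rule reloads so a pfctl -f does not forgive everyone.
table <bruteforce> persist

set skip on lo0

# Anything already in the table is dropped silently, before any pass rule.
block in quick on $ext_if from <bruteforce>

# FTP control channel: at most 10 concurrent states per source address and
# at most 15 new connections per 30 seconds per source. A source that goes
# over either limit is added to <bruteforce>, and "flush global" kills all
# of its existing states, not just the ones created by this rule.
pass in on $ext_if proto tcp to ($ext_if) port 21 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 15/30, \
     overload <bruteforce> flush global)

# Same idea for ssh, with tighter numbers: real admins do not open five
# ssh sessions a minute from one host.
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/60, \
     overload <bruteforce> flush global)

# www gets a looser limit because browsers open several connections per
# page; set this too low and you block your own users.
pass in on $ext_if proto tcp to ($ext_if) port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 60/10, \
     overload <bruteforce> flush global)
```

Two caveats a practitioner should keep in mind. First, the port 21 rule only covers the control channel; passive-mode data connections need ftp-proxy or an equivalent, otherwise active transfers will break once you stop passing everything. Second, overload only catches sources that connect faster than the rate limit. A bot that tries one password every few seconds stays under `15/30` forever, which is why a log-watching tool is still needed for the slow brute-force case. Inspect and age the table with `pfctl -t bruteforce -T show` and, from cron, `pfctl -t bruteforce -T expire 86400` to drop entries older than a day.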


----------



## SirDice (Jan 7, 2010)

drbabbers said:

> I am a bit of a newbie with pf on FreeBSD and I need some advice on some firewall rules/configuration changes to prevent/stop dos attacks.


Yeah, stop wasting your time 



> I have setup a fairly basic system allowing ftp, www and ssh packets inbound.


Good. There isn't much else you can do really. Sure you can limit/throttle the number of connections somewhat but if an attacker manages to send 100Mbps to your 10Mbps connection you will get hosed nonetheless.



> If I check my firewall state I am getting hammered with connections on port 21 from various random hosts, too many to actually add into a manual block table.. The ones I do add in my block table do actually stop, but I am getting way too many IP's listed to manually add.


Most likely this isn't a DoS but an ftp bruteforce attack. They scan for FTP hosts and try to login using common username/password combinations. There are several tools available that'll block an IP address after an X number of failed login attempts. I use security/sshguard-pf on my server to protect my sshd. It can also be used to protect against ftp bruteforce attacks.



> Are there any helpful entries I can add into my pf.conf file to prevent such attacks?


Start by realizing that you can never _prevent_ attacks like this. That's because you have no control over the millions of zombie machines that scan your IP address. Best you can do is mitigate the risks.
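The "block after X failed logins" approach SirDice describes for sshguard can be shown in a few lines of code. The following is an added example written for this page, not code from the thread or from sshguard: it parses failed-login messages from a constructed syslog excerpt, counts failures per source address inside a sliding time window, and produces the `pfctl -t ... -T add` commands that would put the offenders in a pf table. The log line format imitates FreeBSD ftpd's "FTP LOGIN FAILED FROM" message, and the threshold, window and table name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real traffic). The ftpd message shape
# follows FreeBSD's "FTP LOGIN FAILED FROM <host>, <user>"; treat it as an
# assumption and check your own /var/log/auth.log or messages.
SAMPLE_LOG = """\
Jan  7 10:23:41 gw ftpd[3121]: FTP LOGIN FAILED FROM 203.0.113.5, root
Jan  7 10:23:42 gw ftpd[3122]: FTP LOGIN FAILED FROM 203.0.113.5, admin
Jan  7 10:23:43 gw ftpd[3123]: FTP LOGIN FAILED FROM 203.0.113.5, test
Jan  7 10:23:44 gw ftpd[3124]: FTP LOGIN FAILED FROM 203.0.113.5, ftp
Jan  7 10:23:50 gw ftpd[3125]: FTP LOGIN FAILED FROM 198.51.100.7, root
Jan  7 10:24:10 gw ftpd[3126]: FTP LOGIN FROM 192.0.2.9 as dave
Jan  7 10:30:00 gw ftpd[3127]: FTP LOGIN FAILED FROM 198.51.100.7, root
Jan  7 10:31:00 gw sshd[3200]: Failed password for root from 203.0.113.77 port 4411 ssh2
"""

# Only ftpd failures are matched here; successful logins and sshd lines are
# ignored on purpose so they never count against a host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FAILED FROM (?P<ip>[0-9A-Fa-f.:]+),"
)


def parse_failures(log_text, year=2010):
    """Return a list of (timestamp, source_ip) for every ftpd login failure.

    syslog lines carry no year, so the caller supplies one (assumption:
    the excerpt does not straddle New Year).
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((when, m.group("ip")))
    return failures


def offenders(failures, threshold=3, window=timedelta(minutes=5)):
    """Return the sorted addresses with >= threshold failures inside any
    `window`-long span. A sliding window per address, so two failures an
    hour apart do not add up to a ban."""
    recent = defaultdict(deque)
    flagged = set()
    for when, ip in sorted(failures):
        q = recent[ip]
        q.append(when)
        # Drop attempts that fell out of the window relative to this one.
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


def pfctl_commands(ips, table="bruteforce"):
    """Build the pfctl invocations that add each address to the pf table.

    Returned as strings rather than executed, so the logic can be checked
    without root or a running pf; a real daemon would run them via
    subprocess as root.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(parse_failures(SAMPLE_LOG))):
        print(cmd)
```

With the sample input only 203.0.113.5 is flagged: it fails four times within seconds, while 198.51.100.7 fails twice more than six minutes apart and stays below the threshold. The `block in quick ... from <bruteforce>` rule in pf.conf does the rest, and this is essentially the loop sshguard runs for you, with log parsers for several daemons and an expiry timer.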


----------

