# PF rules for httpd



## atmosx (Sep 15, 2012)

Hello,

I am going to use FreeBSD with Nginx and a Ruby (unicorn) app. I cannot use jails; I have a fairly secure system, since I'm the only user who has access to it... No other users lying around.

Nginx will not feature any post form. Nginx is going to serve an Octopress blog, which features static content and some JavaScript. There's no login mechanism since I do my changes locally and 'deploy' via SSH.

Are there any PF rules that would help an httpd with possible break-in attempts and DoS attacks? If yes, can I see some examples to start getting ideas?

Thanks and best regards


----------



## SirDice (Sep 17, 2012)

atmosx said:

> Are there any PF rules that would help an httpd with possible break-in attempts and DoS attacks? If yes, can I see some examples to start getting ideas?


PF works on layer 3/4. Almost all web-based attacks happen above layer 7, on the application. There's nothing in PF that can prevent an application-based attack.

As for a DoS, you can rate limit some of the connections, but with a proper DDoS your uplink will be completely saturated; no amount of filtering on your end of the pipe is going to change that.


----------
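A concrete pf.conf fragment of the kind SirDice describes, showing per-source connection limits with an overload table; this is an added example, not rules posted by anyone in the thread. It assumes the external interface is `em0`, that the web server listens on 80/443 and SSH on 22, and the thresholds are placeholders to tune for the real traffic.

```pf
# Added example pf.conf fragment (not the poster's rules).
# Assumption: external interface is em0; adjust to the real host.
ext_if    = "em0"
web_ports = "{ 80, 443 }"

# Addresses that exceeded a limit land here. Entries are not expired
# automatically; a cron job such as
#   pfctl -t bruteforce -T expire 3600
# removes entries older than an hour.
table <bruteforce> persist

set skip on lo0

# Drop traffic from already-flagged sources before any other rule.
block drop in quick on $ext_if from <bruteforce>

# Default deny inbound on the external interface; pass rules below
# are more specific and match last.
block in on $ext_if

# Web traffic: at most 50 concurrent states per source, and no more
# than 30 new connections per 5 seconds. A source crossing either
# limit is added to <bruteforce> and all its states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port $web_ports \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 30/5, \
     overload <bruteforce> flush global)

# SSH used only for deploying the site, so a much tighter rate:
# 5 concurrent sessions, 3 new connections per minute.
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/60, \
     overload <bruteforce> flush global)

pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -t bruteforce -T show` for a while to make sure legitimate browsers (which open several parallel connections per page) are not being caught by the limits.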



## atmosx (Sep 21, 2012)

Hello,

Rate limiting will work, I think. I'm not sure, but if httpd scripts use threads (meaning simultaneous connections) to get results ASAP, rate limiting is a good way to go.

Thanks for the hint.


----------



## shitson (Sep 22, 2012)

Are DoS attacks a problem with your site, and what is your expected number of hits per day?


----------



## atmosx (Sep 23, 2012)

Hello, here are the rules that I currently use. There's a problem with dnsmasq though: it doesn't supply IPs to the local network, which might make sense... Maybe I should change that to *any* instead of *$lan*.

My httpd should not exceed 100-150 hits per day. It now receives less than 50. DoS attacks, I think, are not a problem, because my website is not receiving hits/notoriety of any sort, so... I can hardly see it as a possible target for a botnet or something.


----------

