# [PF] Protecting jails from DDOS attacks



## thegolum35 (Aug 15, 2011)

Hi,

I'm actually trying to configure pf in order to protect jails from DDOS attacks. For this, I tried doing this:

/etc/pf.conf


```
net_if1= "wlan0"

table <deny-hosts> persist
table <ssh-bruteforce> persist 
table <me> { self }

# What to do on 'block' rule ?

set block-policy drop
set skip on lo0
scrub in all
scrub out all
antispoof for $net_if1 inet

block log all 

block log quick on $net_if1 from {<deny-hosts> <ssh-bruteforce>}

pass out quick inet

pass in on $net_if1 inet from ($net_if1:network) to any keep state

pass in log on $net_if1 inet proto tcp from any to <me> port 22 synproxy state (max-src-conn-rate 3/10, overload <ssh-bruteforce> flush global) rdr-to 192.168.1.50
```
 but I get a syntax error from line 23 .

Is the rdr-to syntax working on FreeBSD ?

Thanks, Gollum


----------



## SirDice (Aug 16, 2011)

If I'm not mistaken rdr-to was added in OpenBSD 4.6. FreeBSD's PF is from 4.1.


----------



## thegolum35 (Aug 16, 2011)

It what explains why the above code works on FreeBSD9. Is what follow equal to above code ?
/etc/pf.conf:
	
	



```
net_if1= "wlan0"

table <deny-hosts> persist
table <ssh-bruteforce> persist 
table <me> { self }

# What to do on 'block' rule ?

set block-policy drop
set skip on lo0
scrub in all
scrub out all
#antispoof for $net_if1 inet

rdr on $net_if1 proto tcp from any to any port 22 -> 192.168.1.50

block log all 

block log quick on $net_if1 from {<deny-hosts> <ssh-bruteforce>}

pass out quick inet

pass in on $net_if1 inet from ($net_if1:network) to any keep state

pass in log on $net_if1 inet proto tcp from any to <me> port 22 synproxy state (max-src-conn-rate 3/20, overload <ssh-bruteforce> flush global)
```


----------

