# PF "Anti-ddos" config?



## maximilian (Feb 12, 2012)

Hello,

*C*an you look into my PF configuration and look where *I* can tune it or where *I* have errors? (sorry for my bad *E*nglish  )


```
### macro name for external interface.
ext_if = "re0"

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble

### set a default deny everything policy.
#block all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacts from ddos become uneffective because
### a spoofed client cannot complete a handshake.

### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

### setup a table and ruleset that prevents excessive abuse by hosts
### that attempt to brute force the ssh daemon with repeated requests.
### any host that hammers more than 3 connections in 5 seconds gets
### all their packet states killed and dropped into a blackhole table.
#table <ssh_abuse> persist
#block in quick from <ssh_abuse>
#pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10,
#max-src-conn-rate 3/5, overload <ssh_abuse> flush)

table <ddos> persist
block in quick from <ddos>
pass in proto tcp from any to self port 80 keep state \
(max-src-conn 5, max-src-conn-rate 5/5, overload <ddos> flush)
```

*I* hope you can help me.

*G*reetings.


----------

