
RE: Source Tracking in PF



Cheers Ryan!
This is a big step towards DDoS proofing OpenBSD! 
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:[email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Ryan McBride
Sent: Monday, December 15, 2003 12:24 AM
To: [email protected]
Subject: Source Tracking in PF
I just committed code which adds support to track stateful connections by
source IP address. This allows a user to:
- Ensure that clients get a consistent IP mapping with load-balanced
  translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
As always, the more people who test this and provide feedback, the happier I
am. Read below for details.
-Ryan
SYNTAX:
The 'sticky-address' keyword applies to translation rules; the translation
address will be selected from the list, but once a client makes a
connection, all subsequent connections are translated the same way.
nat on $ext_if from $int_net to any -> \
        { 10.1.2.1, 10.1.2.3 } round-robin sticky-address
Similarly in the following case, connections to a server are mapped
randomly, but all connections from a client are mapped the same way.
rdr on $ext_if from any to $ext_if -> \
        { 192.168.0.4/30 } random sticky-address
In the case of tracking states per rule, the syntax is slightly different.
The 'source-track' state option is used to enable tracking; limits can also
be set there: 'max-src-states' limits how many states from a single source
can exist simultaneously, and 'max-src-nodes' limits how many source nodes
can exist (effectively this is a limit on how many clients can connect at
once).
The following rule allows a maximum of 1000 source IPs to connect to a
webserver, each with a maximum of 3 simultaneous states:
pass in on $ext_if proto tcp to $webserver port www flags S/SA \
        keep state (source-track, max-src-states 3, max-src-nodes 1000)
By default, the source node is removed when all the states which reference
it are removed. However, the timeout 'src.track' regulates how long the
source node is retained after all its states have died.
set timeout src.track 900
A list of src nodes can be retrieved with pfctl -sS or pfctl -vsS; pfctl -vsi
provides statistics on src-node usage (similar to the statistics provided
for states).