LinuxQuestions.org
Old 11-07-2008, 03:12 PM   #1
sarajevo
Member
 
Registered: Apr 2005
Distribution: Debian, OpenBSD,Fedora,RedHat
Posts: 228
Blog Entries: 1

Rep: Reputation: 31
Udp bombs and pf tool, prevention of udp floods


Hi all,

I have the following lines at the beginning of my filter part within the PF firewall:

block in on $ext_if
block in log (all) quick on $ext_if proto udp from $bad_guy to $ext_if

So, I must not say quick in the first rule because it will not process the other rules in the chain; with the second rule I just want to block all packets from some address(es), by protocol udp, to the external if.

My question is: is there some way within PF (OpenBSD as platform) to say, for example, after receiving 10000 packages, all the rest are to be dropped?
The problem is, on my external interface I receive real udp bombs, and so I just want to drop all and still be able to connect.
I read and understand to create a queue rule and assign it 1% of my bandwidth, but it does not help.

Any suggestion is welcome, and thank you in advance.
 
Old 11-10-2008, 01:04 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Consult: http://www.openbsd.org/faq/pf/filter.html#stateopts

It seems like something along these lines should work:
Code:
pass in on $ext_if proto udp from any to ($ext_if) port 53 keep state (max 200, source-track rule, max-src-states 20)
It doesn't look like you can automatically add table entries for UDP pseudo-state overloads, only TCP.
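
The suggested rule placed in the context of the original ruleset, as an added example that is not part of either post. The interface name, the `<bad_guys>` table (used in place of the `$bad_guy` macro), the TCP port 22 rule and its limits are assumptions; the UDP rule is the one from the reply above.

```pf
# Added example. em0, <bad_guys>, the port 22 rule and its limits are assumptions.
ext_if = "em0"

# Addresses to drop outright. Filled by hand, for example:
#   pfctl -t bad_guys -T add 192.0.2.10     (documentation address, constructed)
# and, for TCP only, by the overload option further down.
table <bad_guys> persist

# Default deny inbound. No "quick" here, so later pass rules can still match.
block in on $ext_if

# Known offenders: "quick" ends rule evaluation at this point. Logging is
# left off so that a flood is not also written to pflog packet by packet.
block in quick on $ext_if from <bad_guys> to ($ext_if)

# UDP rule from the reply: the rule may hold at most 200 states in total and
# at most 20 per source address. Once a limit is reached, packets that would
# create a new state are dropped until existing states time out.
pass in on $ext_if proto udp from any to ($ext_if) port 53 \
    keep state (max 200, source-track rule, max-src-states 20)

# TCP for contrast: max-src-conn and max-src-conn-rate count connections that
# completed the handshake, and "overload" adds the offending source to the
# table. These options apply to TCP only, which is why the UDP rule above
# cannot populate <bad_guys> automatically.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    keep state (max-src-conn 20, max-src-conn-rate 10/5, \
                overload <bad_guys> flush global)

# Check and inspect:
#   pfctl -nf /etc/pf.conf          parse the file without loading it
#   pfctl -s Sources                show the source tracking table
#   pfctl -t bad_guys -T show       list the blocked addresses
```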
 
  

