Netgate Discussion Forum

DoS prevention

Firewalling
4 Posts 3 Posters 1.8k Views

ssheikh, Mar 9, 2013, 5:34 PM (last edited Mar 9, 2013, 5:36 PM)

    Is it true that unless I explicitly define:

    • Maximum state entries this rule can create
    • Maximum number of unique source hosts
    • Maximum number of established connections per host
    • Maximum state entries per host
    • Maximum new connections / per second(s)
    • State Timeout in seconds

    in a firewall rule, pfSense will not do any kind of DoS prevention on inbound NAT-ed ports (Port Forwarding)? In my lab, when I flood a webserver NAT-ed behind pfSense, I see pfSense just relaying the DoS attack in its entirety to the web server.

    Thanks,

    Shahid

    SysIT, Mar 10, 2013, 5:26 AM

      For the most part, you can't stop DoS or DDoS attacks yourself; it is something your ISP needs to do, because usually the attack is all about bandwidth with UDP packets.

      So unless you have a massive connection (1Gb or more), there is little you can do about it.

      You can block UDP packets and also set your HTTP / HTTPS hosted sites to synstate in the advanced settings of your firewall rules; this will help with TCP:S (SYN attack) packets.

      ¸,ø¤°`°¤ø,¸© Poor Planning On Your Part Does Not Constitute An Emergency On My Part ©¸,ø¤°`°¤ø,¸
      ¸,ø¤°`°¤ø,¸© The trouble with life is there's no background music ©¸,ø¤°`°¤ø,¸
      ¸,ø¤°`°¤ø,¸© Life isn't short, you're just dead for too long ©¸,ø¤°`°¤ø,¸

      cmb, Mar 10, 2013, 5:33 AM
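As an added illustration (not code from this thread, from Netgate or from pfSense itself): the six options in the question are the pfSense GUI names for pf's per-rule state options, and the "synstate" setting SysIT mentions is pf's synproxy state. The pf.conf fragment below shows a port-forwarded web server rule with all of those limits set and an overload table that blocks any source that trips them. The interface name, addresses and every numeric limit are assumed sample values chosen for this example; the mapping from GUI label to pf keyword is given in the comments. As cmb's reply points out, these limits only cap state creation on the firewall; they do nothing against a flood that saturates the WAN link itself.

```pf
# Added example, not from the thread: pf.conf for a NAT-ed web server
# with per-rule state limits. Macro values below are assumptions.
ext_if    = "em0"
webserver = "10.0.0.10"

# Sources that exceed the limits are added to this table and dropped
# before any pass rule is evaluated.
table <dos_offenders> persist
block in quick on $ext_if from <dos_offenders> to any

# Port forward WAN:80 -> webserver:80 (pfSense generates this from the NAT rule).
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80

# Mapping of pfSense GUI option -> pf keyword used in the rule below:
#   Maximum state entries this rule can create          -> max 1000
#   Maximum number of unique source hosts               -> max-src-nodes 200
#   Maximum number of established connections per host  -> max-src-conn 20
#   Maximum state entries per host                      -> max-src-states 50
#   Maximum new connections / per second(s)             -> max-src-conn-rate 15/5
#   State Timeout in seconds (applied to TCP as the
#   established-state timeout)                          -> tcp.established 3600
# source-track rule is required for the per-host limits; synproxy state
# answers the TCP handshake on the firewall so half-open floods never
# reach the server; overload ... flush global moves an offending source
# into the table and kills all of its existing states.
pass in quick on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state \
    ( max 1000, source-track rule, max-src-nodes 200, \
      max-src-conn 20, max-src-states 50, max-src-conn-rate 15/5, \
      tcp.established 3600, overload <dos_offenders> flush global )
```

Sources that have been trapped can be listed with `pfctl -t dos_offenders -T show`, and entries older than an hour can be cleared with `pfctl -t dos_offenders -T expire 3600`, which is the usual way to keep a legitimate but busy client from staying blocked indefinitely.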

        Yes, that's true. One person's DoS is lower than another person's average traffic. We don't put restrictions on things because it's impossible to do so in a way that's suitable for even a majority of people, much less everyone.

        SysIT, Mar 10, 2013, 5:45 AM

          That's the issue, and that is why Prolexic and Neustar are in business: let someone else worry about it, if you can afford it.


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.