    DoS prevention

    Firewalling
ssheikh

      Is it true that unless I explicitly define:

      • Maximum state entries this rule can create

      • Maximum number of unique source hosts

      • Maximum number of established connections per host

      • Maximum state entries per host

      • Maximum new connections / per second(s)

      • State Timeout in seconds

in a firewall rule, pfSense will not do any kind of DoS prevention on inbound NAT-ed ports (port forwarding)? In my lab, when I flood a web server NAT-ed behind pfSense, I see pfSense just relaying the DoS attack in its entirety to the web server.

      Thanks,

      Shahid

SysIT

For the most part, you can't stop DoS or DDoS attacks yourself; it is something your ISP needs to do, because usually the attack is all about bandwidth with UDP packets.

So unless you have a massive connection (1Gb or more), there is little you can do about it.

You can block UDP packets and also set your HTTP/HTTPS hosted sites to synstate in the advanced settings of your firewall rules; this will help with TCP:S (SYN attack) packets.

        ¸,ø¤°`°¤ø,¸© Poor Planning On Your Part Does Not Constitute An Emergency On My Part ©¸,ø¤°`°¤ø,¸
        ¸,ø¤°`°¤ø,¸© The trouble with life is there’s no background music ©¸,ø¤°`°¤ø,¸
        ¸,ø¤°`°¤ø,¸© Life isnt short, you're just dead for too long©¸,ø¤°`°¤ø,¸

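As an added illustration (not part of this thread, and not pfSense's own generated rule text): the Advanced Options ssheikh lists, together with the synproxy setting SysIT mentions, are front-ends for pf state options. The rule below is written by hand to approximate what a pfSense pass rule for a forwarded web server would produce with all of those options set. `$wan` and `$web_srv` are assumed macros and every number is a constructed example; pfSense's generated ruleset uses a table named `virusprot` for sources that exceed the limits, and that name is used here on that basis.

```pf
# Constructed example: one pass rule for a NAT-forwarded web server with
# every state-limiting option filled in. Sources that exceed a per-host
# limit are added to <virusprot> and all their states are flushed.
table <virusprot> persist

# pfSense generates a block for this table itself; shown here so the
# example is complete as a pf ruleset.
block in quick on $wan from <virusprot> to any

pass in quick on $wan proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA synproxy state \
    ( max 2000,                             \   # "Maximum state entries this rule can create"
      source-track rule,                    \   # required for the per-host limits below
      max-src-nodes 500,                    \   # "Maximum number of unique source hosts"
      max-src-conn 10,                      \   # "Maximum number of established connections per host"
      max-src-states 20,                    \   # "Maximum state entries per host"
      max-src-conn-rate 15/5,               \   # "Maximum new connections / per second(s)": 15 per 5 s
      overload <virusprot> flush global,    \   # offenders go into the table; their states are dropped
      tcp.established 3600 )                    # "State Timeout in seconds" for established TCP
```

`synproxy state` makes pf complete the three-way handshake on the client's behalf, so a SYN flood never creates a state or reaches the web server; it only applies to TCP and only when pf sees both directions of the connection. The per-host limits cap how much of the state table and of the backend's connection capacity a single source can consume, and `max` caps the rule as a whole. None of this does anything about a bandwidth flood, which is SysIT's point: packets that fill the WAN link are dropped upstream or not at all. To see the resulting rule and who has tripped the limits, `pfctl -sr` prints the loaded rules and `pfctl -t virusprot -T show` lists the table's current entries.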
cmb

Yes, that's true. One person's DoS is lower than another person's average traffic; we don't put restrictions on things because it's impossible to do so in a way that's suitable for even a majority of people, much less everyone.

SysIT

That's the issue, and that is why Prolexic and Neustar are in business: let someone else worry about it, if you can afford it.
