Netgate Discussion Forum
    Using advanced options in pf rules to prevent deny of service

    marcelloc

      Here are some fixes to use advanced rule options to limit connections per second or max connections on your firewall without blocking your clients for two hours.

      As I found in Google, if you enable connection limits on your rules (advanced button) and a client reaches this limit, pfSense will block this client for an hour (or two).

      But if I want just to limit these connections, not block them 'for ever', what can you do?

      The answer is:
      First, install the crontab package to help with the changes.

      Then, open services -> crontab

      change the line
        */60   *   *   *   *   root   /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot

      to
        *   *   *   *   *   root   /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot

      or
        */2   *   *   *   *   root   /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot

      The "-t 120" means block the IP for two minutes; of course, you can change it to fit your needs.

      After this, you can limit connections on your pfSense (e.g. 10 per second or 200 per IP, or both).
      If it reaches that limit, in 2 minutes your client can connect again.

      But if you do not need to free blocked IPs, you can change the virusprot and sshlockout crontab rules to check correctly whether the default time '-t 3600' has been reached.

      The default rule checks every hour if the blocked IP has been blocked for 60 minutes. But if the IP address has been blocked for 59 minutes when cron runs, it will take another 60 minutes to unblock it.

      Consider a very huge firewall with these rules: if you wait 120 minutes to remove an IP from the list, you could get a very long list.
      If you check every minute or every 5 minutes, you will check a smaller list.

      With these changes, you can set up very large dynamic rules that prevent DoS without any extra package.
      Of course Snort, modproxy, and other security tools will improve security on your firewall.

      I've tested on pfSense 1.2.3 and 2.0.

      Regards,
      Marcello Coutinho

      Elite Training: http://sys-squad.com

      Help a community developer! ;D
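To put numbers on the timing argument in the post above, here is an added Python simulation (not code from the post, pfSense or expiretable; it assumes cron fires exactly on the interval boundary and that a sweep drops every entry at least `-t` seconds old). It shows that the hourly sweep with `-t 3600` can leave an entry blocked for almost 120 minutes and, at the same block rate, keeps a table roughly 30 times larger than the 2-minute sweep with `-t 120`.

```python
import math

# Constructed model of expiretable run from cron against pf's virusprot
# table. Assumed: cron fires exactly on multiples of sweep_interval seconds,
# and a sweep drops every entry whose age is at least expire_age seconds
# (the "-t" value). Nothing here talks to pf; it is a timing model only.


def actual_block_time(block_at: int, sweep_interval: int, expire_age: int) -> int:
    """Seconds an entry added at block_at really stays in the table: it is
    eligible at block_at + expire_age but only the next sweep removes it."""
    eligible = block_at + expire_age
    removal = math.ceil(eligible / sweep_interval) * sweep_interval
    return removal - block_at


def worst_case_block_time(sweep_interval: int, expire_age: int) -> int:
    """Longest possible stay (entry becomes eligible just after a sweep)."""
    return max(actual_block_time(t, sweep_interval, expire_age)
               for t in range(sweep_interval))


def simulate_table(block_every: int, sweep_interval: int,
                   expire_age: int, duration: int) -> tuple[int, int]:
    """One client trips the limit every block_every seconds; sweeps run
    periodically. Returns (peak table size, longest time any entry stayed)."""
    table: list[int] = []          # block timestamps still in the table
    max_size = max_blocked = 0
    for t in range(duration + 1):
        if t > 0 and t % sweep_interval == 0:   # cron runs expiretable
            kept = []
            for b in table:
                if t - b >= expire_age:
                    max_blocked = max(max_blocked, t - b)
                else:
                    kept.append(b)
            table = kept
        if t % block_every == 0:                # new entry added by pf
            table.append(t)
        max_size = max(max_size, len(table))
    return max_size, max_blocked


if __name__ == "__main__":
    for interval, age in ((3600, 3600), (120, 120)):
        size, longest = simulate_table(10, interval, age, 4 * interval)
        print(f"sweep every {interval}s with -t {age}: worst case "
              f"{worst_case_block_time(interval, age)}s, peak table {size}, longest seen {longest}s")
```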

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.