Using advanced options in pf rules to prevent deny of service

  • Here are some fixes do use advanced rule options to limit connections per second or max connections on your firewall without blocking your clients for two hours.

    As I found in google, if you enable connections limits on your rules (advanced button) and a client reach this limit, pfsense will block this client for an hour(or two).

    But if i want just to limit these connections, not blocking it 'for ever' what can you do?

    The answer is:
    First, install crontab package to help changes.

    then, open services -> crontab

    change line
    */60   *   *   *   *   root   /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot


    • *   *   *   *   root   /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot
      */2   *   *   *   *   root   /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot

    The "-t 120" means block ip for two minutes, of course, you can change it to fit your needs.

    After this, you can limit connections on your pfsense(eg. 10 per second  or 200 per ip or both).
    if it reaches that limit, in 02 minutes your client can connect again.

    But if you do not need to free blocked ip, you can change virusprot and sshlockout crontab  rule to check correctly if the default time '-t 3600' has reached.

    The default rule checks every hour if the blocked ip has been blocked for 60 minutes. But if the ip address is blocked for 59 minutes when cron runs, it will take another 60 minutes to unblock it.

    Consider a very huge firewall with these rules, if you wait 120 minutes to remove an ip from list you could get a very long list.
    if you check every minute or every 5 minutes, you will check a smaller list.

    With these change, you can setup a very huge dynamic rules that prevents DOS without any extra package.
    Of course Snort, modproxy, and other security tools will improve security on your firewall.

    I've tested on Pfsense 1.2.3 and 2.0

    Marcello Coutinho

Log in to reply