Set pf.conf with pfsense



  • Hi all,
    how can I set the pfSense config the same as in pf.conf?
    I want to detect and protect against DoS attacks with pfSense. Please help me: what do I change in it?

    Thanks



  • Which pf.conf config are you looking to replicate in pfSense?  Most options are available, but without knowing what you would do in pf.conf for your problem, I'm not sure anyone is going to have the right answer first time.

    –Bill



  • I want to set a max connection count per IP to stop DoS attacks.
    In pfSense, what option is used to stop DoS attacks (SYN flood and TCP flood)?



  • FIREWALL -> Rules:
    Edit a firewall rule, scroll down to "Advanced Options" and click on the "advanced" button.
    There is: "Maximum number of established connections per host"

    Is this what you are looking for?



  • Yes, it's right, but only in pfSense 2. Thanks for the answer.

    But I have a problem: when it limits connections, pfSense blocks my IP and does not allow me to view the site. How do I allow a blocked IP?



  • Add a firewall rule above the one limiting the connections. This rule should allow access from your IP.

    Firewall rules are matched from the top down.



  • Thanks for the answer, but my problem is the time an IP stays blocked in the block table.
    I found the answer in these forums, thanks all.

    -----------------------------
    The answer is:
    First, install the crontab package to help with the changes.

    then, open services -> crontab

    change line
    */60    *    *    *    *    root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot

    to

    *    *    *    *    *    root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot
    or
    */2    *    *    *    *    root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot

    The "-t 120" means the IP is blocked for two minutes; of course, you can change it to fit your needs.

    After this, you can limit connections on your pfSense (e.g. 10 per second, or 200 per IP, or both).
    If a client reaches that limit, it can connect again after 2 minutes.

    But if you do not need to free blocked IPs, you can change the virusprot and sshlockout crontab rules to check correctly whether the default time '-t 3600' has been reached.

    The default rule checks every hour whether the blocked IP has been blocked for 60 minutes. But if the IP address has been blocked for 59 minutes when cron runs, it will take another 60 minutes to unblock it.

    Consider a very large firewall with these rules: if you wait 120 minutes to remove an IP from the list, you could get a very long list.
    If you check every minute or every 5 minutes, you will check a smaller list.

    With these changes, you can set up very large dynamic rules that prevent DoS without any extra package.
    Of course Snort, modproxy, and other security tools will improve security on your firewall.

    I've tested this on pfSense 1.2.3 and 2.0.
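Worked example added here (not from the thread or from pfSense) of the timing argument in the quoted answer: it parses the expiretable crontab lines above and computes the worst-case time an address stays in the virusprot table, which is the -t value plus one cron interval. The function names, and the assumption that the minute field is "*" or "*/N" and that -t is in seconds, are mine.

```shell
# Added example, not from the thread: parse a pfSense expiretable cron line and
# work out the longest an address can sit in the virusprot table before the
# next expiretable run removes it. Assumes the minute field is "*" or "*/N"
# and that -t is in seconds (the unit used on the lines quoted above).

# cron_interval_minutes LINE -> minutes between runs (from the minute field)
cron_interval_minutes() {
    minute=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$minute" in
        '*')   echo 1 ;;
        '*/'*) echo "${minute#"*/"}" ;;
        *)     echo "unsupported minute field: $minute" >&2; return 1 ;;
    esac
}

# expiretable_timeout LINE -> the seconds passed to expiretable -t
expiretable_timeout() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-t") print $(i + 1) }'
}

# worst_case_block_seconds LINE -> an entry added just after one cron run must
# first age to -t seconds and then wait for the next run, so up to t + interval.
# With the default line that is 3600 + 3600 = 7200 s, the "120 minutes" above.
worst_case_block_seconds() {
    interval=$(cron_interval_minutes "$1") || return 1
    timeout=$(expiretable_timeout "$1")
    echo $(( timeout + interval * 60 ))
}

# The three crontab lines quoted in the thread, constructed here as sample input
DEFAULT='*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot'
EVERY_MIN='* * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot'
EVERY_2MIN='*/2 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot'

for line in "$DEFAULT" "$EVERY_MIN" "$EVERY_2MIN"; do
    printf '%5ss worst case (-t plus a %s-minute cron gap): %s\n' \
        "$(worst_case_block_seconds "$line")" "$(cron_interval_minutes "$line")" "$line"
done
```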

