DoS prevention

  • Is it true that unless I explicitly define:

    • Maximum state entries this rule can create

    • Maximum number of unique source hosts

    • Maximum number of established connections per host

    • Maximum state entries per host

    • Maximum new connections / per second(s)

    • State Timeout in seconds

    in a firewall rule, that pfSense will not do any kind of DoS prevention on inbound NAT-ed ports (Port Forwarding)? In my lab when I flood a webserver NAT-ed behind pfSense, I see pfSense just relaying the DoS attack in its entirety to the web server.



  • For the most part, you can't stop DOS or DDoS attacks yourself, it is something your ISP needs to do because usually the attack is all about bandwidth with UDP packets.

    So unless you have a massive connection (1Gb or more) there is little you can do about it.

    You can block UDP packets and also set your HTTP / HTTPS hosted sites to synstate in the advanced settings of your firewall rules; this will help with TCP:S (SYN attack) packets.
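As an added illustration that is not part of this thread: the six rule fields listed in the question and the "synstate" setting mentioned in the reply above correspond to pf state options that pfSense writes into the generated pf.conf. The rules below (my own example, not pfSense's generated output) show those options on a pass rule for a port-forwarded web server; the interface name, the internal address, the table name and every numeric limit are placeholders chosen for illustration, and the mapping of "State Timeout" to `tcp.established` is my reading of the GUI rather than something the thread states.

```pf
# Added example (not from the thread): per-rule state limits on a forwarded
# web server. Interface, address, table name and numbers are placeholders.
ext_if  = "em0"
web_srv = "192.0.2.10"          # internal host behind the NAT (constructed)

# Source addresses that exceed a limit below are collected here.
table <flooders> persist

# Drop further traffic from any address already flagged as a flooder.
block in quick on $ext_if from <flooders> to any

# Allow the forwarded traffic, but cap what one source (and the rule as a
# whole) may consume. The state options map onto the GUI fields as follows:
#   max               -> Maximum state entries this rule can create
#   max-src-nodes     -> Maximum number of unique source hosts
#   max-src-conn      -> Maximum number of established connections per host
#   max-src-states    -> Maximum state entries per host
#   max-src-conn-rate -> Maximum new connections / per second(s)
#   tcp.established   -> State Timeout in seconds (assumed mapping)
# "synproxy state" makes pf complete the TCP handshake itself, so half-open
# connections from a SYN flood never reach the web server.
pass in quick on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA synproxy state \
    (max 2000, max-src-nodes 200, max-src-conn 30, max-src-states 50, \
     max-src-conn-rate 15/5, overload <flooders> flush global, \
     tcp.established 3600)
```

Without the parenthesised options a plain `keep state` rule has no per-source ceiling, which is what the question observes: every state the flood creates is relayed to the internal host until the global state table fills. With `overload <flooders> flush global`, a source that exceeds `max-src-conn` or `max-src-conn-rate` is added to the table and all of its existing states are flushed; the table can be inspected with `pfctl -t flooders -T show` and cleared with `pfctl -t flooders -T flush`. Sizing the limits is site-specific: a value that stops one flood will also reject legitimate clients behind a large shared NAT if set too low.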

  • Yes that's true. One person's DoS is lower than another person's average traffic, we don't put restrictions on things because it's impossible to do so in a means that's suitable for even a majority of people much less everyone.

  • That's the issue, and that is why Prolexic and Neustar are in business: let someone else worry about it, if you can afford it.
