PF rules for httpd

Discussion in 'Firewalls' started by atmosx, Sep 15, 2012.

  1. atmosx

    atmosx New Member

    Hello,

    I am going to use FreeBSD with Nginx and a Ruby (unicorn) app. I cannot use jails. I have a fairly secure system, since I'm the only user who has access to it... No other users lying around.

    Nginx will not feature any POST form. Nginx is going to serve an Octopress blog, which features static content and some JavaScript. There's no login mechanism, since I do my changes locally and 'deploy' via SSH.

    Are there any PF rules that would help an httpd with possible break-in attempts and DOS attacks? If yes, can I see some examples to start getting ideas?

    thanks and best regards
     
  2. SirDice

    SirDice Moderator Staff Member Moderator

    PF works on layer 3/4. Almost all web-based attacks happen above layer 7, on the application. There's nothing in PF that can prevent an application-based attack.

    As for a DOS, you can rate-limit some of the connections, but with a proper DDoS your uplink will be completely saturated; no amount of filtering on your end of the pipe is going to change that.
     
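    The per-source limits SirDice refers to live on PF's stateful pass rules (max-src-conn, max-src-conn-rate, overload). The following pf.conf fragment is an added example for this thread, not rules posted by anyone in it; the interface name em0, the ports and the thresholds are assumptions to adjust for the actual host.

    ```pf
    # Added example: per-source connection limits for an nginx host.
    # Assumptions: external interface em0, nginx on 80/443, SSH on 22.
    ext_if = "em0"
    web_ports = "{ 80, 443 }"

    # Sources that exceed a limit below are added to this table.
    # "persist" keeps the table across rule reloads.
    table <abusers> persist

    set skip on lo0

    # Anything already flagged is dropped before further evaluation.
    block in quick on $ext_if from <abusers>

    # Default deny inbound; log so probes show up in pflog.
    block in log on $ext_if

    # SSH: at most 5 concurrent states per source and 5 new connections
    # per 30 seconds; a source exceeding that is tabled and its states flushed.
    pass in on $ext_if proto tcp to ($ext_if) port 22 \
        keep state (max-src-conn 5, max-src-conn-rate 5/30, \
                    overload <abusers> flush global)

    # Web: a static blog needs few connections per client, so cap
    # concurrent states and the connection rate per source address.
    pass in on $ext_if proto tcp to ($ext_if) port $web_ports \
        flags S/SA keep state (max-src-conn 100, max-src-conn-rate 40/5, \
                               overload <abusers> flush global)

    pass out on $ext_if keep state
    ```

    Load with pfctl -f /etc/pf.conf, and review the table with pfctl -t abusers -T show; a cron job running pfctl -t abusers -T expire 86400 releases entries older than a day. Two caveats: many legitimate clients behind one NAT address share a single source IP, so thresholds set too low will table real visitors, and, as noted above, none of this helps once the uplink itself is saturated.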
  3. atmosx

    atmosx New Member

    Hello,

    Rate limiting will work, I think. I'm not sure, but if httpd scripts use threads (meaning simultaneous connections) to get results ASAP, rate limiting is a good way to go.

    Thanks for the hint
     
  4. shitson

    shitson New Member

    Are DOS attacks a problem with your site, and what is your expected number of hits per day?
     
  5. atmosx

    atmosx New Member

    Hello, here are the rules that I currently use. There's a problem with dnsmasq though: it doesn't supply IPs to the local network, which might make sense... Maybe I should change that to *any* instead of *$lan*.

    My httpd should not exceed 100-150 hits per day. It now receives fewer than 50. DOS attacks, I think, are not a problem, because my website is not receiving hits/notoriety of any sort, so... I can hardly see it as a possible target for a botnet or something.