PF pf help

roundkat


I run a DNS server that gets amplification attacks on occasion.
The server does log queries and such.
Not a resource issue but weeding out all the attacks would be helpful.

BIND does have rate limiting, but it still writes to the log files (query and named).

I can easily tail the named.log and get the rate limited IPs and then add them to
a table but figured I would start with a single ip to make sure my pf.conf is correct.

The pf.conf I have works for the basics for updating FreeBSD versions and packages.

It doesn't however block the bad-ip so I must be missing something simple here.

******
Server - FreeBSD 11.2-RELEASE-p14
rc.conf
Code:
pf_enable="YES"                 # Enable PF (load module if required)
pf_flags=""                     # additional flags for pfctl startup
# pf_rules="/etc/pf.conf"         # rules definition file for PF (default when unset)
correct pf.conf
Code:
ext_if="vmx0"
tcp_services = "{ ssh, domain, smtp, www, https }"
udp_services = "{ domain, ntp }"
set skip on lo0                                # no filtering on loopback
scrub in all
table <rate> persist                           # filled from the named.log via pfctl -t rate -T add
block in log all                               # default deny inbound, logged to pflog0
block in quick on $ext_if from <rate> to any   # quick: a table hit ends rule evaluation here
pass in proto tcp to any port $tcp_services keep state
pass out proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state
pass inet proto icmp from localhost to any keep state
pass inet proto icmp from any to ($ext_if) keep state
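One way to do the "tail named.log, pull out the rate-limited IPs, add them to the table" step described above, written as an added shell example that is not code from the original post. It assumes the <rate> table from the pf.conf, the BIND rate-limit log format quoted in the thread, and pfctl's -T add; the log lines inside it are constructed samples.

```sh
#!/bin/sh
# Constructed sample of named.log lines in the format shown in the thread.
# Addresses and names are placeholders, not real log data.
SAMPLE_LOG='09-Oct-2019 02:27:38.132 rate-limit: info: client @0x806ff7800 111.27.27.93#50005 (my.domain): rate limit slip response to 111.27.27.0/24 for my.domain IN ANY  (fa166c74)
09-Oct-2019 02:27:43.445 queries: info: client @0x806ff7800 111.27.27.93#50006 (my.domain): query: my.domain IN ANY -E(0) (my.ip.address)
09-Oct-2019 02:27:44.010 rate-limit: info: client @0x806ff7800 111.27.27.93#50007 (my.domain): rate limit drop response to 111.27.27.0/24 for my.domain IN ANY  (fa166c74)
09-Oct-2019 02:27:45.200 rate-limit: info: client @0x806ff7801 203.0.113.7#41234 (my.domain): rate limit slip response to 203.0.113.0/24 for my.domain IN ANY  (1a2b3c4d)'

# rate_limited_clients: read named log lines on stdin and print each distinct
# client address that BIND rate-limited (slip or drop), one per line.
# Only "rate-limit:" lines count; ordinary "queries:" lines are ignored.
rate_limited_clients() {
    awk '
        / rate-limit: / {
            # The client address is the "addr#port" token after "client";
            # scan for it so the "@0x..." handle does not have to be present.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9A-Fa-f.:]+#[0-9]+$/) {
                    ip = $i
                    sub(/#[0-9]+$/, "", ip)        # strip the source port
                    if (!(ip in seen)) { seen[ip] = 1; print ip }
                    break
                }
            }
        }'
}

# add_to_pf_table: add every address read on stdin to a pf table (default
# <rate>, matching the pf.conf above).  With DRY_RUN set, print the pfctl
# command instead of running it (the real command needs root).
add_to_pf_table() {
    table=${1:-rate}
    while read -r ip; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf 'pfctl -t %s -T add %s\n' "$table" "$ip"
        else
            pfctl -t "$table" -T add "$ip"
        fi
    done
}

# Demo (dry run).  On the server, unset DRY_RUN and feed the real log instead:
#   rate_limited_clients < named.log | add_to_pf_table rate
DRY_RUN=1
printf '%s\n' "$SAMPLE_LOG" | rate_limited_clients | add_to_pf_table rate
```

Keep in mind that the source addresses in an amplification attack are usually spoofed victims, so an address from the rate-limit log may belong to the target rather than the attacker, and blocking it in pf cuts that victim off from your zones. Entries added this way should therefore be aged out, e.g. periodically with pfctl -t rate -T expire <seconds>.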
 

roundkat


I had posted the wrong pf.conf...
------------------------------
Edit:
Here is what I am seeing from the pf.conf.
Code:
Wed Oct 09 02:27:12 ~
root@ #pfctl -t rate -T show | grep 111.27.27.93
   111.27.27.93

Rate limit log entry

09-Oct-2019 02:27:38.132 rate-limit: info: client @0x806ff7800 111.27.27.93#50005 (my.domain): rate limit slip response to 111.27.27.0/24 for my.domain IN ANY  (fa166c74)
Query log entry
09-Oct-2019 02:27:43.445 queries: info: client @0x806ff7800 111.27.27.93#50006 (my.domain): query: my.domain IN ANY -E(0) (my.ip.address)
Not sure what I am missing.
 

SirDice

Administrator

I run a DNS server that gets amplification attacks on occasion.
Fix the issue on your DNS server. Don't allow recursive queries from the internet. If you're not hosting an authoritative domain then don't allow queries from the internet at all.
 

roundkat


DNS server is authoritative for a few domains.

named.conf - only allow for our subnets
options section
Code:
 allow-recursion { our-nets; };
Here is a dig from my personal server (doing a dig for another domain that is authoritative on my.dns-server.com)
Code:
; <<>> DiG 9.12.4-P1 <<>> @my.dns-server.com ns authoritative-domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55746
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
Thx
 

roundkat


tcpdump -n -e -ttt -i pflog0
Doesn't match any rules...
Code:
00:00:00.002350 rule 0/0(match): block in on vmx0: 111.27.27.94.50005 > My-dns-server-IP.53: 16263 [1au] ANY? MY.DOMAIN. (36)
Still looking for an answer...

thx
 