I run a DNS server that gets amplification attacks on occasion.
The server does log queries and such.
Not a resource issue but weeding out all the attacks would be helpful.
Bind does have rate limiting but it still writes to the log files, query and named.
I can easily tail the named.log and get the rate limited IPs and then add them to
a table but figured I would start with a single ip to make sure my pf.conf is correct.
The pf.conf I have works for the basics for updating FreeBSD versions and packages.
It doesn't however block the bad-ip so I must be missing something simple here.
******
Server - FreeBSD 11.2-RELEASE-p14
rc.conf
Code:
pf_enable="YES"            # Enable PF (load module if required)
pf_flags=""                # additional flags for pfctl startup
# pf_rules="/etc/pf.conf"  # rules definition file for PF (this is the default)
Code:
ext_if="vmx0"
tcp_services = "{ ssh, domain, smtp, www, https }"
udp_services = "{ domain, ntp }"

set skip on lo0
scrub in all

# Persistent table of rate-limited clients; filled at runtime with
#   pfctl -t rate -T add <ip>
table <rate> persist

block in log all
# Drop anything from a listed client; "quick" ends rule evaluation on match
block in quick on $ext_if from <rate> to any

pass in proto tcp to any port $tcp_services keep state
pass out proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state
pass inet proto icmp from localhost to any keep state
pass inet proto icmp from any to ($ext_if) keep state
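A helper for the step described in the post (tailing named.log and feeding the rate-limited clients into the table), written here as an added example; it is not code from the post, from BIND or from pf. It assumes the table name <rate> from the pf.conf above, BIND client log lines of the shape shown in the constructed sample, and that a client's existing pf states have to be killed after the table update, since pf matches established states before it evaluates rules.

```shell
#!/bin/sh
# Added example: turn BIND rate-limit log lines into pf <rate> table entries.
# Assumed log shape (constructed sample below): "client [@0x...] IP#PORT (...): rate limit ..."
# After adding an address we also kill its states: a client with an open state
# would otherwise keep passing even though "block in quick ... from <rate>" lists it.

PF_TABLE="${PF_TABLE:-rate}"
PFCTL="${PFCTL:-pfctl}"   # set PFCTL=echo for a dry run

# Read named.log lines on stdin; print each rate-limited client address once,
# in order of first appearance (streams fine behind "tail -F").
extract_rrl_clients() {
    awk '/rate limit/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9A-Fa-f.:]+#[0-9]+$/) {   # the IP#port token
                sub(/#.*/, "", $i)
                if (!seen[$i]++) { print $i; fflush() }
                break
            }
    }'
}

# Add one address to the table, then drop its existing states.
block_client() {
    "$PFCTL" -t "$PF_TABLE" -T add "$1" && "$PFCTL" -k "$1"
}

# Constructed sample: two RRL drops from the same v4 client, one slip from a v6
# client, and one ordinary query line that must be ignored.
SAMPLE_LOG='05-Jan-2020 12:00:01.100 client @0x80213a000 192.0.2.1#53200 (example.com): rate limit drop all response to 192.0.2.0/24 for example.com IN ANY (00000000)
05-Jan-2020 12:00:01.200 client 192.0.2.1#53201 (example.com): rate limit drop all response to 192.0.2.0/24 for example.com IN ANY (00000000)
05-Jan-2020 12:00:02.000 client 2001:db8::5#4444 (example.org): rate limit slip response to 2001:db8::/56 for example.org IN TXT (00000000)
05-Jan-2020 12:00:03.000 client 198.51.100.7#5353 (example.net): query: example.net IN A -E(0) (203.0.113.1)'

# Run the extractor over the sample (expected: 192.0.2.1 then 2001:db8::5).
sample_clients() {
    printf '%s\n' "$SAMPLE_LOG" | extract_rrl_clients
}

# Live use:  tail -F /var/log/named.log | sh rrl2pf.sh --live
if [ "${1:-}" = "--live" ]; then
    extract_rrl_clients | while IFS= read -r ip; do block_client "$ip"; done
fi
```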