PF Firewall and other AntiDDoS measures


On 28/12/2017 at 12:57 PM, monarchis2 said:

I'm getting kicked out after char selection.

Check this one:


# pf config by Tim Niederhausen

# Change the value to reflect your public interface. You can see this with ifconfig.
ext_if="vtnet0"

# Ports used for services
service_ports="{ 46825, 3306, 41144, 30033, 10011 }"

udp_ports="{ 9987 }"

# Ports used by Metin2
game_ports="{ 11002, 13000, 13001, 13002, 13099 }"

# IP addresses that should override the firewall rules, such as your web server.
# They skip every rule and limit below, so list only hosts you control.
table <trusted_hosts> const { 208.167.241.190, 208.167.241.185, 208.167.241.186, 208.167.241.183, 208.167.241.189, 108.61.78.147, 108.61.78.148, 108.61.78.149, 108.61.78.150 }

# Filled by the overload option in the rules below. "persist" keeps the table across reloads;
# entries never expire on their own, so age them out with "pfctl -t abusive_hosts -T expire <seconds>".
table <abusive_hosts> persist

# Drop blocked packets silently instead of answering with RST / ICMP unreachable
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalise fragments and TCP segments, clear the DF bit, randomise IP ids
scrub on $ext_if reassemble tcp no-df random-id

# Drop packets whose source address could not legitimately arrive on that interface
antispoof quick for { lo0 $ext_if }

# Default deny for everything inbound; the rules below punch the holes
block in

pass out all keep state
pass out on $ext_if all modulate state

pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

# Ping is not allowed in. This only restates the default "block in" above;
# change it to "pass in" if you want echo requests answered.
block in inet proto icmp all icmp-type echoreq

# Rate limits, trial and error
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

# max-src-conn and max-src-conn-rate only count completed TCP handshakes, so they never trigger
# for UDP (and overload never fires). max-src-states is the limit that applies to UDP: it caps
# the number of simultaneous states one source may hold.
pass in on $ext_if proto udp to any port $udp_ports keep state (max-src-states 30)

pass in on $ext_if proto tcp to any port $game_ports flags S/SA keep state (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

 

This one was working on my old server; see if it works for you...

Don't forget to edit the IPs and the ports. I had those IPs because of my TeamSpeak 3 server...


On 2/4/2014 at 7:41 AM, Shogun said:

Update April 2020

I have modified the rules to allow ipv6 connections, and added some comments.

Hello,

As I had just posted the file without any explanation of it, which is not really useful unless you are already familiar with pf, I have added a little tutorial.

This is a sample pf.conf file that you can use as a base to create your own for your Metin2 FreeBSD server. As you can see it was originally made by Tim and I have used it ever since on my server.

If you host your website on a different IP address than your game server, it's a good idea to add its IP to the trusted_hosts table (you can safely remove the dummy address that I placed there). Any host that you want to have "free access", that is, skip firewall rules, should be added there. IP addresses must be separated by commas.

Only the ports that you specify under service_ports and game_ports will be open. service_ports should generally include your SSH port, and 80 if you are running a web server.

We also apply packet scrubbing and a limit on the number of connections, both measures helpful against certain types of attacks.

This configuration allows UDP so that ServerCheck works, but it is a good idea to block UDP completely; you may then need to change the login screen if you use a standard login so it doesn't show your channels as offline.

# pf config by Shogun on 4th April 2020
# This is a minimalistic configuration with basic rate limiting

# Change the value to reflect your public interface. You can see this with ifconfig.

ext_if="igb0"

# A custom list with ports used for services (ssh, http, https) - we can also name them as per /etc/services
# instead of using numbers. The commented out line would do the same as the previous one.

service_ports="{ 22, 80, 443 }"
#service_ports="{ ssh, http, https }"

# Another custom list with ports used by Metin2 (these numbers are just an example, replace with all your
# auth and game ports. db does not need to be publicly accessible)

game_ports="{ 11002, 13001, 13002, 13003, 13004, 13099 }"

# IP addresses that should override the firewall rules, such as your web server. They skip every
# rule and limit below, so list only hosts you control (the two addresses here are examples).
# If you have many IP addresses to whitelist, you can keep them in a text file instead, one IP per line.
# Unless you have a static IP, it's not a good idea to place your own IP address here.

table <trusted_hosts> const { 83.122.73.44, 8.8.8.8 }
# table <trusted_hosts> persist file "/var/db/trusted_hosts"

# Filled by the overload option in the rules below. "persist" keeps the table across rule reloads;
# entries never expire on their own, so inspect it with "pfctl -t abusive_hosts -T show" and age
# them out with "pfctl -t abusive_hosts -T expire <seconds>" (for example from cron).
table <abusive_hosts> persist

# we drop blocked packets instead of returning them, as that would make us vulnerable to a RST flood
# (flooding your own outbound connection responding to blocked packets)
set block-policy drop
# Set the interface we want to log
set loginterface $ext_if
# Do not process localhost connections
set skip on lo
# Sanitize packets: "reassemble tcp" normalises TCP segments (the keyword takes "tcp" as its
# argument), no-df clears the don't-fragment bit, random-id randomises IP ids
scrub on $ext_if reassemble tcp no-df random-id

# Drop spoofed packets, for both address families since there are IPv6 rules below
antispoof for { $ext_if } inet
antispoof for { $ext_if } inet6

# Default deny for everything inbound, logged to pflog0
block log in

pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

# Allow ping in
pass in inet proto icmp all icmp-type echoreq

# IPv6 neighbour discovery must be allowed in, otherwise the upstream router cannot resolve this
# host's link-layer address and the inet6 rules below are never reached. Echo requests as for IPv4.
pass in inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, echoreq }

# Allow connecting to our service and game ports as defined at the beginning of the file.
# IP addresses with excessive connections will be blocked and placed in abusive_hosts table.
# We are allowing only TCP connections on service ports, whereas we allow UDP and TCP for Metin2.
# UDP is a potential risk for DDoS attacks and Metin2 only uses UDP to verify channel state
# in the login screen, so you can safely block it by deleting the two "proto udp" rules.

# If you want the packets dropped instead of banning the IP, remove the ", overload <abusive_hosts> flush" part.
# "flush" kills the offender's existing states created by this rule; add "global" after flush to kill
# all of its states regardless of rule. New connections from it are already refused on every port
# by the "block in quick from <abusive_hosts>" rule above.

# Please note that by itself, this offers very limited protection against all but the most basic and primitive
# attacks. Don't expect this script to protect you from crafty attackers.

# A rule may continue on the next line only with a trailing backslash.
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
pass in on $ext_if proto tcp to any port $game_ports flags S/SA keep state \
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
# max-src-conn and max-src-conn-rate only count completed TCP handshakes, so on a UDP rule they
# never trigger and overload never fires. max-src-states is the limit that does apply to UDP:
# it caps the simultaneous states a single source may hold.
pass in on $ext_if proto udp to any port $game_ports keep state (max-src-states 64)

# Same for ipv6. The rules above carry no "inet" keyword and therefore already match both
# address families; these explicit inet6 copies are kept for clarity.
pass in on $ext_if inet6 proto tcp to any port $service_ports flags S/SA keep state \
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
pass in on $ext_if inet6 proto tcp to any port $game_ports flags S/SA keep state \
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
pass in on $ext_if inet6 proto udp to any port $game_ports keep state (max-src-states 64)

# Let outbound connections through. Keep state means that the connection doesn't need to be
# processed again by the firewall every time there is a packet sent back and forth. pf keeps
# state for UDP and ICMP too (as pseudo-connections matched on addresses and ports), so replies
# to outbound UDP are matched by state in the same way.

pass out all keep state
pass out on $ext_if all modulate state

 

 

What rule can be written so that these ports can be accessed only by IP?

ports: 22 & 3306

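The `block log in` line in the quoted ruleset sends every dropped packet to pflog0, and that log sees exactly what the overload counters cannot: max-src-conn-rate only counts completed TCP handshakes, so UDP floods and SYN-only floods never feed the abusive_hosts table. The script below is an added example, not code from the thread or from Shogun's pf.conf: a POSIX shell script that reads pflog text as printed by `tcpdump -n -e -ttt`, counts blocked packets per source and destination port, and emits `pfctl -t abusive_hosts -T add` commands for sources above a threshold. The log lines, addresses, interface name `igb0` and threshold are constructed for illustration, and `SAMPLE_PFLOG`, `top_blocked_sources` and `ban_commands` are names chosen here.

```shell
#!/bin/sh
# Triage of what pf's "block log in" dropped, done offline from pflog text.
# Added example; not part of the thread and not from the posted pf.conf.
# Input is what tcpdump(8) prints for pflog records with
#   tcpdump -n -e -ttt -r /var/log/pflog      (or -i pflog0 for a live view)
# The sample below is constructed: addresses, ports, the interface name igb0
# and the packet counts are illustrative only.

SAMPLE_PFLOG='00:00:00.000000 rule 3/0(match): block in on igb0: 203.0.113.7.51000 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.120000 rule 3/0(match): block in on igb0: 203.0.113.7.51001 > 198.51.100.10.22: Flags [S], seq 2, win 65535, length 0
00:00:00.050000 rule 3/0(match): block in on igb0: 203.0.113.7.51002 > 198.51.100.10.22: Flags [S], seq 3, win 65535, length 0
00:00:00.010000 rule 3/0(match): block in on igb0: 203.0.113.7.51003 > 198.51.100.10.22: Flags [S], seq 4, win 65535, length 0
00:00:00.400000 rule 3/0(match): block in on igb0: 198.51.100.77.40000 > 198.51.100.10.3306: Flags [S], seq 9, win 65535, length 0
00:00:00.300000 rule 3/0(match): block in on igb0: 192.0.2.200.6000 > 198.51.100.10.9987: UDP, length 40
00:00:00.300000 rule 3/0(match): block in on igb0: 192.0.2.200.6001 > 198.51.100.10.9987: UDP, length 40
00:00:00.200000 rule 3/0(match): block in on igb0: 2001:db8::bad.5555 > 2001:db8::10.13001: Flags [S], seq 7, win 65535, length 0
00:00:00.250000 rule 3/0(match): block in on igb0: 192.0.2.9 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
00:00:00.000500 rule 6/0(match): pass in on igb0: 198.51.100.77.40001 > 198.51.100.10.13001: Flags [S], seq 5, win 65535, length 0'

top_blocked_sources() {
    # usage: top_blocked_sources THRESHOLD < pflog-text
    # Prints "source_ip dest_port hits" for every source with at least THRESHOLD
    # packets blocked towards one destination port, most hits first. Counting
    # blocked packets complements the kernel's max-src-conn-rate, which only
    # sees completed TCP handshakes and so never sees UDP or SYN-only floods.
    awk -v thr="${1:-10}" '
        /\): block in on / {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
            if (src == "") next
            sub(/:$/, "", dst)
            if ($0 ~ /: ICMP/) {
                sip = src; dport = "icmp"               # no ports on ICMP lines
            } else {
                sip = src;  sub(/\.[0-9]+$/, "", sip)   # tcpdump prints addr.port
                dport = dst; sub(/.*\./, "", dport)     # for IPv4 and IPv6 alike
            }
            hits[sip " " dport]++
        }
        END { for (k in hits) if (hits[k] >= thr) print k, hits[k] }
    ' | sort -k3,3rn -k1,1
}

ban_commands() {
    # usage: ban_commands [TABLE] < "ip port hits" lines
    # One pfctl command per offending source; pipe the output into sh to apply.
    # The table never expires by itself: pfctl -t TABLE -T expire 86400 ages it.
    awk -v tbl="${1:-abusive_hosts}" '!seen[$1]++ { print "pfctl -t " tbl " -T add " $1 }'
}

if [ -n "${PFLOG_FILE:-}" ] && [ -r "$PFLOG_FILE" ]; then
    # real run, e.g.  PFLOG_FILE=/var/log/pflog THRESHOLD=50 sh pflog_triage.sh | sh
    tcpdump -n -e -ttt -r "$PFLOG_FILE" | top_blocked_sources "${THRESHOLD:-50}" | ban_commands
else
    printf '%s\n' "$SAMPLE_PFLOG" | top_blocked_sources 3
    printf '%s\n' "$SAMPLE_PFLOG" | top_blocked_sources 3 | ban_commands
fi
```

On the constructed sample only 203.0.113.7 crosses the threshold of 3 (four SYNs to port 22); the UDP source on 9987, the IPv6 source and the ICMP probe are counted but stay below it, and the `pass` record is ignored. Sources banned this way land in the same persist table as the overload rule's victims, so the same `-T expire` job cleans both up.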

As long as you're blocking connections by default (block all or block in all should be your first rule) then you can just do this

 

table <trusted_hosts> const { youriphere,anotherip }

 

Pay attention to my example file to see where it's placed.

 

6 minutes ago, Shogun said:

As long as you're blocking connections by default (block all or block in all should be your first rule) then you can just do this

 

table <trusted_hosts> const { youriphere,anotherip }

 

Pay attention to my example file to see where it's placed.

 

 

pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state 
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)
pass in on $ext_if proto {tcp,udp} to any port $game_ports flags S/SA keep state 
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)

With service_ports anyone can connect within a certain limit. I just want them to be accessible by IP.


If you only want certain IPs to access those ports then either delete this rule:

pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state 
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)

(Or if you still want some of the service_ports to be publicly accessible just delete the ones you want to restrict from the service_ports list)

 

And then add the IP or IPs you want to allow in the trusted_hosts table. Those IPs are trusted so they can access any port regardless of rules.

 

That said, this is not the best way to secure either ssh or mysql, which should be done with SSH keys (and maybe changing the port to avoid the log spam from bruteforce attempts) and in MySQL, by binding the address to localhost and then using the SSH Tunnel option in Navicat instead of connecting directly to the port.

49 minutes ago, Shogun said:

If you only want certain IPs to access those ports then either delete this rule:


pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state 
        (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)

(Or if you still want some of the service_ports to be publicly accessible just delete the ones you want to restrict from the service_ports list)

 

And then add the IP or IPs you want to allow in the trusted_hosts table. Those IPs are trusted so they can access any port regardless of rules.

 

That said, this is not the best way to secure either ssh or mysql, which should be done with SSH keys (and maybe changing the port to avoid the log spam from bruteforce attempts) and in MySQL, by binding the address to localhost and then using the SSH Tunnel option in Navicat instead of connecting directly to the port.

I want to allow a single port for one host, e.g. one host IP accessing port 3306.

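Shogun's suggestion gives the admin addresses a `pass in quick` on every port and every limit. When the goal is only SSH from a few addresses, and a single host reaching 3306 as asked here, a narrower ruleset is better: a separate table that is allowed on port 22 only, and no public rule for 3306 at all, reaching MySQL through the SSH tunnel the previous answer recommends. The script below is an added example, not part of the thread; it writes such a ruleset to a file, checks it with `pfctl -nf` when pfctl is installed, verifies with plain grep that port 22 is reachable only from the table and that 3306 is not opened, and loads it only when `PF_APPLY=1` is set. The interface `igb0`, the addresses in `admin_hosts`, the rate limits, the file path and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Restrict SSH to a named table instead of giving those addresses a blanket
# bypass, and keep MySQL off the public interface entirely. Added example, not
# from the thread. The interface igb0, the addresses in admin_hosts, the rate
# limits, the file path and all helper names are assumptions for illustration.

PF_CONF="${PF_CONF:-/tmp/pf.admin.conf}"

write_admin_rules() {
    # usage: write_admin_rules FILE   (writes a complete, loadable ruleset)
    cat > "$1" <<'EOF'
ext_if="igb0"

# Administrative addresses (constructed). "persist" keeps the table even when
# no rule references it, so members can be changed live without a reload:
#   pfctl -t admin_hosts -T add 198.51.100.5
#   pfctl -t admin_hosts -T delete 198.51.100.5
table <admin_hosts> persist { 192.0.2.10, 198.51.100.5 }
table <abusive_hosts> persist

set block-policy drop
set skip on lo
scrub on $ext_if reassemble tcp no-df random-id
antispoof quick for $ext_if

# Default deny, logged; the rules below punch the holes.
block log in
block in quick from <abusive_hosts>

# SSH only from admin_hosts, and still rate limited, so a compromised admin
# workstation cannot open unlimited sessions.
pass in on $ext_if proto tcp from <admin_hosts> to ($ext_if) port 22 \
    flags S/SA keep state (max-src-conn 16, max-src-conn-rate 8/10, overload <abusive_hosts> flush)

# MySQL (3306) gets no inbound rule at all. Bind mysqld to 127.0.0.1 and reach
# it through an SSH tunnel instead:   ssh -L 3306:127.0.0.1:3306 admin@server
# (Navicat's "SSH tunnel" option does the same thing.)

# Public services keep the usual per-source limits.
pass in on $ext_if proto tcp to ($ext_if) port { 80, 443 } \
    flags S/SA keep state (max-src-conn 64, max-src-conn-rate 32/5, overload <abusive_hosts> flush)

pass out all keep state
EOF
}

pass_rules_for_port() {
    # usage: pass_rules_for_port FILE PORT
    # prints the "pass in" lines that open PORT, written as "port N" or inside a "{ ... }" list
    grep -E "^pass in .*port (\{[^}]*[ ,])?$2([ ,}]|$)" "$1"
}

port_restricted_to() {
    # usage: port_restricted_to FILE PORT TABLE  -> 0 when PORT is opened only "from <TABLE>"
    rules=$(pass_rules_for_port "$1" "$2" || true)
    [ -n "$rules" ] || return 1
    printf '%s\n' "$rules" | grep -v "from <$3>" | grep -q . && return 1
    return 0
}

port_is_closed() {
    # usage: port_is_closed FILE PORT  -> 0 when no "pass in" rule opens PORT
    ! pass_rules_for_port "$1" "$2" | grep -q .
}

check_rules() {
    # usage: check_rules FILE  -> "pfctl -nf" parses without loading; skipped where pfctl is absent
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not installed here, syntax check of $1 skipped" >&2
    fi
}

write_admin_rules "$PF_CONF"
check_rules "$PF_CONF"
port_restricted_to "$PF_CONF" 22 admin_hosts && echo "port 22: admin_hosts only"
port_is_closed "$PF_CONF" 3306 && echo "port 3306: no inbound rule, use the SSH tunnel"

if [ "${PF_APPLY:-0}" = "1" ]; then
    pfctl -f "$PF_CONF"                       # load the ruleset
    pfctl -t admin_hosts -T show              # who may reach SSH right now
    pfctl -t abusive_hosts -T expire 86400    # age out bans older than a day (run this from cron)
fi
```

The admin rule keeps its own overload clause on purpose: an address in `admin_hosts` that starts hammering port 22 is moved into `abusive_hosts`, and the `block in quick from <abusive_hosts>` line then wins over the table membership. A `pass in quick from <trusted_hosts>` placed before that block, as in the posted rulesets, would never let that happen.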

Hey there,

Due to having some issues with the old config I rewrote it with the help of some online resources. I have updated the OP with a newer version plus further help getting set up with it all. Comments welcome.
