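#!/usr/local/bin/bash
#
# Rate limits for securing a network
#
# Shapes (does NOT block) ICMP, UDP and IGMP sourced from the internal
# networks through dummynet pipes, and installs `count log` rules so that
# floods show up in the firewall log.  Nothing in this file denies traffic:
# the actual allow/deny policy must be loaded by a separate ruleset, and
# these rules only do anything on a host with ipfw and dummynet loaded.
#
# `log logamount N` stops logging a rule after N matches, so each logging
# rule's counter has to be reset periodically for logging to resume.  Put
# the following in root's crontab (rule numbers must match the ones below;
# `-q` already silences ipfw, the redirection only covers the last command):
#
# */5  * * * * /sbin/ipfw -q resetlog 00215; /sbin/ipfw -q resetlog 00315; /sbin/ipfw -q resetlog 00415 >/dev/null 2>&1
# */10 * * * * /sbin/ipfw -q resetlog 00216 >/dev/null 2>&1
# 0    * * * * /sbin/ipfw -q resetlog 00217; /sbin/ipfw -q resetlog 00317; /sbin/ipfw -q resetlog 00417 >/dev/null 2>&1
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
# April 2002
#

# Absolute path, matching the crontab above: this runs as root, so PATH must
# never decide which ipfw binary gets executed.
readonly IPFW=/sbin/ipfw

# Address ranges treated as "internal".  The rate-limit pipes apply to traffic
# sourced from these, the logging rules to traffic destined to them.
readonly INTERNAL_NETS=(10.0.0.0/24 10.10.10.192/27)

#
# Pipe definitions
#
# Every pipe is configured before any rule refers to it.  dummynet drops a
# packet handed to a pipe that does not exist, so the original add-then-config
# order had a short window of silent drops on a fresh load.  Pipe numbers are
# kept as they were (3 is unused) so `ipfw pipe show` output does not change.
"$IPFW" pipe 1 config bw 5Kbit/s   queue 5Kbytes    # ICMP fragments
"$IPFW" pipe 2 config bw 10Kbit/s  queue 10Kbytes   # all other ICMP
"$IPFW" pipe 4 config bw 40Kbit/s  queue 10Kbytes   # UDP fragments
"$IPFW" pipe 5 config bw 40Kbit/s  queue 20Kbytes   # all other UDP
"$IPFW" pipe 6 config bw 200Kbit/s queue 20Kbytes   # DNS and NTP
"$IPFW" pipe 7 config bw 5Kbit/s   queue 5Kbytes    # IGMP fragments
"$IPFW" pipe 8 config bw 5Kbit/s   queue 5Kbytes    # all other IGMP

#
# ICMP rate limits and logging
#
# Rate limit icmp from any internal address to any external address.
for net in "${INTERNAL_NETS[@]}"; do
  "$IPFW" add 00210 pipe 1 icmp from "$net" to any frag
  "$IPFW" add 00211 pipe 2 icmp from "$net" to any
done

# Log icmp traffic.  Echo request/reply (8,0) get their own counter because
# they are by far the noisiest; the remaining assigned types are logged only
# when addressed to an internal network.
"$IPFW" add 00215 count log logamount 100 icmp from any to any frag
"$IPFW" add 00216 count log logamount 100 icmp from any to any icmptypes 8,0
for net in "${INTERNAL_NETS[@]}"; do
  "$IPFW" add 00217 count log logamount 50 icmp from any to "$net" \
    icmptypes 3,4,5,9,10,11,12,13,14,15,16,17,18
done

#
# UDP rate limits and logging
#
# DNS and NTP get a wider pipe of their own.  These rules must come BEFORE the
# generic UDP pipes (00310/00311): with net.inet.ip.fw.one_pass=1 (the FreeBSD
# default) a packet leaving a pipe is not re-evaluated by the firewall, so a
# DNS query that first matched 00311 would stay in the 40Kbit/s pipe.  The
# original numbered these 00312 (after the generic rules) and sent them to
# pipe 5, which left pipe 6 configured but never used.
#
# Caveat: this is port-based classification.  An internal host can pick source
# port 53 or 123 for arbitrary UDP traffic and receive the wider pipe; treat it
# as flood damping, not as a hard limit.  The NTP match also requires source
# port 123, so clients sending from an ephemeral port fall through to pipe 5.
"$IPFW" add 00309 pipe 6 udp from any 53 to any
"$IPFW" add 00309 pipe 6 udp from any to any 53
"$IPFW" add 00309 pipe 6 udp from any 123 to any 123

# Rate limit udp from any internal address to any external address.
for net in "${INTERNAL_NETS[@]}"; do
  "$IPFW" add 00310 pipe 4 udp from "$net" to any frag
  "$IPFW" add 00311 pipe 5 udp from "$net" to any
done

# Log udp traffic: fragments from anywhere, and DNS queries addressed to
# servers outside the internal networks.  Under one_pass=1 a packet already
# consumed by one of the pipes above never reaches these rules.
"$IPFW" add 00315 count log logamount 100 udp from any to any frag
for net in "${INTERNAL_NETS[@]}"; do
  "$IPFW" add 00317 count log logamount 50 udp from any to not "$net" 53
done

#
# IGMP rate limits and logging
#
# Rate limit igmp from any internal address to any external address.
for net in "${INTERNAL_NETS[@]}"; do
  "$IPFW" add 00410 pipe 7 igmp from "$net" to any frag
  "$IPFW" add 00411 pipe 8 igmp from "$net" to any
done

# Log igmp traffic.
"$IPFW" add 00415 count log logamount 100 igmp from any to any frag
for net in "${INTERNAL_NETS[@]}"; do
  "$IPFW" add 00417 count log logamount 50 igmp from any to "$net"
done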