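#!/usr/local/bin/bash
#
# Rate Limits for securing a network
#
# Installs ipfw count/log rules and dummynet pipes that cap ICMP, UDP and
# IGMP traffic to and from this host ("me"), so that a flood gets logged
# and bounded instead of saturating the box.  Everything here is a counter
# or a rate limit; nothing in this script denies traffic.
#
# The `log logamount N` rules stop logging after N entries until their
# counter is reset, so the crontab entries below are required -- without
# them logging silently stops after the first burst and later events go
# unseen:
# */10 * * * * /sbin/ipfw -q resetlog 196; /sbin/ipfw -q resetlog 210; /sbin/ipfw -q resetlog 230 >/dev/null 2>&1
# */30 * * * * /sbin/ipfw -q resetlog 197 >/dev/null 2>&1
# */60 * * * * /sbin/ipfw -q resetlog 198; /sbin/ipfw -q resetlog 211; /sbin/ipfw -q resetlog 231 >/dev/null 2>&1
# */60 * * * * /sbin/ipfw -q resetlog 199; /sbin/ipfw -q resetlog 212; /sbin/ipfw -q resetlog 232 >/dev/null 2>&1
# (`*/60` in the minute field only ever fires at minute 0, i.e. hourly;
#  `0 * * * *` is the conventional spelling.  The `>/dev/null 2>&1` on
#  each line applies to the last command only.)
#
# Rule numbering: the count/log rules (196-199, 210-212, 230-232) are
# numbered *below* the pipe rules (201-202, 220-222, 240-241) on purpose.
# With sysctl net.inet.ip.fw.one_pass=1 (recommended) a packet that enters
# a pipe is not re-injected into the ruleset, so rules after the pipe rule
# never see it; counting before the pipes keeps the logs complete.
#
# Usage: run as root.  The ipfw binary is taken from $IPFW (default
# /sbin/ipfw, the same path the crontab entries use) instead of being
# resolved through $PATH, so a root-run script cannot be steered to some
# other `ipfw`.  `IPFW=echo ./ratelimit.sh` prints the commands that
# would be issued, which is handy for reviewing a change.
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
#
# April, 2002 - Initial Version
# May 12, 2003 - Updated most rules and changed some of the limits to be more realistic.
# July 16, 2003 - per-prefix rate limits and 'me' rules, updated delete statements
# July 26, 2003 - updated logamount counts, switched around rule numbers so counts are *before* pipes
#               - this is needed if you have the sysctl set: net.inet.ip.fw.one_pass=1 (recommended)
#
# Review notes (details on the individual rules below):
# - every pipe uses `mask dst-ip 0xffffffff`, i.e. one dynamic queue per
#   destination address.  For "from any to me" that means all senders to a
#   given local address share one small queue, so a single flooder also
#   starves legitimate peers of that protocol: the limits protect the host,
#   not the conversation.
# - UDP with source port 53 is classified as DNS by rule 221 and is not
#   covered by the non-DNS log rules 211/212, so a sender can pick source
#   port 53 to get the larger pipe and avoid that logging.
# - the `me` rules apply to this host's own addresses only, not to traffic
#   forwarded through it (except the `any to any` rules 196/197/210/221/230).
#

set -u   # no -e: a missing rule on the delete pass is expected, see below

IPFW=${IPFW:-/sbin/ipfw}
readonly IPFW

die() { printf 'ratelimit: %s\n' "$*" >&2; exit 1; }

# Run one ipfw command quietly and abort if it is rejected.  A rate limit
# that silently failed to install is worse than a script that stops.
fw() {
  "$IPFW" -q "$@" || die "ipfw $* failed"
}

# Remove every rule number this script owns so that re-running it does not
# stack duplicate rules.  Deleting a rule that does not exist (first run)
# fails, and that is fine, so the status is ignored here.  Pipes are not
# deleted: `pipe config` below reconfigures them in place.
delete_stale_rules() {
  "$IPFW" -q delete 196 197 198 199 || :
  "$IPFW" -q delete 201 202 || :
  "$IPFW" -q delete 220 221 222 || :
  "$IPFW" -q delete 210 211 212 || :
  "$IPFW" -q delete 240 241 || :
  "$IPFW" -q delete 230 231 232 || :
}

# ICMP: log fragments and echo traffic generously, the other types sparingly,
# then push all ICMP to/from this host through two 5 Kbit/s pipes.
icmp_limits() {
  # --- counters / logs (rules 196-199, reset by cron) ---
  # fragmented ICMP in either direction
  fw add 196 count log logamount 100 icmp from any to any frag
  # echo request / echo reply get their own, larger log budget
  fw add 197 count log logamount 100 icmp from any to any icmptypes 8,0
  # the remaining well-known types to/from this host.  Type 3 is in here:
  # "destination unreachable" includes "fragmentation needed" (PMTUD), and
  # it shares both this log budget and the 5 Kbit/s pipe 202 below, so
  # under a flood legitimate PMTUD messages to this host may be dropped.
  # These rules match on type only, so the codes cannot be separated here.
  fw add 198 count log logamount 30 icmp from any to me icmptypes 3,4,5,9,10,11,12,13,14,15,16,17,18
  fw add 199 count log logamount 30 icmp from me to any icmptypes 3,4,5,9,10,11,12,13,14,15,16,17,18

  # --- pipes: one dynamic 5 Kbit/s queue per destination address ---
  fw pipe 201 config bw 5Kbits/s queue 5Kbytes delay 0 mask dst-ip 0xffffffff
  fw pipe 202 config bw 5Kbits/s queue 5Kbytes delay 0 mask dst-ip 0xffffffff

  # fragments to/from this host
  fw add 201 pipe 201 icmp from me to any frag
  fw add 201 pipe 201 icmp from any to me frag
  # all other ICMP to/from this host
  fw add 202 pipe 202 icmp from any to me
  fw add 202 pipe 202 icmp from me to any
}

# UDP: log fragments and non-DNS traffic to this host, then split UDP into a
# fragments pipe, a roomier DNS/NTP pipe and a catch-all pipe.
udp_limits() {
  # --- counters / logs (rules 210-212, reset by cron) ---
  fw add 210 count log logamount 100 udp from any to any frag
  # inbound UDP that is neither from nor to port 53.  This ipfw syntax has
  # no "not" keyword (ipfw2 does), so "port != 53" is spelled as the two
  # ranges 0-52 and 54-65535 on each side, four rules in total.  Side
  # effect: a packet with source port 53 is never logged by these rules.
  fw add 211 count log logamount 50 udp from any 0-52 to me 0-52
  fw add 211 count log logamount 50 udp from any 0-52 to me 54-65535
  fw add 212 count log logamount 50 udp from any 54-65535 to me 0-52
  fw add 212 count log logamount 50 udp from any 54-65535 to me 54-65535

  # --- pipes: one dynamic queue per destination address ---
  fw pipe 220 config bw 20Kbits/s queue 10Kbytes delay 0 mask dst-ip 0xffffffff
  fw pipe 221 config bw 120Kbits/s queue 20Kbytes delay 0 mask dst-ip 0xffffffff
  fw pipe 222 config bw 20Kbits/s queue 10Kbytes delay 0 mask dst-ip 0xffffffff

  # fragments to/from this host
  fw add 220 pipe 220 udp from me to any frag
  fw add 220 pipe 220 udp from any to me frag
  # DNS and NTP get the 120 Kbit/s pipe.  These match on port alone, for any
  # address and in any direction, and they come before 222, so a sender
  # that chooses source port 53 lands here instead of in the 20 Kbit/s
  # catch-all (and, per 211/212 above, is not logged as non-DNS).  If this
  # host does not have to pass DNS for others, `from any 53 to me` and
  # `from me to any 53` would narrow that down to its own DNS traffic.
  fw add 221 pipe 221 udp from any 53 to any
  fw add 221 pipe 221 udp from any to any 53
  fw add 221 pipe 221 udp from any 123 to any 123
  # everything else to/from this host
  fw add 222 pipe 222 udp from me to any
  fw add 222 pipe 222 udp from any to me
}

# IGMP: log fragments and all IGMP to/from this host, then cap it at
# 5 Kbit/s per destination address.
igmp_limits() {
  # --- counters / logs (rules 230-232, reset by cron) ---
  fw add 230 count log logamount 100 igmp from any to any frag
  fw add 231 count log logamount 50 igmp from any to me
  fw add 232 count log logamount 50 igmp from me to any

  # --- pipes: one dynamic 5 Kbit/s queue per destination address ---
  fw pipe 240 config bw 5Kbits/s queue 5Kbytes delay 0 mask dst-ip 0xffffffff
  fw pipe 241 config bw 5Kbits/s queue 5Kbytes delay 0 mask dst-ip 0xffffffff

  # fragments, then everything else, to/from this host
  fw add 240 pipe 240 igmp from me to any frag
  fw add 240 pipe 240 igmp from any to me frag
  fw add 241 pipe 241 igmp from me to any
  fw add 241 pipe 241 igmp from any to me
}

# Entry point: refuse to start without a usable ipfw, then install the
# sections in the same order as the original flat script.
main() {
  command -v "$IPFW" >/dev/null 2>&1 || die "cannot find ipfw at '$IPFW'"
  delete_stale_rules
  icmp_limits
  udp_limits
  igmp_limits
}

main "$@"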