PF(Packet Filter)\ub294 BSD\uc6a9 \ubc29\ud654\ubcbd\uc785\ub2c8\ub2e4. \uc6d0\ub798 IPF\ub77c\uace0 \uac1c\uc778\uc774 \ub9cc\ub4e0 \uacf5\uac1c \ubc29\ud654\ubcbd\uc774 \uc788\uc5b4\uc11c, \uc5ec\ub7ec BSD \uacc4\uc5f4 UNIX\uc5d0\uc11c \uc8fc\ub85c \uc0ac\uc6a9\ud558\uc600\uc5c8\uc2b5\ub2c8\ub2e4. \ub2e4\ub978 \uac1c\ubc1c\uc790\ub4e4\uc774 \ub77c\uc774\uc13c\uc2a4\uc5d0 \ub300\ud574 \uba85\ud655\ud558\uc9c0 \uc54a\uc740 \ubd80\ubd84\uc5d0 \ub300\ud574\uc11c \uc124\uba85 \uc694\uad6c\uc5d0 \ub300\ud55c \uc751\ub2f5\uc5d0 \ub9cc\uc871\ud558\uc9c0 \ubabb\ud55c \uc624\ud508\uc18c\uc2a4 \uac1c\ubc1c\uc790\ub4e4\uc774 \uc0c8\ub86d\uac8c \ub9cc\ub4e0 \ubc29\ud654\ubcbd\uc774 PF\uc785\ub2c8\ub2e4. \uc815\ub9d0 \ub108\ubb34\ub098\ub3c4 \ube60\ub974\uac8c, IPF\uc640 \uae30\ub2a5\uc740 \uc720\uc0ac\ud558\uac8c \ub9cc\ub4e4\uc5b4\uc84c\uc2b5\ub2c8\ub2e4. IPF\ub294 \uc18c\uc2a4\ub294 \uacf5\uac1c\uc600\uc9c0\ub9cc, \uc18c\uc2a4 \ubd84\uae30\ub294 \ud5c8\uc6a9\ud558\uc9c0 \uc54a\uace0 \uc6d0 \uac1c\ubc1c\uc790\uac00 \ud544\uc694\ud55c \ud328\uce58\ub9cc \ud574\uc11c \ud558\ub098\uc758 \ubc84\uc804\uc744 \uc720\uc9c0\ud558\uaca0\ub2e4\uace0 \ud588\uc5c8\uc2b5\ub2c8\ub2e4…<\/p>\n
\ud558\uc5ec\uac04 PF\uac00 OpenBSD \uac1c\ubc1c\uc790\ub4e4\uc5d0 \uc758\ud574\uc11c \uc21c\uc2dd\uac04\uc5d0 \ub9cc\ub4e4\uc5b4\uc9c0\uace0, \uc5ec\ub7ec\uac1c\ubc1c\uc790\ub4e4\uc774 \ucc38\uc5ec\uac00 \uac00\ub2a5\ud588\uae30 \ub54c\ubb38\uc5d0 \uae08\ubc29 \uc5ec\ub7ec\uac00\uc9c0 \ucd94\uac00 \uae30\ub2a5\ub4e4\uc774 \uad6c\ud604\ub410\uc2b5\ub2c8\ub2e4. \uc624\ud508 \uc18c\uc2a4 \ucd5c\uace0\uc758 \ubc29\ud654\ubcbd\uc73c\ub85c \uc790\ub9ac \uc7a1\uc558\uace0, \uc0c1\uc6a9 \ubc29\ud654\ubcbd\uc774 \uac16\ucd94\uc9c0 \ubabb\ud55c \uc88b\uc740 \uae30\ub2a5\ub4e4\ub3c4 \ub9ce\uc774 \uac00\uc9c0\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n
FreeBSD\uc5d0\uc11c PF \ubc29\ud654\ubcbd\uc744 \uc0ac\uc6a9\ud558\ub824\uba74 \/etc\/rc.conf \uc5d0<\/p>\n
<\/div>\n
\ub97c \ucd94\uac00\ud574\uc57c\ud569\ub2c8\ub2e4.<\/p>\n
\uc815\ucc45 \uc124\uc815\uc740 \/etc\/pf.conf <\/span>\uc5d0\uc11c \ud569\ub2c8\ub2e4.<\/p>\n \uc124\uc815 \ud30c\uc77c\uc5d0\uc11c \uac00\uc7a5 \uc911\uc694\ud55c \ubd80\ubd84\uc740 pass\/block\uc774\uc8e0…<\/p>\n 1.2.3.x \uc5d0\uc11c \uc624\ub294 \ubaa8\ub4e0 udp \ud328\ud0b7\uc744 \ub9c9\uace0 \uc2f6\ub2e4\uba74…<\/p>\n <\/div>\n 80\ud3ec\ud2b8\ub85c \uc624\ub294 \uac78 \uc5f4\uc5b4\uc8fc\uace0 \ub85c\uadf8\ub85c \ub0a8\uae30\uace0 \uc2f6\uc73c\uba74,<\/p>\n <\/div>\n keep state\ud558\uba74 \uc0dd\uc131\ub41c TCP \uc138\uc158\uc5d0 \ub300\ud574\uc11c \ub4e4\uc5b4\uc624\uace0 \ub098\uac00\ub294 \ud328\ud0b7\uc774 \ubc29\ud654\ubcbd\uc744 \ud1b5\uacfc\ud569\ub2c8\ub2e4.<\/p>\n \ud328\ud0b7\uc774 \uc654\uc744\ub54c \uc704\uc5d0\uc11c \ubd80\ud130 \ube44\uad50\uac00 \ub418\uba70… \ub9e8 \ub9c8\uc9c0\ub9c9 \ub9e4\uce58\uac00 \uc120\ud0dd\ub429\ub2c8\ub2e4. \uc544\ub798\ub294 \ud604\uc7ac \uc0ac\uc6a9\uc911\uc778 \uc124\uc815\uc785\ub2c8\ub2e4. \ucd94\uac00\uc801\uc778 \ubcf4\uc548 \uad00\ub828 \uc124\uc815\uc774 \uc5ec\ub7ec\uac00\uc9c0 \uc788\uc2b5\ub2c8\ub2e4..<\/p>\n set limit { states 80000, frags 5000 }<\/p>\n set block-policy drop<\/p>\n set skip on lo0<\/p>\n scrub in all block in all table <bruteforce> persist block in quick log proto tcp from <bruteforce> to port 80 pass in on $ext_if proto tcp from any to $ext_if port 22 \\ \uc704\uc5d0 \uc124\uc815\uc5d0\uc11c ssh\ub098 http\ub85c \ud558\ub098\uc758 IP\uc5d0\uc11c \uc5ec\ub7ec\uac1c\uc758 \uc694\uccad\uc774 \ud55c\ubc88\uc5d0 \uc624\uba74 \ub9c9\ub294 \uae30\ub2a5\uc774 \ub3d9\uc791\ud569\ub2c8\ub2e4. HTTP\uc758 \uacbd\uc6b0 \ucd5c\ub300 100\uac1c\uc758 \ub3d9\uc2dc \uc5f0\uacb0, 10\ucd08\uac04 300\uac1c \uc774\uc0c1\uc758 \uc5f0\uacb0\uc774 \ubc1c\uc0dd\ud558\uac8c \ub418\uba74 \uacf5\uaca9\uc790\ub85c \uc778\uc2dd\ud558\uace0 \uae30\uc874 \uc5f0\uacb0\uc744 \ubaa8\ub450 \ub04a\uc5b4\ubc84\ub9ac\uace0 \uc5f0\uacb0\uc744 \ub9c9\uc2b5\ub2c8\ub2e4.<\/p>\n \ud55c\ubc88 \ub4f1\ub85d\ub418\uba74 \ubc29\ud654\ubcbd \uc7ac\uc2dc\uc791 \uc804\uc5d0\ub294 \ud574\ub2f9 IP\uc5d0\uc11c \uc5f0\uacb0\uc774 \uc548\ub429\ub2c8\ub2e4. \uc77c\uc815 \uae30\uac04\uc774 \uc9c0\ub098\uba74 \ud480\ub9ac\uac8c \ud558\ub294 \ubc29\ubc95\uc740 expiretable\ub97c \uc0ac\uc6a9\ud558\uba74 \uac00\ub2a5\ud569\ub2c8\ub2e4.<\/p>\n FreeBSD\uc5d0\uc11c\ub294<\/p>\n # \/usr\/local\/sbin\/expiretable -t 2h bruteforce<\/p><\/div>\n 2\uc2dc\uac04 \uc774\uc0c1 \uc9c0\ub09c IP\ub97c \ud480\uc5b4\uc8fc\ub294 \uba85\ub839\uc73c\ub85c crontab\uc5d0 \ub4f1\ub85d\ud574\uc11c \uc0ac\uc6a9\ud558\uba74 \ub429\ub2c8\ub2e4.<\/p>\n \ucd5c\uc2e0 \ubc84\uc804 PF\ub97c \uc0ac\uc6a9\ud558\uba74 pfctl\ub85c \uac19\uc740 \uae30\ub2a5\uc744 \ud560\uc218 \uc788\ub2e4\uace0 \ud569\ub2c8\ub2e4.<\/p>\n \ubc29\ud654\ubcbd \uc2dc\uc791, \uc7ac\uc2dc\uc791, \uc124\uc815 \ud30c\uc77c \ub2e4\uc2dc \uc77d\uae30, \uc885\ub8cc \ubc29\ubc95:<\/p>\n <\/div>\n \ubc29\ud654\ubcbd \ub85c\uadf8\ub97c \uc2e4\uc2dc\uac04\uc73c\ub85c \ubcf4\ub294 \ubc29\ubc95<\/p>\n <\/div>\n \uc313\uc778 \ub85c\uadf8\ub97c \ubcf4\ub294 \ubc29\ubc95<\/p>\n <\/div>\n \ubc29\ud654\ubcbd \uc0c1\ud0dc \ubcf4\uae30<\/p>\n \ubc29\ud654\ubcbd \uacf5\uaca9 IP \ubcf4\uae30<\/p>\n \ub9c8\uc9c0\ub9c9\uc73c\ub85c… \uc6d0\uaca9\uc5d0\uc11c \ubc29\ud654\ubcbd \uc798\ubabb \uc124\uc815\ud558\uba74 IDC\ub85c \ud280\uc5b4\uac00\uc57c\ud569\ub2c8\ub2e4. \ud55c\uac00\uc9c0 \ud130\ub4dd\ud55c \ubc29\ubc95\uc740…<\/p>\n restart\ubcf4\ub2e4\ub294 reload\uac00 \uadf8\ub098\ub9c8 \uc548\uc804\ud569\ub2c8\ub2e4. reload\ud560 \ub54c\ub294 \uc138\uc158 \ud14c\uc774\ube14\uc774 \ucd08\uae30\ud654 \ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.<\/p>\n DDoS\uc758 \uacf5\uaca9\uc758 \uc885\ub958\uac00 \ub9ce\uace0 \uc5b4\ub514\uac00 bottleneck\uc774 \ub418\ub290\ub0d0\uc5d0 \ub530\ub77c \ud574\uacb0\ubc29\ubc95\uc774 \ud2c0\ub824\uc9d1\ub2c8\ub2e4. \uc11c\ubc84 \uc790\uccb4\uc758 \ubd80\ud558\ub97c \uc77c\uc73c\ucf1c \uc11c\ube44\uc2a4 \uac70\ubd80 \uacf5\uaca9\uc744 \ubc1b\ub294 \uacbd\uc6b0 PF\ub85c \ub9ce\uc740 \uacf5\uaca9\uc744 \ub9c9\uc744\uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n
from \uc8fc\uc18c\/\ub9c8\uc2a4\ud06c\ube44\ud2b8 port \ud3ec\ud2b8<\/span>
to \uc8fc\uc18c\/\ub9c8\uc2a4\ud06c\ube44\ud2b8 port \ud3ec\ud2b8<\/span><\/div>\n<\/div>\n<\/div>\n
<\/div>\n<\/div>\n
\ub2e8, quick\uc774 \uc124\uc815\ub418\uc5b4 \uc788\uc73c\uba74 \uadf8 \ub9e4\uce58\uac00 \uc120\ud0dd\ub429\ub2c8\ub2e4.<\/p>\n
antispoof for $ext_if<\/p>\n
block out all<\/p>\n
table <sshbruteforce> persist<\/p>\n
block in quick log proto tcp from <sshbruteforce> to port 22<\/p>\n
flags S\/SA keep state \\
(max-src-conn-rate 10\/30, overload <sshbruteforce> flush global)
pass in on $ext_if proto tcp from any to $ext_if port 80 \\
flags S\/SA synproxy state
pass in on $ext_if proto tcp from any to $ext_if port 80 \\
flags S\/SA keep state \\
(max-src-conn 100, max-src-conn-rate 300\/10, \\
overload <bruteforce> flush global)<\/div>\n<\/div>\n
# make install<\/p>\n
# \/etc\/rc.d\/pf restart
# \/etc\/rc.d\/pf reload
# \/etc\/rc.d\/pf stop
# \/etc\/rc.d\/pflog start
# \/etc\/rc.d\/pflog stop<\/div>\n
# pfctl -vvs all (\ubcf4\ub2e4 \uc790\uc138\ud55c \uc815\ubcf4 \ubcf4\uae30)<\/div>\n<\/div>\n
\uc2e0\uc911\uc744 \uae30\ud574\uc57c\ud569\ub2c8\ub2e4.<\/p>\n