hex-string iptables ipfw

Защита от HLDSFlood
iptables -A INPUT -p udp -m udp -m string --hex-string "|17c74a30a2fb752396b63532b1bf79b0|" --algo kmp -j DROP
iptables -A INPUT -p udp -m udp -m string --hex-string "|17951a20e2ab6d63d6ac7d62f1f721e057cd4270e2f1357396f66522f1ed61f0|" --algo kmp -j DROP
iptables -A INPUT -p udp -m udp -m string --hex-string "|178f5230e2e17d73d6bc6562f1ed29e0|" --algo kmp -j DROP
iptables -A INPUT -p udp -m udp -m string --hex-string "|d50000806e000000|" --algo kmp -j DROP
iptables -A INPUT -p udp -m udp -m string --hex-string "|ffffffff6765746368616c6c656e6765000000000000|" --algo kmp -j DROP


/sbin/iptables -A FORWARD -m udp -p udp -m string --hex-string "|0000000000380000|" --algo bm --from 36 --to 45 -j DROP
/sbin/iptables -A FORWARD -m udp -p udp -m string --hex-string "|7F FF FF FF AB|" --algo bm --from 40 --to 44 -j DROP
/sbin/iptables -A FORWARD -m udp -p udp -m string --hex-string "|7F FF FF FF 00 03 20 00|" --algo bm --from 36 --to 43 -j DROP
/sbin/iptables -A FORWARD -m udp -p udp -m string --hex-string "|00 38 00 00 00 01 00 00|" --algo bm --from 40 --to 47 -j DROP


iptables -A FORWARD -p udp -m length --length 61 -m string --hex-string "|7F FF FF FF|" --algo kmp --from 40 --to 44 -j DROP


FreeBSD через ng_bpf
#!/bin/sh
 
kldload ng_bpf
kldload ng_tag
kldload ng_ipfw
 
/usr/sbin/ngctl -f- < <-SEQ
        mkpeer ipfw: bpf 61 ipfw_hook61
        name ipfw:61 bpf_utp_filter
        mkpeer bpf_utp_filter: tag matched tag_utp
        name bpf_utp_filter:matched tag_utp_tagger
SEQ
 
ngctl msg bpf_utp_filter: setprogram { thisHook=\"ipfw_hook61\" ifNotMatch=\"ipfw_hook61\" ifMatch=\"matched\" bpf_prog_len=12 bpf_prog=[ { code=48 jt=0 jf=0 k=0 } { code=84 jt=0 jf=0 k=240 } { code=21 jt=0 jf=8 k=64 } { code=48 jt=0 jf=0 k=9 } { code=21 jt=0 jf=6 k=17 } { code=40 jt=0 jf=0 k=6 } { code=69 jt=4 jf=0 k=8191 } { code=177 jt=0 jf=0 k=0 } { code=64 jt=0 jf=0 k=20 } { code=21 jt=0 jf=1 k=2147483647 } { code=6 jt=0 jf=0 k=65535 } { code=6 jt=0 jf=0 k=0 } ] }
ngctl msg bpf_utp_filter: setprogram { thisHook=\"matched\" ifMatch=\"ipfw_hook61\" bpf_prog_len=1 bpf_prog=[ { code=6 jt=0 jf=0 k=96 } ] }
ngctl msg tag_utp_tagger: sethookin { thisHook=\"tag_utp\" ifNotMatch=\"tag_utp\" }
ngctl msg tag_utp_tagger: sethookout { thisHook=\"tag_utp\" tag_cookie=1148380143 tag_id=61 }
 
ipfw add netgraph 61 udp from any to any iplen 0-61
ipfw add deny udp from any to any tagged 0-61
 
# to test outgoing - tcpdump -pni Out_Interface "ip[40:4]=0x7FFFFFFF" and "ip[44:1]=0xab" and ether src Ext_If_Mac


снятие
tcpdump -Xni vlan0 "ip[40:4]=0x7FFFFFFF and ip[44:1]=0xAB"


kldload ng_ipfw
# ngctl mkpeer ipfw: bpf 127 ipfw
# ngctl name ipfw:127 utp_filter
# ngctl name ipfw:127 pptp_utp_filter
# ngctl msg pptp_utp_filter: setprogram '{ thisHook="ipfw" ifMatch="matched" ifNotMatch="ipfw" bpf_prog_len=36 bpf_prog=[ { code=0xb1 } { code=0x40 } { code=0x54 k=4286578687 } { code=0x15 jf=31 k=805406731 } { code=0x50 k=1 } { code=0x54 k=128 } { code=0x74 k=5 } { code=0x4 k=12 } { code=0xc } { code=0x7 } { code=0x48 } { code=0x15 jf=3 k=65283 } { code=0x87 jf=3 } { code=0x4 k=2 } { code=0x7 } { code=0x50 } { code=0x15 jf=3 } { code=0x87 jf=3 } { code=0x4 k=1 } { code=0x7 } { code=0x50 } { code=0x15 jf=13 k=33 } { code=0x87 jf=3 } { code=0x4 k=1 } { code=0x7 } { code=0x50 k=9 } { code=0x15 jf=8 k=17 } { code=0x50 } { code=0x54 k=15 } { code=0x64 k=2 } { code=0xc } { code=0x7 } { code=0x40 k=20 } { code=0x15 jf=1 k=2147483647 } { code=0x6 k=65535 } { code=0x6 } ] }'
# sysctl net.inet.ip.fw.one_pass=0
# ipfw add 127 netgraph 127 gre from any to any via ng0
# ngctl msg pptp_utp_filter: getstats '"ipfw"'



/usr/sbin/ngctl -f- <<-SEQ
        mkpeer ipfw: bpf 61 ipfw_hook61
        name ipfw:61 bpf_utp_filter
        mkpeer bpf_utp_filter: tag matched tag_utp
        name bpf_utp_filter:matched tag_utp_tagger
SEQ

ngctl msg bpf_utp_filter: setprogram { thisHook=\"ipfw_hook61\" ifNotMatch=\"ipfw_hook61\" ifMatch=\"matched\" bpf_prog_len=12 bpf_prog=[ { code=48 jt=0 jf=0 k=0 } { code=84 jt=0 jf=0 k=240 } { code=21 jt=0 jf=8 k=64 } { code=48 jt=0 jf=0 k=9 } { code=21 jt=0 jf=6 k=17 } { code=40 jt=0 jf=0 k=6 } { code=69 jt=4 jf=0 k=8191 } { code=177 jt=0 jf=0 k=0 } { code=64 jt=0 jf=0 k=20 } { code=21 jt=0 jf=1 k=2147483647 } { code=6 jt=0 jf=0 k=65535 } { code=6 jt=0 jf=0 k=0 } ] }
ngctl msg bpf_utp_filter: setprogram { thisHook=\"matched\" ifMatch=\"ipfw_hook61\" bpf_prog_len=1 bpf_prog=[ { code=6 jt=0 jf=0 k=96 } ] }
ngctl msg tag_utp_tagger: sethookin { thisHook=\"tag_utp\" ifNotMatch=\"tag_utp\" }
ngctl msg tag_utp_tagger: sethookout { thisHook=\"tag_utp\" tag_cookie=1148380143 tag_id=61 }


ipfw add netgraph 61 udp from any to any iplen 0-61
ipfw add deny udp from any to any tagged 0-61




sysctl net.inet.ip.fw.one_pass=0

почитать
http://citrin.ru/freebsd:ng_ipfw_ng_bpf