author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-10-10 00:41:08 -0300 |
committer | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-10-10 00:41:08 -0300 |
commit | b46cdd37023fccc545db507b939f70bf8af7f7a0 (patch) | |
tree | 97973314db94866396917fe235a352b205406e0b /config | |
parent | f6ab777ce082677fbdb7bb4bd972f347628c556f (diff) | |
bind - add rate limit option
Diffstat (limited to 'config')
-rw-r--r-- | config/bind/bind.inc | 17 | ||||
-rw-r--r-- | config/bind/bind.xml | 52 |
2 files changed, 55 insertions, 14 deletions
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index d1ff106f..4e01214a 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -72,7 +72,20 @@ $bind_conf .= <<<EOD
 max-cache-size $ram_limit;\n
 EOD;
-
+ // check response rate limit option
+ //https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
+ //http://ss.vix.su/~vjs/rl-arm.html
+ if ($bind['rate_enabled']=="on"){
+ $rate_limit=($bind['rate_limit']?$bind['rate_limit']:"15");
+ $log_only=($bind['log_only']=="no"?"no":"yes");
+ $bind_conf .= <<<EOD
+ rate-limit {
+ responses-per-second {$rate_limit};
+ log-only {$log_only};
+ };
+
+EOD;
+ }
 //check ips to listen on
 if (preg_match("/All/",$bind['listenon'])){
 $bind_listenonv6="Any;";
@@ -97,7 +110,7 @@ EOD;
 }
 $bind_listenonv6=($bind_listenonv6==""?"none;":$bind_listenonv6);
 $bind_listenon=($bind_listenon==""?"none;":$bind_listenon);
- print "<PRE>$bind_listenonv6 $bind_listenon";
+ //print "<PRE>$bind_listenonv6 $bind_listenon";
 if (key_exists("ipv6allow",$config['system'])){
 $bind_conf .="\t\tlisten-on-v6 { $bind_listenonv6 };\n";
 }
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index a3b9e572..97dc7012 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -125,6 +125,11 @@
 </additional_files_needed>
 <fields>
 <field>
+ <type>listtopic</type>
+ <name>Daemon Settings</name>
+ <fieldname>temp01</fieldname>
+ </field>
+ <field>
 <fielddescr>Enable Bind</fielddescr>
 <fieldname>enable_bind</fieldname>
 <description><![CDATA[Enable DNS Bind on Server<br>
@@ -132,6 +137,15 @@
 <type>checkbox</type>
 <required/>
 </field>
+ <field>
+ <fielddescr>Listen-on</fielddescr>
+ <fieldname>listenon</fieldname>
+ <description><![CDATA[Enable Named to listen on.]]></description>
+ <type>interfaces_selection</type>
+ <showlistenall/>
+ <showvirtualips/>
+ <multiple/>
+ </field>
 <field>
 <fielddescr>Enable logging</fielddescr>
 <fieldname>bind_logging</fieldname>
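Review bot: `$rate_limit` is interpolated into the generated named.conf exactly as stored in `$bind['rate_limit']`, so a non-numeric value from the form breaks the `rate-limit { ... }` block or alters the configuration, and a stored `0` is falsy and silently becomes 15. Coerce and bound it before it reaches the heredoc, e.g. `$rate_limit = ((int) $bind['rate_limit'] > 0) ? (int) $bind['rate_limit'] : 15;`. The `log_only` fallback also yields `"yes"` whenever the select is unset or holds an unexpected value, so enabling the checkbox without a saved action only logs and never enforces the limit; if that is intended, say so with a comment such as `// unset/unknown log_only falls back to log-only (no enforcement)`. The enclosing function starts and ends outside the hunk.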
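Review bot: The debug `print "<PRE>$bind_listenonv6 $bind_listenon";` is commented out rather than deleted, leaving dead code in the config generator that is one keystroke from re-enabling a stray HTML dump of the listen configuration into the page output. Remove the line instead of keeping `//print ...`. The enclosing function starts and ends outside the hunk.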
@@ -151,27 +165,43 @@
 <type>checkbox</type>
 </field>
 <field>
- <fielddescr>Limitar Memory RAM</fielddescr>
+ <fielddescr>Limit Memory use</fielddescr>
 <fieldname>bind_ram_limit</fieldname>
- <description>Limits the use of RAM for the DNS when much use does not exhaust the resources of the machine, recommend 256M</description>
+ <description>Limits RAM use for DNS server, recommend 256M</description>
 <type>input</type>
 <size>10</size>
 <default_value>256M</default_value>
 </field>
 <field>
 <type>listtopic</type>
- <name>Listen on Interfaces</name>
+ <name>Response limit</name>
 <fieldname>temp01</fieldname>
 </field>
 <field>
- <fielddescr>Listen-on</fielddescr>
- <fieldname>listenon</fieldname>
- <description><![CDATA[Enable Named to listen on.]]></description>
- <type>interfaces_selection</type>
- <showlistenall/>
- <showvirtualips/>
- <multiple/>
+ <fielddescr>Rate limit</fielddescr>
+ <fieldname>rate_enabled</fieldname>
+ <description>Limit/rate response queries to prevent DOS attack.</description>
+ <type>checkbox</type>
+ <enablefields>rate_limit,log_only</enablefields>
+ </field>
+ <field>
+ <fielddescr>Limit Action</fielddescr>
+ <fieldname>log_only</fieldname>
+ <description>Select what to do when a query reaches a limit.</description>
+ <type>select</type>
+ <options>
+ <option><name>Deny query</name><value>no</value></option>
+ <option><name>Log only</name><value>yes</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>limit</fielddescr>
+ <fieldname>rate_limit</fieldname>
+ <description>Set rate limit. Default to 15.</description>
+ <type>input</type>
+ <size>10</size>
 </field>
+ <field>
 <type>listtopic</type>
 <name>Forwarder Config</name>
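Review bot: The new `rate_limit` input has no validation and its description does not say what the number means, yet `bind.inc` interpolates it straight into BIND's `responses-per-second`; the form should state the unit and accept only a positive integer. Replace `<description>Set rate limit. Default to 15.</description>` with `<description>Maximum responses per second (BIND responses-per-second) before rate limiting applies. Numeric only; default 15.</description>`, and capitalize `<fielddescr>limit</fielddescr>` to match the other labels. The `Response limit` listtopic also reuses `<fieldname>temp01</fieldname>` already used by the `Daemon Settings` listtopic in the earlier hunk; listtopic fieldnames are presumably not persisted, but a distinct name such as `temp02` avoids a collision if they ever are.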
@@ -211,8 +241,6 @@
 <custom_php_after_head_command>
 </custom_php_after_head_command>
 <custom_php_command_before_form>
- bind_views_before_form_dest(&$pkg,"bindacls","name","listenonv6");
- bind_views_before_form_dest(&$pkg,"bindacls","name","listenon");
 </custom_php_command_before_form>
 <custom_add_php_command>
 </custom_add_php_command>
 |