Question
Can pfSense protect against application-layer (Layer 7) DDoS attacks, and if so, how?
Asked by: USER9864
85 Viewed
Answer
pfSense's native capabilities are primarily for network and transport layer (L3/L4) attacks. Protecting against application-layer (Layer 7) DDoS attacks is more challenging for pfSense alone but can be partially addressed:
1. **Rate Limiting with Limiters:** For HTTP/HTTPS floods, you can use traffic shaper limiters to restrict the number of new connections per second or overall bandwidth to web servers, though this can impact legitimate users.
2. **Custom Firewall Rules:** Crafting highly specific firewall rules based on known Layer 7 attack signatures (e.g., specific User-Agent strings, HTTP headers), if identifiable, is possible but reactive and hard to maintain.
3. **Integration with External WAF/CDN:** The most effective approach is to place a dedicated Web Application Firewall (WAF) or a CDN (Content Delivery Network) service like Cloudflare *in front* of pfSense. These services are specifically designed to analyze and filter Layer 7 traffic before it reaches your network, offloading the burden from pfSense and your internal servers. pfSense would then protect against any L3/L4 attacks that bypass the WAF/CDN or target other services.
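To make point 1 concrete, here is an added example (not from the answer above, and not pfSense's own generated ruleset) showing the pf syntax behind the per-rule connection limits pfSense exposes under a firewall rule's Advanced Options. It assumes the WAN interface is `em0`, the web server is the constructed documentation address 192.0.2.10, and the overload table is `virusprot`, the table pfSense uses for hosts that exceed a rule's limits.

```conf
# Hosts that trip a limit land in this table; the block rule below drops them.
table <virusprot> persist
block in log quick on em0 from <virusprot> to any

# Before: an unconstrained pass rule. One client may open as many connections,
# as fast as it likes, and every one of them consumes a state-table entry.
pass in quick on em0 proto tcp from any to 192.0.2.10 port { 80 443 } \
    flags S/SA keep state

# After: the same rule with per-source limits.
#   max-src-conn 50         at most 50 simultaneous connections per source
#   max-src-conn-rate 15/5  at most 15 new connections per 5 seconds
#   max-src-states 100      at most 100 state entries per source
# A source exceeding max-src-conn or max-src-conn-rate is added to <virusprot>;
# "flush global" also tears down every state that source already holds.
pass in quick on em0 proto tcp from any to 192.0.2.10 port { 80 443 } \
    flags S/SA keep state \
    ( max-src-conn 50, max-src-conn-rate 15/5, max-src-states 100, \
      overload <virusprot> flush global )
```

These limits count TCP connections, not HTTP requests, so a flood that sends many requests over a few keep-alive connections passes them unchanged, which is exactly the gap point 3 addresses with a WAF or CDN. Entries in the overload table should be expired periodically (pfSense does this with a cron job) so that a briefly misbehaving client is not blocked forever.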