PF to Preventing SMTP Brute Force Attacks
Jason Hellenthal
jhellenthal at dataix.net
Fri Jun 15 17:00:52 UTC 2012
On Fri, Jun 15, 2012 at 04:17:06PM -0000, Shiv. Nath wrote:
> Hi FreeBSD Gurus,
>
>
> I want to use PF to prevent SMTP brute force attacks. I need some help
> to understand the correct syntax.
>
> URL Explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts
>
>
> I expect the following behavior from the PF rule below:
>
> Limit the absolute maximum number of states that this rule can create to 200
>
> Enable source tracking; limit state creation based on states created by
> this rule only
>
> Limit the maximum number of nodes that can simultaneously create state to 100
>
> Limit the maximum number of simultaneous states per source IP to 3
>
> Solution:
> int0="em0"
> trusted_tcp_ports="{22,25,443,465}"
>
> pass in on $int0 proto tcp from any to any port $trusted_tcp_ports keep state (max 200, source-track rule, max-src-nodes 100, max-src-states 3)
I don't know if max will work here but this is what I use for a sshd
rule.
table <sshmart> persist   # table referenced by 'overload' below; must be declared
pass in log quick proto tcp from any port >1023 to any port 22 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/15, overload <sshmart> flush global)
You should be using the syntax from pf41 through pf45. The URL you
referenced has a syntax that changed in pf46, pf47 onward...
--
- (2^(N-1))
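A complete pf.conf fragment combining the state options from the question with the overload table from the reply, in the pre-pf46 syntax the reply recommends. This is an added example, not code from either poster; the interface name, port list, the <bruteforce> table name and the 5/30 rate are assumptions.

```pf
# Added example (assumptions: em0, the port list, table name, rate values).
int0="em0"
trusted_tcp_ports="{ 22, 25, 443, 465 }"

# Sources that trip the rate limit are added here by 'overload'. 'persist'
# keeps the table around even if no rule references it yet.
table <bruteforce> persist

# pf uses last-match semantics, so the block must be 'quick' to stop
# evaluation before the pass rule below would otherwise win.
block in log quick on $int0 proto tcp from <bruteforce> to any port $trusted_tcp_ports

# flags S/SA: only the initial SYN creates state, so each connection attempt
# is counted once against the per-source limits.
#   max 200              hard cap on states this rule may create
#   source-track rule    count per source IP, for this rule only
#   max-src-nodes 100    at most 100 distinct source IPs with state
#   max-src-states 3     at most 3 simultaneous states per source IP
#   max-src-conn-rate    more than 5 new connections in 30 s from one
#                        source adds it to <bruteforce>
#   flush global         kill every existing state from that source, not
#                        just the ones created by this rule
pass in log on $int0 proto tcp from any to any port $trusted_tcp_ports \
    flags S/SA keep state \
    ( max 200, source-track rule, max-src-nodes 100, max-src-states 3, \
      max-src-conn-rate 5/30, overload <bruteforce> flush global )

# Inspection and maintenance (run as root):
#   pfctl -t bruteforce -T show            # addresses currently blocked
#   pfctl -s Sources                       # per-source tracking counters
#   pfctl -t bruteforce -T expire 86400    # drop entries older than one day
#   pfctl -t bruteforce -T delete 192.0.2.10   # unblock one host (example address)
```

Entries added by `overload` never age out on their own, so the `expire` command above (or a cron job running it) is what turns the ban into a temporary one.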