equivalent for pf's max-src-conn-rate in ipfw

Dmitry Selivanov sd at mostnet.ru
Fri May 5 08:25:01 UTC 2017


You can try using the "limit src-addr" keyword and maybe tune net.inet.ip.fw.dyn_syn_lifetime.
See "Examples/DYNAMIC RULES" section at ipfw(8).

On 05.05.2017 0:46, Marco van Tol wrote:
> Hi there,
>
> Possibly this question pops up regularly.  I have tried to find the answer myself and have been unable to so far.
>
> My current way to drastically slow down ssh brute force attacks is by using the pf feature "max-src-conn-rate" with an argument of 5/60 meaning only 5 syn packets are allowed per source IP to my ssh port per minute.  The rest get dropped.  This works both for IPv4 and IPv6.  I typically don't login more than 5 times per minute to my hosts.
>
> I have tried several ways to get the same behaviour using ipfw and dummynet.  But when combining the rules with keep-state I don't get to the point where I get wire-speed ssh connections for those that make it while keeping the number of new connections per source IP at a very low number (a few per minute).
>
> Is there an equivalent in ipfw for the pf feature max-src-conn-rate?
>
> Thank you very much in advance, please keep cc'ing me as I have not subscribed to the ipfw list yet.
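A concrete ruleset for the approach in the reply above, added here as an example rather than taken from the thread or from FreeBSD's own documentation. It assumes ssh on port 22, free rule numbers 100-300, and that "me" matches the host's IPv4 and IPv6 addresses; note that ipfw's "limit" caps concurrent tracked sessions per source, not SYNs per minute as pf's max-src-conn-rate does, so the state lifetimes are what make it approximate a rate.

```shell
#!/bin/sh
# Added example (not from the thread): approximate pf's "max-src-conn-rate 5/60"
# with ipfw's "limit src-addr". Assumptions: ssh on port 22, rule numbers
# 100-300 unused, "me" covers the host's IPv4 and IPv6 addresses.

# Print the ruleset for PORT allowing at most MAX tracked sessions per source.
ssh_limit_rules() {
    port=$1; max=$2
    # Match existing dynamic states first so accepted sessions run at wire speed.
    echo "ipfw -q add 100 check-state"
    # Each new SYN creates a state keyed on the source address; once MAX states
    # exist for that address, the rule itself drops further SYNs from it.
    # Long-lived interactive sessions count too, so MAX must exceed the number
    # of sessions you normally keep open from one address.
    echo "ipfw -q add 200 allow tcp from any to me $port in setup limit src-addr $max"
    # Anything else bound for the port without a state is dropped.
    echo "ipfw -q add 300 deny tcp from any to me $port in"
}

# State lifetimes decide how fast a blocked source recovers: half-open states
# (SYN seen, no handshake) expire after dyn_syn_lifetime seconds (default 20),
# established ones after dyn_ack_lifetime (default 300). A shorter SYN lifetime
# makes the cap behave more like a per-minute budget against SYN floods.
ssh_limit_sysctls() {
    echo "sysctl net.inet.ip.fw.dyn_syn_lifetime=10"
    echo "sysctl net.inet.ip.fw.dyn_ack_lifetime=300"
}

# Number of rules that enforce the per-source cap (a quick self-check).
count_limit_rules() {
    ssh_limit_rules "$1" "$2" | grep -c "limit src-addr $2"
}

# Run as root with "apply" on the FreeBSD host to install; otherwise just print.
if [ "${1:-}" = "apply" ]; then
    { ssh_limit_sysctls; ssh_limit_rules 22 5; } | sh
else
    ssh_limit_sysctls
    ssh_limit_rules 22 5
fi
```

Check the effect with `ipfw -d show` after a few connection attempts: the dynamic entries for one source address should never exceed the configured maximum.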


More information about the freebsd-ipfw mailing list