problem with PF tables

Elliott Perrin elliott at c7.ca
Mon Mar 31 12:48:48 PDT 2008


On Mon, 2008-03-31 at 12:12 -0700, Adam Vondersaar wrote:
> I have had a production machine running for 6 months now using PF to 
> block SSH brute force  attacks. What seems to happen now is that the 
> table is not staying open and PF can  not add the IP to block. I am 
> curious if anyone has ran in to such a problem. I am using the 
> expiretable port to clear the tables with a cron job and here is an 
> excerpt from  the pf.conf:
> 
> table <bruteforce> persist
>  
> block quick from <bruteforce>
> 
> pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22 \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 3/30, \
>         overload <bruteforce> flush global)
> 
> 
> 
> -Adam
> 
> 

One problem I think I can see right now is that your rule should maybe be

pass in log quick on $ext_if inet proto tcp from any to $ext_if port 22 \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 3/30, \
        overload <bruteforce> flush global)

is there a reason you are not using quick on a rule that creates state
such as this?

If you do a 

pfctl -t bruteforce -Tshow -vv 

do you see recent entries? (might want to grep on today's / yesterday's
date to see when you stopped adding addresses to the table)

I do not know what the limit on table entries is off hand but you can
also quickly see how many addresses are in the table currently by doing 

pfctl -t bruteforce -Tshow | wc -l 

Again, don't know what the limits are on number of entries in a table
but check that and post it and perhaps if Max sees it he can tell you if
you have exceeded the limit. 

Cheers,
Elliott Perrin
elliott at c7.ca
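Putting the two pfctl checks from the reply above together in one script, as an added example that is not part of the thread or of pf/expiretable: it parses the output of `pfctl -t bruteforce -T show -vv` (one address line, then a tab-indented `Cleared:` timestamp and four counter lines per entry) and of `pfctl -s memory` (which prints the `table-entries hard limit`, the global ceiling on addresses across all tables, adjustable with `set limit table-entries N` in pf.conf), counts entries, counts how many were added on a given day, and says whether the table is at the limit. The sample output embedded below is constructed to match the shape pfctl prints; the function names are mine, and on a live host you feed the real command output through them instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): diagnose an overload
# table that has stopped growing. The two samples below are CONSTRUCTED
# to mirror "pfctl -t bruteforce -T show -vv" and "pfctl -s memory".

# Constructed stand-in for: pfctl -t bruteforce -T show -vv
# "Cleared:" is when the entry's counters were last zeroed, i.e. its
# insertion time unless someone has run "pfctl -T zero" on the table.
SAMPLE_TABLE='   192.0.2.10
	Cleared:     Mon Mar 31 12:10:03 2008
	In/Block:    [ Packets: 42                 Bytes: 2520               ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.7
	Cleared:     Sun Mar 30 23:58:41 2008
	In/Block:    [ Packets: 17                 Bytes: 1020               ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   203.0.113.250
	Cleared:     Mon Mar 31 08:02:19 2008
	In/Block:    [ Packets: 9                  Bytes: 540                ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# Constructed stand-in for: pfctl -s memory
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Number of addresses in the table: every line whose first field is not one
# of the per-entry statistic labels is an address line (this also survives
# IPv6 addresses, which "$1 !~ /:$/" would miscount).
count_entries() {
    printf '%s\n' "$1" | awk '
        NF && $1 !~ /^(Cleared|In\/Block|In\/Pass|Out\/Block|Out\/Pass):$/ { n++ }
        END { print n + 0 }'
}

# Entries whose Cleared: timestamp falls on month $2 / day-of-month $3
# (ctime() spelling, e.g. Mar 31). This is the "grep on today's date" check:
# zero hits today on a box still being probed means the overload rule has
# stopped adding addresses.
entries_cleared_on() {
    printf '%s\n' "$1" | awk -v mon="$2" -v dom="$3" '
        $1 == "Cleared:" && $3 == mon && $4 + 0 == dom + 0 { n++ }
        END { print n + 0 }'
}

# Global hard limit on table entries from "pfctl -s memory"; raise it with
# "set limit table-entries N" in pf.conf if the tables are hitting it.
table_entry_limit() {
    printf '%s\n' "$1" | awk '$1 == "table-entries" { print $NF }'
}

# Compare the count with the limit. The limit is shared by all tables, so a
# status of OK here does not rule out other large tables using up the room.
table_status() {
    used=$(count_entries "$1")
    limit=$(table_entry_limit "$2")
    if [ -z "$limit" ]; then
        echo "UNKNOWN $used/?"
    elif [ "$used" -ge "$limit" ]; then
        echo "FULL $used/$limit"
    else
        echo "OK $used/$limit"
    fi
}

# Demonstration on the constructed samples. On a live host (C locale so the
# month names match ctime()), substitute the real commands, e.g.:
#   table_status "$(pfctl -t bruteforce -T show -vv)" "$(pfctl -s memory)"
#   entries_cleared_on "$(pfctl -t bruteforce -T show -vv)" "$(date +%b)" "$(date +%d)"
count_entries "$SAMPLE_TABLE"                   # 3
entries_cleared_on "$SAMPLE_TABLE" Mar 31       # 2
table_status "$SAMPLE_TABLE" "$SAMPLE_MEMORY"   # OK 3/200000
```

If the count sits at the limit, either raise `table-entries` or tighten the expiretable cron job so entries age out faster; if the count is small but nothing has been added today, the rule itself is no longer matching, which is the point Elliott's `quick` question is probing.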
