a few problems with pf

Jon Radel jon at radel.com
Wed May 14 13:51:44 UTC 2008


Reinhold wrote:

> 
> What I've also noticed is that in pf I have this rule
> pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from
> any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn 15,
> max-src-conn-rate 2/1, overload <bruteforce> flush global)
> 
> When I'm getting the bad header thingy this rule doesn't work properly. It
> lets all the traffic through but it never blocks the bad guys.

Which bad guys are you expecting to block?  I just checked a couple of 
days' worth of logs and the fastest rate at which somebody was trying to 
brute force my ssh server was 1 attempt every 2 seconds.  Your rule 
won't trigger until 2 attempts every 1 second or faster, and I don't 
think those other limits are likely to get triggered either unless you 
see a lot more "bad guys" than I do on random addresses.  I find that 
max-src-conn-rate 3/10 tends to cut off the more energetic ones.

--Jon Radel
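For reference, here is a complete overload setup built around the rule under discussion, using the 3/10 threshold Jon suggests.  This is an added example, not configuration from either poster or from the FreeBSD project; the macro names $ext_if1 and $ext_gw1 and the host 192.168.1.2 come from Reinhold's rule, while the interface name, gateway address and ssh_host macro are assumptions for illustration.  Note that the quoted rule on its own never blocks anything: an overload table only has an effect if a block rule references it, which is one thing to check before tuning the rate.

```pf
# Added example (not from the original post).  $ext_if1, $ext_gw1 and
# 192.168.1.2 are taken from the rule quoted in the thread; the interface
# name and gateway address below are assumptions for illustration.
ext_if1  = "em0"
ext_gw1  = "203.0.113.1"
ssh_host = "192.168.1.2"

# The overload table must be declared before any rule references it.
# 'persist' keeps the table even while it is empty, so pfctl can list,
# add and expire entries at any time.
table <bruteforce> persist

# Offenders are dropped here.  'quick' ends rule evaluation, so the pass
# rule further down can never re-admit an address that is in the table.
block in quick on $ext_if1 from <bruteforce>

# max-src-conn-rate 3/10: more than 3 new connections from one source
# address within 10 seconds puts that source into <bruteforce>.  The
# original 2/1 only fires at more than 2 per second; a scanner trying
# once every 2 seconds never reaches it.  max-src-conn 15 separately
# caps simultaneous connections from one source, and max 1024 caps the
# total number of states this rule may create.  'flush global' tears
# down every existing state from the offending source, not just the
# states created by this rule.
pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $ssh_host port 22 \
    keep state (max 1024, max-src-conn 15, max-src-conn-rate 3/10, \
                overload <bruteforce> flush global)
```

After loading this with `pfctl -f /etc/pf.conf`, `pfctl -t bruteforce -T show` lists the addresses that tripped the threshold, and `pfctl -t bruteforce -T expire 86400` removes entries older than a day so a mistyped password from a legitimate host does not lock it out forever.  Because the block rule comes first and is `quick`, rule order matters here: putting it after the pass rule would let the pass rule match first and defeat the table.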