Date: Fri, 5 May 2017 10:51:38 +0300
From: Dmitry Selivanov <sd@mostnet.ru>
To: Marco van Tol <marco@tols.org>, freebsd-ipfw@freebsd.org
Subject: Re: equivalent for pf's max-src-conn-rate in ipfw
Message-ID: <e877e474-31ec-1244-8f75-bc5378431ba6@mostnet.ru>
In-Reply-To: <F6AA6A38-CA06-49E8-AD8D-F6D8E4C26523@tols.org>
References: <F6AA6A38-CA06-49E8-AD8D-F6D8E4C26523@tols.org>
You can try using the "limit src-addr" keyword and maybe tune net.inet.ip.fw.dyn_syn_lifetime. See the "Examples/DYNAMIC RULES" section of ipfw(8).

05.05.2017 0:46, Marco van Tol wrote:
> Hi there,
>
> Possibly this question pops up regularly. I have tried to find the answer myself and have been unable to so far.
>
> My current way to drastically slow down ssh brute force attacks is by using the pf feature "max-src-conn-rate" with an argument of 5/60, meaning only 5 syn packets are allowed per source IP to my ssh port per minute. The rest get dropped. This works both for IPv4 and IPv6. I typically don't log in more than 5 times per minute to my hosts.
>
> I have tried several ways to get the same behaviour using ipfw and dummynet. But when combining the rules with keep-state I don't get to the point where I get wire-speed ssh connections for those that make it while keeping the number of new connections per source IP at a very low number (a few per minute).
>
> Is there an equivalent in ipfw for the pf feature max-src-conn-rate?
>
> Thank you very much in advance, please keep cc'ing me as I have not subscribed to the ipfw list yet.
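As an added illustration of the suggestion above (not code from either poster), the script below prints an ipfw ruleset that uses `limit src-addr` together with a shorter dyn_syn_lifetime. Rule numbers, the per-source limit of 5 and the 5-second SYN lifetime are assumed values; note that `limit src-addr` caps concurrent dynamic states per source rather than new connections per minute, so it approximates, not duplicates, pf's max-src-conn-rate.

```shell
#!/bin/sh
# Emit (not apply) an ipfw ruleset that caps how many dynamic states one
# source address may hold toward the SSH port. Rule numbers 1000-1020 and
# the defaults below are assumptions for this example.

# Print the ruleset for a given per-source state limit (default 5) and
# SYN-only state lifetime in seconds (default 5).
ssh_limit_rules() {
    limit="${1:-5}"
    syn_life="${2:-5}"
    cat <<EOF
# Expire half-open (SYN-only) dynamic states sooner than the default, so a
# source that never completes the handshake frees its slots quickly.
sysctl net.inet.ip.fw.dyn_syn_lifetime=${syn_life}
# Packets matching an existing dynamic state pass here at wire speed.
ipfw add 1000 check-state
# New SSH connections (IPv4 and IPv6): at most ${limit} concurrent states per
# source address; a SYN that would exceed the limit is dropped by this rule.
ipfw add 1010 allow tcp from any to me 22 in setup limit src-addr ${limit}
ipfw add 1010 allow tcp from any to me6 22 in setup limit src-addr ${limit}
# Anything else to port 22 that has no state (e.g. stray non-SYN segments).
ipfw add 1020 deny tcp from any to me 22 in
ipfw add 1020 deny tcp from any to me6 22 in
EOF
}

# When run directly, print the ruleset for review before feeding it to a shell
# on the firewall host (e.g. ssh_limit_rules 5 5 | sh).
ssh_limit_rules "${1:-5}" "${2:-5}"
```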