Message-ID: <47F137A2.70400@calarts.edu>
Date: Mon, 31 Mar 2008 12:12:34 -0700
From: Adam Vondersaar
To: freebsd-pf@freebsd.org
Subject: problem with PF tables

I have had a production machine running for 6 months now using PF to block SSH brute force attacks. What seems to happen now is that the table is not staying open and PF cannot add the IP to block. I am curious if anyone has run into such a problem.

I am using the expiretable port to clear the tables with a cron job and here is an excerpt from the pf.conf:

    table persist
    block quick from
    pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22 \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 3/30, \
        overload flush global)

-Adam