Date:      Mon, 31 Mar 2008 15:46:38 -0400
From:      Elliott Perrin <elliott@c7.ca>
To:        Adam Vondersaar <avonders@calarts.edu>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: problem with PF tables
Message-ID:  <1206992798.2108.34.camel@kensho.c7.ca>
In-Reply-To: <47F137A2.70400@calarts.edu>
References:  <47F137A2.70400@calarts.edu>

On Mon, 2008-03-31 at 12:12 -0700, Adam Vondersaar wrote:
> I have had a production machine running for 6 months now using PF to
> block SSH brute force attacks. What seems to happen now is that the
> table is not staying open and PF cannot add the IP to block. I am
> curious if anyone has run into such a problem. I am using the
> expiretable port to clear the tables with a cron job and here is an
> excerpt from the pf.conf:
> 
> table <bruteforce> persist
>  
> block quick from <bruteforce>
> 
> pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22 \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 3/30, \
>         overload <bruteforce> flush global)
> 
> 
> 
> -Adam
> 
> 

One problem I think I can see right now is that your rule should maybe be

pass in log quick on $ext_if inet proto tcp from any to $ext_if port 22
flags S/SA keep state (max-src-conn 10, max-src-conn-rate
3/30, overload <bruteforce> flush global)

Is there a reason you are not using quick on a rule that creates state
such as this?

If you do a 

pfctl -t bruteforce -Tshow -vv 

do you see recent entries? (might want to grep on today's / yesterday's
date to see when you stopped adding addresses to the table)

I do not know what the limit on table entries is off hand but you can
also quickly see how many addresses are in the table currently by doing 

pfctl -t bruteforce -Tshow | wc -l 

Again, don't know what the limits are on number of entries in a table
but check that and post it and perhaps if Max sees it he can tell you if
you have exceeded the limit. 

Cheers,
Elliott Perrin
elliott@c7.a
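An added example, not part of Elliott's reply or of PF itself, that works the check suggested above over the output of `pfctl -t bruteforce -Tshow -vv`: it counts the entries and lists those whose `Cleared:` timestamp (the time the address was added to the table) falls on a given day, so you can see when the table stopped filling. The sample output below is constructed; real pfctl output indents the detail lines with tabs, which the awk patterns tolerate.

```shell
#!/bin/sh
# Constructed sample of `pfctl -t bruteforce -Tshow -vv` output (not real data).
# Each address line is followed by a "Cleared:" line and four counter lines.
SAMPLE='   192.0.2.10
    Cleared:     Sun Mar 30 22:15:01 2008
    In/Block:    [ Packets: 12  Bytes: 720   ]
    In/Pass:     [ Packets: 0   Bytes: 0     ]
    Out/Block:   [ Packets: 0   Bytes: 0     ]
    Out/Pass:    [ Packets: 0   Bytes: 0     ]
   198.51.100.7
    Cleared:     Mon Mar 31 09:02:44 2008
    In/Block:    [ Packets: 4   Bytes: 240   ]
    In/Pass:     [ Packets: 0   Bytes: 0     ]
    Out/Block:   [ Packets: 0   Bytes: 0     ]
    Out/Pass:    [ Packets: 0   Bytes: 0     ]
   203.0.113.42
    Cleared:     Mon Mar 31 13:47:19 2008
    In/Block:    [ Packets: 9   Bytes: 540   ]
    In/Pass:     [ Packets: 0   Bytes: 0     ]
    Out/Block:   [ Packets: 0   Bytes: 0     ]
    Out/Pass:    [ Packets: 0   Bytes: 0     ]'

# Count table entries on stdin: every entry carries exactly one "Cleared:" line,
# so this is the same number as `pfctl -t bruteforce -Tshow | wc -l`.
count_entries() {
    awk '/^[[:space:]]*Cleared:/ { n++ } END { print n + 0 }'
}

# Print "address<TAB>timestamp" for every entry whose "Cleared:" timestamp
# contains the given date fragment, e.g. "Mar 31".
entries_added_on() {
    awk -v day="$1" '
        /^[[:space:]]*Cleared:/ {
            if (index($0, day)) {
                ts = $0
                sub(/^[[:space:]]*Cleared:[[:space:]]*/, "", ts)
                print addr "\t" ts
            }
            next
        }
        # Any line whose first token looks like an IPv4/IPv6 address or CIDR
        # starts a new entry; counter lines ("In/Block:" etc.) do not match.
        $1 ~ /^[0-9a-fA-F:.\/]+$/ { addr = $1 }
    '
}

# Usage: pipe live output in with `pfctl -t bruteforce -Tshow -vv | entries_added_on "Mar 31"`.
printf '%s\n' "$SAMPLE" | count_entries
printf '%s\n' "$SAMPLE" | entries_added_on "Mar 31"
```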