From: Elliott Perrin
To: Adam Vondersaar
Cc: freebsd-pf@freebsd.org
Date: Mon, 31 Mar 2008 15:46:38 -0400
Subject: Re: problem with PF tables
Message-Id: <1206992798.2108.34.camel@kensho.c7.ca>
In-Reply-To: <47F137A2.70400@calarts.edu>
References: <47F137A2.70400@calarts.edu>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, 2008-03-31 at 12:12 -0700, Adam Vondersaar wrote:
> I have had a production machine running for 6 months now using PF to
> block SSH brute force attacks. What seems to happen now is that the
> table is not staying open and PF can not add the IP to block. I am
> curious if anyone has run into such a problem. I am using the
> expiretable port to clear the tables with a cron job and here is an
> excerpt from the pf.conf:
>
> table <bruteforce> persist
>
> block quick from <bruteforce>
>
> pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22 \
>     flags S/SA keep state \
>     (max-src-conn 10, max-src-conn-rate 3/30, \
>     overload <bruteforce> flush global)
>
> -Adam

One problem I think I can see right now is that your rule should maybe be

    pass in log quick on $ext_if inet proto tcp from any to $ext_if port 22 \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 3/30, \
        overload <bruteforce> flush global)

Is there a reason you are not using quick on a rule that creates state such as this?

If you do a

    pfctl -t bruteforce -Tshow -vv

do you see recent entries? (You might want to grep on today's / yesterday's date to see when you stopped adding addresses to the table.)

I do not know what the limit on table entries is off hand, but you can also quickly see how many addresses are in the table currently by doing

    pfctl -t bruteforce -Tshow | wc -l

Again, I don't know what the limits are on the number of entries in a table, but check that and post it, and perhaps if Max sees it he can tell you if you have exceeded the limit.

Cheers,
Elliott Perrin
elliott@c7.a
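The checks Elliott suggests can be scripted. The following is an added example, not code from either poster: it parses `pfctl -t bruteforce -T show -vv` output to count entries and to count how many were added on a given day (keyed on each entry's "Cleared:" timestamp), and reads the kernel's table-entries hard limit from `pfctl -s memory` (that limit is tunable in pf.conf with `set limit table-entries N`). The table name "bruteforce" is the one from the thread; the pfctl output embedded below is constructed to match pfctl(8)'s output format so the script runs without a pf host.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for diagnosing an overload
# table that has stopped growing: how many entries it holds, how many were
# added on a given day, and how close it is to the kernel table-entries
# hard limit. The pfctl output below is constructed sample data.
#
# Live use on the pf host:
#   pfctl -t bruteforce -T show -vv | count_entries
#   pfctl -t bruteforce -T show -vv | count_entries_cleared_on "Mar 31 2008"
#   pfctl -s memory | table_entries_limit

# Total entries in "-T show -vv" output: pfctl prints one "Cleared:" line
# per address, so counting those is equivalent to "-T show | wc -l".
count_entries() {
    awk '/^[[:space:]]*Cleared:/ { n++ } END { print n + 0 }'
}

# Entries whose "Cleared:" stamp (time the entry was added, or its counters
# last zeroed) falls on the given "Mon DD YYYY" date, e.g. "Mar 31 2008".
# Field layout: Cleared: Mon Mar 31 19:48:47 2008 -> $3=Mar $4=31 $6=2008
count_entries_cleared_on() {
    awk -v want="$1" '
        /^[[:space:]]*Cleared:/ && ($3 " " $4 " " $6) == want { n++ }
        END { print n + 0 }
    '
}

# Kernel hard limit on table entries, from the "pfctl -s memory" line
# "table-entries hard limit  200000".
table_entries_limit() {
    awk '$1 == "table-entries" { print $4 }'
}

# Integer percentage of the limit in use: $1 = entry count, $2 = limit.
table_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Constructed sample of "pfctl -t bruteforce -T show -vv" (RFC 5737
# documentation addresses; the In/Pass and Out/* counter lines that pfctl
# also prints are omitted here since the parsers only key on "Cleared:").
SAMPLE_TABLE='   192.0.2.10
	Cleared:     Sun Mar 30 23:12:01 2008
	In/Block:    [ Packets: 41                 Bytes: 2460               ]
   198.51.100.7
	Cleared:     Mon Mar 31 02:47:55 2008
	In/Block:    [ Packets: 17                 Bytes: 1020               ]
   203.0.113.99
	Cleared:     Mon Mar 31 11:03:19 2008
	In/Block:    [ Packets: 9                  Bytes: 540                ]'

# Constructed sample of "pfctl -s memory".
SAMPLE_MEMORY='states        hard limit   10000
src-nodes     hard limit   10000
frags         hard limit    5000
table-entries hard limit  200000'

# Run against the constructed samples when executed directly.
total=$(printf '%s\n' "$SAMPLE_TABLE" | count_entries)
recent=$(printf '%s\n' "$SAMPLE_TABLE" | count_entries_cleared_on "Mar 31 2008")
limit=$(printf '%s\n' "$SAMPLE_MEMORY" | table_entries_limit)
printf 'entries=%s added_on_Mar_31=%s limit=%s used=%s%%\n' \
    "$total" "$recent" "$limit" "$(table_usage_pct "$total" "$limit")"
```

If the entry count sits at or near the reported limit, raising `set limit table-entries` in pf.conf (and reloading with `pfctl -f /etc/pf.conf`) is the fix; if it is nowhere near, a manual `pfctl -t bruteforce -T add 203.0.113.7` followed by `pfctl -t bruteforce -T delete 203.0.113.7` shows whether adds to the table still succeed at all.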