From: Peter Maxwell
To: claudiu vasadi
Cc: "freebsd-pf@freebsd.org"
Date: Wed, 23 Jun 2010 21:15:46 +0100
Subject: Re: can pf block a string ? or better, to limit it ?
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hmmm, off the top of my head: I wonder if you could use Snort and have that do full packet inspection for you. Then you should be able to script an alert if the string is found and call pfctl to add the offending IP address to a table that blackholes it. Just a thought.

Or if you want to do it "properly", I'm sure you could code something along the lines of a kernel module.

On 23 June 2010 20:30, claudiu vasadi wrote:

> On Wed, Jun 23, 2010 at 9:18 PM, no name wrote:
>
> > i can't recall it, was dc tcp or udp based?
>
> "dc" ????
>
> The number of possible connections in a specific time frame does not help
> if I have ~200-500 authentications requests/sec and I get 100-300 attacks
> (D/DOS) per sec. I thought about that one long ago, and no matter on which
> side I turn the problem, I always end up at the "impossible to filter
> strings" wall.
>
> I know iptables can do it but a couple of months ago when I was asked to
> conf. a linux box I went completely mad trying to learn iptables's syntax
> (god it's ugly). This is why I would prefer to avoid linux here. Plus, I'm
> dealing with pf way longer than iptables and linux for that matter (it was
> ~6 years ago when I worked with linux last time)
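
The Snort-plus-pfctl approach suggested in the message above, as an added example that is not part of the original post. It assumes Snort writes alert_fast lines; the table name `blackhole`, the rule SID `1000001`, the variable names and the sample alert line are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): Snort "fast" alert lines in, pf table entries out.
# Assumed pf.conf lines (table name is hypothetical):
#   table <blackhole> persist
#   block drop in quick from <blackhole>
TABLE="${TABLE:-blackhole}"   # hypothetical pf table name
SID="${SID:-1000001}"         # hypothetical SID of the local Snort rule matching the string
PFCTL="${PFCTL:-pfctl}"       # set PFCTL=echo for a dry run
ALLOW="${ALLOW:-}"            # space-separated addresses that must never be blocked

# Constructed sample line in Snort's alert_fast format (documentation addresses).
SAMPLE='06/23-20:15:46.123456  [**] [1:1000001:1] LOCAL blocked string seen [**] [Priority: 0] {TCP} 203.0.113.5:51234 -> 192.0.2.10:411'

# Print the IPv4 source of an alert line, but only for alerts raised by rule $SID.
alert_src() {
    printf '%s\n' "$1" | sed -n -E \
        "s/^.*\[[0-9]+:${SID}:[0-9]+\].*\} ([0-9]{1,3}(\.[0-9]{1,3}){3})(:[0-9]+)? -> .*$/\1/p"
}

# Handle one alert line: prints "block <ip>", "skip <ip>" (allowlisted) or nothing.
handle_alert() {
    ip=$(alert_src "$1")
    [ -n "$ip" ] || return 0
    for a in $ALLOW; do
        if [ "$a" = "$ip" ]; then echo "skip $ip"; return 0; fi
    done
    if $PFCTL -t "$TABLE" -T add "$ip" >/dev/null 2>&1; then
        echo "block $ip"
    else
        echo "pfctl failed for $ip" >&2
    fi
}

case "${1:-}" in
    watch) while IFS= read -r line; do handle_alert "$line"; done ;;
    demo)  PFCTL=echo; handle_alert "$SAMPLE" ;;
esac
```

Run it as `tail -F <snort alert file> | sh <script> watch`, or with `demo` to see the decision for the sample line without touching pf. Source addresses of UDP traffic can be forged, so keep the allowlist populated with hosts that must stay reachable before letting alerts drive the table.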