Date: Tue, 11 Feb 2014 18:58:40 +0100
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Subject: Re: pf block IP immediately
Message-ID: <877g91tttb.fsf@deeperthought.bsdly.net>
In-Reply-To: <52FA3CA9.30806@lissyara.su> (skeletor@lissyara.su's message of "Tue, 11 Feb 2014 17:07:21 +0200")
References: <52FA3CA9.30806@lissyara.su>
"skeletor@lissyara.su" <skeletor@lissyara.su> writes:

> I have a FreeBSD 9.2 amd64 with pf (built in kernel).
> Can pf block some IP (sessions) immediately? The next rule can block only
> new sessions, but current open sessions stay open as long as they are open by IP
>
> block quick from X.X.X.X to any
> block quick from any to X.X.X.X
>
> Also, I can do pfctl -F sessions, but it flushes all sessions of all users.

As already mentioned by others, you can kill state table entries with

  pfctl -k $host

But that doesn't necessarily block outright. If you want to block offenders based on some kind of identifiable behavior, you may want to look into setting up something with state tracking options and overload tables, much like the trap for rapid-fire brute force ssh groping (http://home.nuug.no/~peter/pf/en/bruteforce.html). But the technique is a general one and not limited to ssh or indeed to any specific protocol.

Possible variations include setting up tiny queues, adding entries to the table of addresses you block manually, scripting the same based on parsing log files and probably a few more, limited only by your imagination.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
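The state-tracking-with-overload-table approach described above, written out as a pf.conf fragment. This is an added example, not part of the original message or of the linked tutorial; the interface name, table name and thresholds are assumptions.

```pf
# Added example (not from the original message). Interface name,
# table name and thresholds are assumptions; adjust to the host.
ext_if = "em0"               # assumed external interface
table <bruteforce> persist   # sources that tripped the overload rule

# Anything in the table is dropped on sight, in both directions.
# These rules alone would still leave already-open states alive,
# which is exactly the problem the question describes.
block quick from <bruteforce>
block quick to <bruteforce>

# Allow ssh, but watch each source address: more than 15 simultaneous
# states, or more than 5 new connections within 3 seconds, adds the
# source to <bruteforce>. "flush global" also tears down every state
# that source already holds, so the block takes effect immediately.
pass in on $ext_if proto tcp to port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

# The same table can be managed by hand or from a log-parsing script:
#   pfctl -t bruteforce -T add 192.0.2.10   # block this address now
#   pfctl -k 192.0.2.10                      # kill its existing states
#   pfctl -t bruteforce -T show              # list current entries
#   pfctl -t bruteforce -T expire 86400      # drop entries older than a day
```

The overload mechanism is not tied to ssh; the same `keep state (...)` options work on any pass rule, so the thresholds can be tuned per service.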