From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Subject: Re: pf block IP immediately
Date: Tue, 11 Feb 2014 18:58:40 +0100
In-Reply-To: <52FA3CA9.30806@lissyara.su> (skeletor@lissyara.su's message of "Tue, 11 Feb 2014 17:07:21 +0200")
Message-ID: <877g91tttb.fsf@deeperthought.bsdly.net>

"skeletor@lissyara.su" writes:

> I have a FreeBSD 9.2 amd64 with pf (built into the kernel).
> Can pf block some IP (sessions) immediately? The following rules can block only
> new sessions, but currently open sessions stay open as long as they are open by IP:
>
> block quick from X.X.X.X to any
> block quick from any to X.X.X.X
>
> Also, I can do pfctl -F sessions, but it flushes all sessions of all users.
As already mentioned by others, you can kill state table entries with

    pfctl -k $host

But that doesn't necessarily block outright. If you want to block offenders based on some kind of identifiable behavior, you may want to look into setting up something with state tracking options and overload tables, much like the trap for rapid-fire brute force ssh groping (http://home.nuug.no/~peter/pf/en/bruteforce.html). But the technique is a general one and not limited to ssh or indeed to any specific protocol.

Possible variations include setting up tiny queues, adding entries to the table of addresses you block manually, scripting the same based on parsing log files and probably a few more, limited only by your imagination.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
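As an added illustration of the state-tracking and overload-table approach described in the reply above (this fragment is not from the original message or from the linked article), a pf.conf excerpt for FreeBSD 9.x; the interface name, the table name, the thresholds and the 192.0.2.10 address are assumed values:

```pf
# Added example: state tracking options with an overload table.
# $ext_if, the table name, the thresholds and 192.0.2.10 are assumed values.
ext_if = "em0"

# Persistent table that survives rule reloads; addresses land here either
# automatically (overload below) or by hand with pfctl -t bruteforce -T add.
table <bruteforce> persist

# Drop everything from listed addresses before any pass rule is evaluated.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but trip the trap on abusive connection patterns:
#   max-src-conn 15        at most 15 simultaneous states per source
#   max-src-conn-rate 5/3  at most 5 new connections per 3 seconds per source
#   overload <bruteforce>  add the offending source to the table
#   flush global           and kill ALL of that source's existing states,
#                          not just the ones created by this rule, which is
#                          what makes the block take effect immediately.
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Manual operation of the same table (run as root). Adding an address by hand
# does not touch existing states, so follow it with pfctl -k as the reply says:
#   pfctl -t bruteforce -T add 192.0.2.10    # block a host by hand
#   pfctl -k 192.0.2.10                      # kill its existing states as source ...
#   pfctl -k 0.0.0.0/0 -k 192.0.2.10         # ... and as destination
#   pfctl -t bruteforce -T show              # list blocked addresses
#   pfctl -t bruteforce -T expire 86400      # drop entries older than a day
```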