From: GreenX FreeBSD <freebsd@azimut-tour.ru>
To: freebsd-pf@freebsd.org
Date: Mon, 15 May 2006 08:24:06 +0400
Subject: promt solution with max-src-conn-rate
Message-ID: <44680266.2090007@azimut-tour.ru>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I want to do the following: for the ssh port to open for a certain IP, it is first necessary to knock on another port.

For now I have written rules like these:

    block all
    pass in quick on $int_if inet proto tcp from any to $int_if port http keep state (max-src-conn-rate 1/60, overload )
    pass quick inet proto tcp from to $int_if port ssh

They work, but there are some things that do not suit me:

- If I change port http to any other empty port (on the http port I have a working apache), the source IP does not get into the table, though the state is created.
- It is necessary to knock two times :) since max-src-conn-rate does not allow setting zero.

Has somebody been engaged in similar distortions? Or does somebody know how to solve this task in another way with PF?

Best regards,
GReenX.
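As an added example (not the rules from the post above), here is the knock-to-open setup described in the message written out as a complete pf.conf fragment; the table name <knock> and the interface name em0 are assumptions, the knock port http and $int_if come from the post.

```pf
# Added example, not the poster's configuration.
int_if = "em0"            # assumed internal interface name

table <knock> persist     # assumed table name; persist keeps it across reloads

block all

# The knock: every TCP connection to port http on $int_if creates a state
# that pf counts per source address. With max-src-conn-rate 1/60 the limit
# is exceeded by the SECOND connection inside 60 seconds, and only then is
# the source added to <knock>. The rate cannot be 0, which is why a single
# knock is never enough (the post's second point).
# Per pf.conf(5), overload acts on connections that completed the 3-way
# handshake, so the knock port must have a listener such as apache; a
# closed port creates a state but never an established connection (the
# post's first point).
pass in quick on $int_if inet proto tcp from any to $int_if port http \
    keep state (max-src-conn-rate 1/60, overload <knock>)

# Only sources already in <knock> may reach ssh; everything else is blocked.
pass in quick on $int_if inet proto tcp from <knock> to $int_if port ssh \
    keep state

# Checks from the shell (run as root):
#   pfctl -t knock -T show          # which sources have knocked
#   pfctl -t knock -T expire 3600   # drop entries idle for over an hour
```

The expire command is worth running from cron so that a knocked-open source does not keep ssh access indefinitely.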