Date:      Fri, 12 Mar 2021 08:25:45 +0300
From:      Max <maximos@als.nnov.ru>
To:        freebsd-pf@freebsd.org
Subject:   Re: pflog and reason
Message-ID:  <82340a4c-619a-8efd-687c-ab0ecb9f65ef@als.nnov.ru>
In-Reply-To: <87a76e48-aa9f-f1e2-f303-92d2ee9576fb@sentex.net>
References:  <87a76e48-aa9f-f1e2-f303-92d2ee9576fb@sentex.net>

You can use the overload option.
"With the overload <table> state option, source IP addresses which hit 
either of the limits on established connections will be added to the 
named table."

pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep state \
    (max-src-conn-rate 15/86400, overload <rdp-bruteforce> flush global)

# pfctl -t rdp-bruteforce -vTs
    222.214.161.232
         Cleared:     Thu Mar  4 08:09:50 2021

According to https://www.freebsd.org/cgi/man.cgi?query=pcap-filter&sektion=7
        reason code
           True if the packet was logged with the specified PF reason code.
           The known codes are: match, bad-offset, fragment, short, normalize,
           and memory (applies only to packets logged by OpenBSD's or
           FreeBSD's pf(4)).

11.03.2021 22:17, mike tancsa writes:
> I am trying to track down the IPs that are hitting my src limits, but I
> don't see them logged. According to
>
> https://www.freebsd.org/cgi/man.cgi?query=pflogd&sektion=8
>
> I should be able to see the reason something got blocked
>
> e.g. if I have something like
>
>
> pass in log on $outside_nic proto tcp from any to $http_server port 80
> keep state (max 25 max-src-conn-rate 2/60)
>
> How would I find the IP that is tripping up the max state rule or
> max-src-conn-rate ?
>
> Looking at
>
> pfctl -sinfo -v
>
> Limit Counters
>    max states per rule               293319            0.2/s
>    max-src-states                         0            0.0/s
>    max-src-nodes                          0            0.0/s
>    max-src-conn                           0            0.0/s
>    max-src-conn-rate                  10273            0.0/s
>    overload table insertion               0            0.0/s
>    overload flush states                  0            0.0/s
>
> The counters are increasing, but I never see it in pflog
>
> tcpdump -tttt -nei pflog0 -s0 reason state-limit or reason src-limit
>
>      ---Mike
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
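A complete pf.conf fragment that ties the pieces of this thread together, added here as an illustration and not taken from either poster's configuration. It keeps Max's pass rule and macro names ($if_lan, $rdp_int) and adds what the thread does not show: the table declaration and a block rule that actually drops traffic from the overloaded sources (the overload option only inserts addresses into the table; nothing is blocked until a rule references it). The macro values, the `persist` keyword and the block rule are my additions.

```pf
# Constructed example (not from the thread): automatic blocking of sources
# that trip max-src-conn-rate on an RDP forward. $if_lan and $rdp_int follow
# the rule quoted above; the values below are placeholders for the site.
if_lan  = "em1"
rdp_int = "192.0.2.10"

# The overload target. 'persist' keeps the table and its entries defined even
# while no loaded rule references it, so it survives a ruleset reload.
table <rdp-bruteforce> persist

# Sources already in the table are dropped before the pass rule is reached.
# Both rules are 'quick', so this one has to come first.
block out log quick on $if_lan proto tcp from <rdp-bruteforce> to $rdp_int port rdp

# More than 15 new connections from one source within 86400 s (one day)
# inserts that source into <rdp-bruteforce>. 'flush global' additionally kills
# every state the offending source holds, on any rule, not only on this one.
pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep state \
    (max-src-conn-rate 15/86400, overload <rdp-bruteforce> flush global)
```

Whether the overload is firing at all shows up in the "overload table insertion" line of `pfctl -sinfo -v`; in the counters quoted above it is 0 because the rule there has no overload option. Table contents can be listed with `pfctl -t rdp-bruteforce -T show` (or `-vTs` as above, which adds the Cleared timestamps), a single address removed with `pfctl -t rdp-bruteforce -T delete <addr>`, and stale entries aged out with `pfctl -t rdp-bruteforce -T expire 86400`, which deletes entries whose statistics were cleared more than the given number of seconds ago.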