From nobody Thu Aug 25 11:12:39 2022
X-Original-To: pf@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MD0gV6FXQz4ZHN5
	for <pf@mlmmj.nyi.freebsd.org>; Thu, 25 Aug 2022 11:12:54 +0000 (UTC)
	(envelope-from marcel@herrbischoff.com)
Received: from mailpod.herrbischoff.com (mailpod.herrbischoff.com [157.90.240.191])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mailpod.herrbischoff.com", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4MD0gT6mXpz3wrT
	for <pf@freebsd.org>; Thu, 25 Aug 2022 11:12:53 +0000 (UTC)
	(envelope-from marcel@herrbischoff.com)
Received: from mailpod.herrbischoff.com (localhost [127.0.0.1])
	by mailpod.herrbischoff.com (OpenSMTPD) with ESMTP id efc5f155
	for <pf@freebsd.org>;
	Thu, 25 Aug 2022 13:12:44 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=herrbischoff.com; h=date
	:from:to:subject:message-id:references:mime-version:content-type
	:in-reply-to; s=hrbf; bh=ntiLDdTBmBwOUnxGPotPpbehjLq/hAJeo3G9WBA
	UJ4Y=; b=gcLLBNXH87iekuoV+ikMR17vPwidcXSkFpdJuY63kDZF4gbwooT4vDY
	QFW4t4hxN/LJsvy1mE77oCE4RxDcPRIhjd8/qhWk48sToYT0kV36aSo80OeNXCPz
	gBvpEB+NGirha8QXnvDSo7fqJHdVKKIEMisFvtZTQk+cz9PlKIOdPLjMwsPMrpdp
	vwTq68AAuw8kpOhNkdZYdBD+EUi7svTXHljOiJMur2PP+BkPIS1ikfMG1pYk59H7
	+EMX1jC3YPuSQCJVdH3E+NIsmxvg2nzFczUBvyQ/2mj91QS8549ci3rtvgZLq+hv
	TA7PiiKSoYL9zWrUAN2dwgwMMO4iWAQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=herrbischoff.com; h=date
	:from:to:subject:message-id:references:mime-version:content-type
	:in-reply-to; q=dns; s=hrbf; b=Us8gnPdT29pg80rkDqX9VjfwppKXiSgW5
	IHKkDemE9jA6FVNYdD2izbyqvU9wXYlgFe0BL6nHmcp2ie5ICtN2A8cBFHdEmC8n
	WQFJdnjtiXiCunEHwTRctpPuu1wdn7Jv7Jly5Cm68OSy9whVmD/iw5+b6hOl4vZS
	HOWMdi+ZgxbXV4mHLxsQBc9pZm2MgpW7y4r67PGhPzpFi8312KH48USJYpIMUqHe
	nqyXcISLPsF3M+DQfvxAth54ZBC4UjTRc5fEVrAaXfT3mDGCLhxyj0uAZ+Ojic9D
	J/2QXKfW3du5XPLFQ1Sd47o0h8pB/2Lu72PzmgW5LlibE9jNudXKw==
Received: 
	by mailpod.herrbischoff.com (OpenSMTPD) with ESMTPSA id 64e0ef88 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) auth=yes user=marcel@herrbischoff.com
	for <pf@freebsd.org>;
	Thu, 25 Aug 2022 13:12:43 +0200 (CEST)
Date: Thu, 25 Aug 2022 13:12:39 +0200
From: Marcel Bischoff <marcel@herrbischoff.com>
To: pf@freebsd.org
Subject: Re: How to apply brute force rate limitings with rdr and pass rules
 under FreeBSD 13?
Message-ID: <YwdZJ0PloBTQG/ju@herrbischoff.com>
References: <PRAP251MB0567D1AA046EAE25E55B64F2DB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
 <80c07d5f-0fe3-03b5-28ed-b714ffa9438a@plan-b.pwste.edu.pl>
 <PRAP251MB056721E70D0440A99E8612FFDB729@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
 <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl>
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
List-Help: <mailto:pf+help@freebsd.org>
List-Post: <mailto:pf@freebsd.org>
List-Subscribe: <mailto:pf+subscribe@freebsd.org>
List-Unsubscribe: <mailto:pf+unsubscribe@freebsd.org>
Sender: owner-freebsd-pf@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <59f85cee-aa5f-f59b-a31d-f2c146eeb086@plan-b.pwste.edu.pl>
X-Rspamd-Queue-Id: 4MD0gT6mXpz3wrT
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=herrbischoff.com header.s=hrbf header.b=gcLLBNXH;
	dmarc=pass (policy=reject) header.from=herrbischoff.com;
	spf=pass (mx1.freebsd.org: domain of marcel@herrbischoff.com designates 157.90.240.191 as permitted sender) smtp.mailfrom=marcel@herrbischoff.com
X-Spamd-Result: default: False [-5.00 / 15.00];
	DWL_DNSWL_MED(-2.00)[herrbischoff.com:dkim];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	SUBJECT_ENDS_QUESTION(1.00)[];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-1.000];
	DMARC_POLICY_ALLOW(-0.50)[herrbischoff.com,reject];
	R_DKIM_ALLOW(-0.20)[herrbischoff.com:s=hrbf];
	R_SPF_ALLOW(-0.20)[+mx];
	MIME_GOOD(-0.10)[text/plain];
	MLMMJ_DEST(0.00)[pf@freebsd.org];
	MIME_TRACE(0.00)[0:+];
	ASN(0.00)[asn:24940, ipnet:157.90.0.0/16, country:DE];
	DKIM_TRACE(0.00)[herrbischoff.com:+];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	FROM_HAS_DN(0.00)[];
	FREEFALL_USER(0.00)[marcel];
	ARC_NA(0.00)[];
	RCVD_COUNT_THREE(0.00)[3];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[pf@freebsd.org];
	TO_DN_NONE(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	MID_RHS_MATCH_FROM(0.00)[]
X-ThisMailContainsUnwantedMimeParts: N

On 22/08/25, Marek Zarychta wrote:
>Unfortunately, I know of no real modern, decent PF-FAQ for FreeBSD. 

Same here. I wondered several times why that is. PF on FreeBSD is quite 
different from PF on OpenBSD, so the latter's documentation often gets 
you just halfway there.

Does anyone know of (and would care to share) a collection of annotated 
examples, covering common pitfalls as well?

/\/\