From owner-freebsd-pf@FreeBSD.ORG Wed May 14 15:15:46 2008
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 312BE106566B; Wed, 14 May 2008 15:15:46 +0000 (UTC) (envelope-from freebsd@violetlan.net)
Received: from mail.violetlan.net (mail.violetlan.net [80.81.242.7]) by mx1.freebsd.org (Postfix) with ESMTP id EA9678FC14; Wed, 14 May 2008 15:15:45 +0000 (UTC) (envelope-from freebsd@violetlan.net)
Received: from mail.violetlan.net (localhost [127.0.0.1]) by mail.violetlan.net (Postfix) with ESMTP id D063D11460; Wed, 14 May 2008 16:12:21 +0100 (BST)
Received: from www.violetlan.net (mbali.violetlan.net [10.0.100.150]) by mail.violetlan.net (Postfix) with ESMTP id 857181142B; Wed, 14 May 2008 16:12:21 +0100 (BST)
Received: from 217.41.34.61 (SquirrelMail authenticated user freebsd@violetlan.net) by www.violetlan.net with HTTP; Wed, 14 May 2008 16:10:21 +0100 (BST)
Message-ID: <58644.217.41.34.61.1210777821.squirrel@www.violetlan.net>
In-Reply-To: <482AEE64.8020209@radel.com>
References: <63902.217.41.34.61.1210768578.squirrel@www.violetlan.net> <482AEE64.8020209@radel.com>
Date: Wed, 14 May 2008 16:10:21 +0100 (BST)
From: "Reinhold"
To: "Jon Radel", freebsd-pf@freebsd.org
User-Agent: SquirrelMail/1.5.1
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Subject: Re: a few problems with pf
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Wed, 14 May 2008 15:15:46 -0000

On Wed, May 14, 2008 14:51, Jon Radel wrote:
> Reinhold wrote:
>
>> What I've also noticed is that in pf I have this rule
>> pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp
>> from any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn 15,
>> max-src-conn-rate 2/1, overload flush global)
>>
>> When I'm getting the bad header thingy this rule doesn't work properly. It
>> lets all the traffic through but it never blocks the bad guys.
>
> Which bad guys are you expecting to block? I just checked a couple
> days' worth of logs and the fastest rate at which somebody was trying to
> brute force my ssh server was 1 attempt every 2 seconds. Your rule won't
> trigger until 2 attempts every 1 second or faster, and I don't think those
> other limits are likely to get triggered either unless you see a lot more
> "bad guys" than I do on random addresses. I find that
> max-src-conn-rate 3/10 tends to cut off the more energetic ones.
>
> --Jon Radel
>

I have almost the same rule on one of my 6.3 systems with 2/1 set and
yesterday it caught 6 bad guys and today 2. I've made the change as you
recommended. I actually was looking at an ssh attempt earlier this week and
it was connecting at about 3 to 4 per second.
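For reference, here is the complete pf.conf overload pattern that a pass rule like the one quoted above depends on, written as an added example rather than taken from either poster's configuration. The table name, macro values, gateway address and the ssh host are assumptions.

```pf
# Added example, not from the thread. Values below are placeholders;
# adjust the interface, gateway, host and table name to the local setup.
ext_if1  = "em0"
ext_gw1  = "203.0.113.1"      # placeholder upstream gateway
ssh_host = "192.168.1.2"

# Sources that exceed the limits are added to this table by "overload".
# "persist" keeps the table in the kernel even when it is empty.
table <ssh_bruteforce> persist

# The overload option only records offenders; they are refused only if a
# rule consults the table. Because both rules use "quick", this block rule
# must come before the pass rule.
block in log quick on $ext_if1 from <ssh_bruteforce> to any

# 3/10 (the rate suggested in the reply) trips after 3 new connections
# from one source within 10 seconds. 2/1 needs 2 within a single second,
# which a scanner arriving at one attempt every 2 seconds never reaches.
# "flush global" tears down every existing state from the offending source.
pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
    proto tcp from any to $ssh_host port 22 \
    keep state (max 1024, max-src-conn 15, \
                max-src-conn-rate 3/10, \
                overload <ssh_bruteforce> flush global)

# Operator checks, run from a shell as root:
#   pfctl -t ssh_bruteforce -T show          # sources currently blocked
#   pfctl -t ssh_bruteforce -T expire 86400  # drop entries older than a day
#   pfctl -s Sources                         # per-source tracking counters
```

Entries added by overload stay in the table until expired or deleted, so a periodic `pfctl -T expire` from cron is what turns the block into a timed ban.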