On Fri, Mar 05, 2010 at 05:04:03PM +0000, Matthew Seaman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/03/2010 16:54:50, Matthias Fechner wrote: > > Hi, > > > > Am 05.03.10 17:01, schrieb Matthew Seaman: > >> table <ssh-bruteforce> persist > >> [...near the top of the rules section...] > >> block drop in log quick on $ext_if from<ssh-bruteforce> > >> > >> [...later in the rules section...] > >> pass in on $ext_if proto tcp \ > >> from any to $ext_if port ssh \ > >> flags S/SA keep state \ > >> (max-src-conn-rate 3/30, overload<ssh-bruteforce> flush global) > >> > > > > that is dangarous, if you use subversion over ssh you will sometimes get > > more then 10 requests in 30 seconds. > > That means you will also block users they are allowed to connect. > > Yes. Almost all of the time I use this I've also had a ssh-whitelist > table -- addresses that will never be blocked in this way. Like this: > > table <ssh-bruteforce> persist > table <ssh-whitelist> const { \ > 81.187.76.160/29 \ > 2001:8b0:151:1::/64 \ > } persist > > block drop in log quick on $ext_if from <ssh-bruteforce> > > pass in on $ext_if proto tcp \ > from <ssh-whitelist> to $ext_if port ssh \ > flags S/SA keep state > > pass in on $ext_if proto tcp \ > from !<ssh-whitelist> to $ext_if port ssh \ > flags S/SA keep state \ > (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global) >
Ah. I see. That's clever. Rather than "overriding" the bruteforce list, which would require getting rid of "quick", you use whitelist to prevent things from ever going into the bruteforce table. Nice! I have just switched to pf from ipfw, so I am still learning the nuances and style points. -- John Lind j...@starfire.mn.org _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"