Chris,

Your /etc/bruteforce file will be read when pf loads its rules. IPs added to the "bruteforce" table through the overload directive will _not_ be added to the /etc/bruteforce text file.

Can you see IPs in the "bruteforce" table?

  pfctl -t bruteforce -T show

If you want to dump those IPs from the table to the text file you can always do "pfctl -t bruteforce -T show >> /etc/bruteforce".

Hope this helps.

OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference

On Wed, Apr 16, 2008 at 12:20:38PM +1000, Chris wrote:
>I have some rules in my pf.conf for ssh brute force where it should
>block and log the offending IP address in /etc/bruteforce file. I also
>told syslog to log all ssh logging in /var/log/sshd. I can see some
>failed logins in /var/log/sshd but my /etc/bruteforce file is still
>empty. Here's my pf.conf -
>
>
>ext_if = "fxp0"
>
>tcp_services = "{80, 443, 123}"
>udp_services = "{123}"
>icmp_services = "{echo_req}"
>
>set block-policy drop
>set loginterface $ext_if
>
>scrub in all fragment reassemble
>scrub out all random-id fragment reassemble
>
>block all
>pass quick on lo0 all
>pass out quick on lo0 all
>
>table <bruteforce> persist file "/etc/bruteforce"
>
>block quick from <bruteforce>
>antispoof log for { lo0, $ext_if }
>
>block drop in quick log on $ext_if inet6 all
>
>pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
>$tcp_services flags S/SA keep state
>pass in on $ext_if inet proto tcp from any to ($ext_if) port $udp_services
>
>pass inet proto tcp from any to any port ssh \
>flags S/SA keep state \
>(max-src-conn 10, max-src-conn-rate 5/3, \
>overload <bruteforce> flush global)
>
>pass out log on $ext_if inet proto tcp from any to any port $tcp_services
>
>block drop in quick on $ext_if from any to {255.255.255.255, 192.168.25.255}
>block drop out quick on $ext_if inet proto icmp from any to {192.168.25.1}
>
>block quick from any os NMAP
>
>pass out log on $ext_if proto { tcp, udp, icmp } all keep state
>
>block drop out quick log on $ext_if inet proto tcp from any to port 22
>
>Here's what I can see on my /var/log/sshd -
>
>Invalid user test from xxx.xx.xx.xx
>input_userauth_request: invalid user test
>Failed password for invalid user test from xxx.xx.xx.xx port 43734 ssh2
>
>Is there anything I am doing wrong in my pf.conf? Thanks for any help.
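The persist file is only read when the ruleset is loaded, so the table contents have to be written out by hand, as the reply above suggests. Appending with ">>" on every run, however, leaves a duplicate line for each address that was already in the file. The script below is an added example, not code from either poster or from the Calomel page; it assumes the table name "bruteforce" and the path /etc/bruteforce from Chris's pf.conf, keeps any comment lines in the file, and unions the live table with the file instead of appending. Only dump_table calls pfctl; merge_addrs reads addresses on stdin so it can be exercised without a running pf.

```sh
#!/bin/sh
# Added example (not from the thread): merge the live <bruteforce> table into
# its persist file without the duplicates a bare ">>" produces on every run.
# Table name and file path are the ones from Chris's pf.conf (assumption).

# dump_table TABLE: print the current members of a pf table, one per line.
# pfctl indents each address; strip the leading whitespace so the output
# matches the one-address-per-line format pf expects in a persist file.
dump_table() {
    pfctl -t "$1" -T show | sed 's/^[[:space:]]*//'
}

# merge_addrs FILE: read addresses on stdin, union them with the addresses
# already in FILE, and write FILE back sorted and de-duplicated. Comment
# lines ("#...") in FILE are preserved at the top. Prints the number of
# address lines written, so the caller can log how big the table has grown.
merge_addrs() {
    file=$1
    tmp=$(mktemp) || return 1
    [ -f "$file" ] || : > "$file"
    # keep the existing comment header, if any
    grep '^#' "$file" > "$tmp" || true
    {
        grep -v '^#' "$file" || true   # existing addresses
        cat                            # addresses from stdin (the live table)
    } | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v '^$' | sort -u >> "$tmp"
    mv "$tmp" "$file"
    grep -vc '^#' "$file" || true
}

# Typical use on the firewall (hypothetical usage, as root):
#   dump_table bruteforce | merge_addrs /etc/bruteforce
```

Because the merge is idempotent, it is safe to run from cron; a second run with no new offenders leaves the file unchanged. Note that a `flush global` overload entry stays in the in-kernel table until it is removed, so the file will grow until you prune it deliberately.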