You can use overload option.
"With the overload <table> state option, source IP addresses which hit
either of the limits on established connections will be added to the
named table."
pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep
state \
(max-src-conn-rate 15/86400, overload <rdp-bruteforce> flush global)
# pfctl -t rdp-bruteforce -vTs
222.214.161.232
Cleared: Thu Mar 4 08:09:50 2021
According to https://www.freebsd.org/cgi/man.cgi?query=pcap-filter&sektion=7
reason code
True if the packet was logged with the specified PF reason code.
The known codes are: match, bad-offset, fragment, short,
normal-
ize, and memory (applies only to packets logged by
OpenBSD's or
FreeBSD's pf(4)).
11.03.2021 22:17, mike tancsa пишет:
I am trying to track down the IPs that are hitting my src limits, but I
dont seem them logged. According to
https://www.freebsd.org/cgi/man.cgi?query=pflogd&sektion=8
I should be able to see the reason something got blocked
e.g. if I have something like
pass in log on $outside_nic proto tcp from any to $http_server port 80
keep state (max 25 max-src-conn-rate 2/60)
How would I find the IP that is tripping up the max state rule or
max-src-conn-rate ?
Looking at
pfctl -sinfo -v
Limit Counters
max states per rule 293319 0.2/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 10273 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
The counters are increasing, but I never see it in pflog
tcpdump -tttt -nei pflog0 -s0 reason state-limit or reason src-limit
---Mike
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
