On 2018-12-20, Steve Fairhead <st...@fivetrees.com> wrote:
> On 20/12/2018 13:20, tors...@cnc-london.net wrote:
>> Try to add below to your pf.conf
>>
>> table <bruteforce> persist
>>
>> pass in on $ext_if inet proto tcp from any to $ext_if port 1194 \
>> (max-src-conn 10, max-src-conn-rate 30/5, \
>> overload <bruteforce> flush global)
>
> This is pretty much exactly what I have for ssh scanners (with different
> limits). Aha!
>
> On 20/12/2018 13:20, pe...@bsdly.net wrote:
> > The good thing about the pf.conf state tracking options is that they're
> > service agnostic.
>
> That's the bit I wasn't entirely sure about - thanks. Makes sense now -
> of course! It's nothing to do with service, just connections. D'oh!
>
> I now have a cunning plan, a plan so cunning etc etc. Thanks to all who
> responded, on- and off-list.
That works for TCP. If you're running openvpn over UDP, as most people do, options are more limited - max-src-conn and max-src-conn-rate are not available. See the pf.conf manual for reasons.
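An added pf.conf sketch, not posted by anyone in the thread, showing the piece the quoted rule leaves out (the overload option only fills the table, so a rule must reference it before anything is blocked) and the UDP side discussed above, where only max-src-states remains as a per-source limit. The interface name, port and limits are assumed values.

```pf
# Added example, not from the thread. ext_if, port 1194 and the limits are assumed.
ext_if = "em0"

# overload <table> only adds offending sources to the table; nothing is
# dropped until a rule references it. "quick" ends evaluation for them.
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>

# TCP listener: max-src-conn and max-src-conn-rate count completed 3-way
# handshakes, which is why they exist only for proto tcp. "flush global"
# also removes the offender's existing states created by any rule.
pass in on $ext_if inet proto tcp from any to $ext_if port 1194 \
    keep state (max-src-conn 10, max-src-conn-rate 30/5, \
    overload <bruteforce> flush global)

# UDP listener: max-src-conn and max-src-conn-rate are rejected here.
# max-src-states still applies; it caps how many simultaneous states one
# source may hold, a ceiling rather than a rate, so it is a weaker control.
pass in on $ext_if inet proto udp from any to $ext_if port 1194 \
    keep state (max-src-states 10)

# Operational checks from a root shell:
#   pfctl -nf /etc/pf.conf               parse-only check before loading
#   pfctl -t bruteforce -T show          list sources currently trapped
#   pfctl -t bruteforce -T expire 86400  drop entries older than one day
```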