On 01/08/19 18:08, tomr wrote:

On 1/9/19 12:42 PM, Jordan Geoghegan wrote:
Yikes. Everything you are (erroneously) trying to do here can be done
without leaving your pf.conf.

Remember, KISS.

Is there a way to add an address to a table from within a rule, or
something to that effect? I can't see such an option. A la...

block in quick on $ext_if to any port ! { $allowed_ports } add-to <badguys>


(Otherwise I don't see how the whole show could be completed without
logging, monitoring the log, then running pfctl, i.e. with leaving your
pf.conf)

Without wasting too much time on this, the "overload" example from the pf.conf man page could be pretty easily adapted to meet the specified needs:

pass in on egress proto tcp to egress port 22 keep state (max-src-conn-rate 1/10, overload <bad_host> flush global)

or to copy basically verbatim from the man page, (with only the src-conn-rate and port number adjusted):

block quick from <bad_hosts>
pass in on $ext_if proto tcp to $webserver port ssh keep state \
      (max-src-conn-rate 1/10, overload <bad_hosts> flush global)


I haven't tested this personally, but it should be adequate.
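The overload rules quoted above, written out as a complete pf.conf fragment so the pieces fit together. This is an added example, not text from the thread or from the pf.conf man page: the interface name, the web server address and the pfctl maintenance commands are assumptions, and the table is declared with `persist` so it survives a ruleset reload even while empty.

```conf
# Added example (not from the thread). Names and addresses are assumed.
ext_if    = "em0"           # assumed external interface
webserver = "192.0.2.10"    # constructed example address (TEST-NET-1)

# 'persist' keeps the table across 'pfctl -f' reloads even when it is empty,
# so entries added by 'overload' are not lost with the next ruleset load.
table <bad_hosts> persist

# Place the block rule before the pass rule: once a source is added to the
# table, its next packet is dropped here instead of matching the pass rule.
block quick from <bad_hosts>

# More than 1 new connection per 10 seconds from one source address moves
# that address into <bad_hosts>; 'flush global' then kills every state the
# address holds, not only the ones created by this rule.
pass in on $ext_if proto tcp to $webserver port ssh keep state \
    (max-src-conn-rate 1/10, overload <bad_hosts> flush global)

# Caveat: max-src-conn-rate counts only states created by this pass rule,
# so a host probing ports that are blocked (and therefore never create a
# state) is not added to the table by this mechanism.

# Inspecting and maintaining the table (run as root; commands assumed):
#   pfctl -t bad_hosts -T show              # list current entries
#   pfctl -t bad_hosts -T expire 86400      # drop entries older than one day
#   pfctl -t bad_hosts -T delete 203.0.113.5  # remove one entry by hand
```

The `expire` command is what keeps a table like this from growing forever; running it from cron with an age that matches the site's tolerance turns the overload table into a self-cleaning ban list without any log parsing.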
