Hi, I am a bit surprised how this subject has spiralled. Interesting reading from all the comments and suggestions.
Nino

> On 9 Jan 2019, at 1:23 pm, Jordan Geoghegan <jgeoghega...@gmail.com> wrote:
>
> On 01/08/19 18:08, tomr wrote:
>>
>> On 1/9/19 12:42 PM, Jordan Geoghegan wrote:
>>> Yikes. Everything you are (erroneously) trying to do here can be done
>>> without leaving your pf.conf.
>>>
>>> Remember, KISS.
>>>
>> Is there a way to add an address to a table from within a rule, or
>> something to that effect? I can't see such an option. A la...
>>
>> block in quick on $ext_if to any port ! { $allowed_ports } add-to <badguys>
>>
>> (Otherwise I don't see how the whole show could be completed without
>> logging, monitoring the log, then running pfctl, i.e. with leaving your
>> pf.conf)
>
> Without wasting too much time on this, the "overload" example from the
> pf.conf man page could be pretty easily adapted to meet the specified needs:
>
> pass in on egress proto tcp to egress port 22 keep state (max-src-conn-rate
> 1/10, overload <bad_host> flush global)
>
> or to copy basically verbatim from the man page, (with only the src-conn-rate
> and port number adjusted):
>
> block quick from <bad_hosts>
> pass in on $ext_if proto tcp to $webserver port ssh keep state \
> (max-src-conn-rate 1/10, overload <bad_hosts> flush global)
>
> I haven't tested this personally, but it should be adequate.
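For anyone landing on this thread later, here is a complete pf.conf fragment that puts the overload mechanism discussed above together with the pieces the one-liner leaves out (the table declaration, rule ordering, and a bypass so you cannot ban yourself). It is an added example, not code posted by anyone in the thread; the interface group, the admin addresses, the table names and the rate are assumptions chosen for illustration.

```pf
# Added example: auto-banning SSH brute-forcers with the pf.conf(5)
# "overload" state option, with no external log watcher.
# "egress", the <admins> addresses, the table names and the 10/30 rate
# are assumptions for this illustration.

# "persist" keeps the table alive even when no loaded rule references it,
# so overload entries survive a "pfctl -f /etc/pf.conf" reload. The contents
# still live only in kernel memory and are gone after a reboot.
table <bad_hosts> persist

# Management hosts that must never be locked out (assumed addresses).
table <admins> { 192.0.2.10, 2001:db8::10 }

# Admin bypass. It is "quick" and sits above the ban rule, so an admin
# address is allowed even if it somehow ends up in <bad_hosts>, and it never
# reaches the rate-limited rule, so it cannot be inserted in the first place.
pass in quick on egress proto tcp from <admins> to (egress) port ssh

# The ban. It must be "quick" and must precede the pass rule below:
# pf uses last-match semantics, so without "quick" the later "pass" would
# win and the table would have no effect.
block in quick on egress from <bad_hosts>

# More than 10 new SSH connections within 30 seconds from a single source
# adds that source to <bad_hosts> and, via "flush global", kills every state
# that source currently holds, not just the SSH ones.
pass in on egress proto tcp to (egress) port ssh \
    keep state (max-src-conn-rate 10/30, overload <bad_hosts> flush global)
```

Two practical notes. First, `max-src-conn-rate` applies to TCP and counts connections that completed the handshake, which is why the table cannot be poisoned with spoofed source addresses; the 1/10 value quoted above would, however, ban a legitimate user who retries a login twice in ten seconds, so pick a rate that matches real usage. Second, pf never removes overload entries by itself. Inspect the table with `pfctl -t bad_hosts -T show` and age entries out from cron, for example `pfctl -t bad_hosts -T expire 86400` to drop addresses that have been idle for a day; if you need the bans to survive a reboot, dump the table with `pfctl -t bad_hosts -T show` to a file and reload it with `pfctl -t bad_hosts -T add -f` at boot.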