Hi,

I am a bit surprised how this subject has spiralled. Interesting reading from all 
the comments and suggestions.

Nino

> On 9 Jan 2019, at 1:23 pm, Jordan Geoghegan <jgeoghega...@gmail.com> wrote:
> 
> On 01/08/19 18:08, tomr wrote:
>> 
>> On 1/9/19 12:42 PM, Jordan Geoghegan wrote:
>>> Yikes. Everything you are (erroneously) trying to do here can be done
>>> without leaving your pf.conf.
>>> 
>>> Remember, KISS.
>>> 
>> Is there a way to add an address to a table from within a rule, or
>> something to that effect? I can't see such an option. A la...
>> 
>> block in quick on $ext_if to any port ! { $allowed_ports } add-to <badguys>
>> 
>> 
>> (Otherwise I don't see how the whole show could be completed without
>> logging, monitoring the log, then running pfctl, ie with leaving your
>> pf.conf)
> 
> Without wasting too much time on this, the "overload" example from the 
> pf.conf man page could be pretty easily adapted to meet the specified needs:
> 
> pass in on egress proto tcp to egress port 22 keep state (max-src-conn-rate 
> 1/10, overload <bad_host> flush global)
> 
> or to copy basically verbatim from the man page, (with only the src-conn-rate 
> and port number adjusted):
> 
> block quick from <bad_hosts>
> pass in on $ext_if proto tcp to $webserver port ssh keep state \
>      (max-src-conn-rate 1/10, overload <bad_hosts> flush global)
> 
> 
> I haven't tested this personally, but it should be adequate.
> 

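As a worked illustration of the overload approach discussed in the thread (an added example, not configuration posted by any participant), here is a complete pf.conf fragment that does what tomr's hypothetical "add-to <badguys>" wanted: the address is added to the table by pf itself when the source trips the rate limit, with no log watching or external pfctl calls. The interface name, the admin address, the 3/30 threshold and the port are assumptions; the man page's 1/10 bans anyone who reconnects twice within ten seconds, which will catch a legitimate administrator who mistypes a password, so a trusted-hosts bypass is included. The pfctl commands in the trailing comments are the checks a practitioner would run; "egress" as used in the quoted reply can replace $ext_if throughout.

```pf
# Added example, not from the original thread: rate-limit inbound SSH and
# ban offenders from within pf. Interface, addresses and thresholds are
# assumed values for illustration.

ext_if = "em0"                     # assumption: external interface name

# "persist" keeps the table (and its entries) across rule reloads even if
# no rule happens to reference it at that moment.
table <bad_hosts> persist
# Assumption: documentation-range address standing in for a trusted admin host.
table <admin_hosts> const { 192.0.2.10 }

set skip on lo

# Trusted sources are matched first and never reach the rate-limited rule,
# so they cannot ban themselves.
pass in quick on $ext_if proto tcp from <admin_hosts> to ($ext_if) port ssh

# Drop everything from banned sources before any later pass rule is evaluated.
block in quick on $ext_if from <bad_hosts>

# Allow SSH, but a source opening more than 3 new connections in 30 seconds
# is added to <bad_hosts>. "flush global" tears down ALL states from that
# source, not only the ones created by this rule.
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state \
    (max-src-conn-rate 3/30, overload <bad_hosts> flush global)

# Checks and maintenance (run as root):
#   pfctl -nf /etc/pf.conf                    # syntax-check before loading
#   pfctl -f /etc/pf.conf                     # load the ruleset
#   pfctl -t bad_hosts -T show                # list currently banned addresses
#   pfctl -t bad_hosts -T expire 86400        # drop entries older than one day
#   pfctl -t bad_hosts -T delete 203.0.113.7  # manual unban (example address)
#   pfctl -t bad_hosts -T add 203.0.113.7     # manual ban, the "add-to" by hand
```

Entries added by overload stay until expired or deleted, so schedule the expire command from cron (or use `pfctl -t bad_hosts -T expire` with whatever window suits the site) unless a permanent ban is intended. Note that max-src-conn-rate only counts new TCP connections that create state, so it does not apply to UDP or to a rule without state.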