Hi Jordan,

I've set it up to try it, but I'm not having much luck. Even when I trigger more than one, it still doesn't populate the bad_hosts table, even when I extend the rate period to 86400 seconds. I've added logging so I know the rule is triggering. See below.
git# tcpdump -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
08:50:41.100611 111-222-33-45.dyn.isp.net.au.49643 > git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:41.630593 111-222-33-45.dyn.isp.net.au.49643 > git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:42.155612 111-222-33-45.dyn.isp.net.au.49643 > git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
08:50:43.496590 111-222-33-45.dyn.isp.net.au.49649 > git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:44.038541 111-222-33-45.dyn.isp.net.au.49649 > git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:44.571563 111-222-33-45.dyn.isp.net.au.49649 > git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
08:50:46.879666 111-222-33-45.dyn.isp.net.au.49660 > git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:47.408720 111-222-33-45.dyn.isp.net.au.49660 > git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:47.938650 111-222-33-45.dyn.isp.net.au.49660 > git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
^C
9 packets received by filter
0 packets dropped by kernel
git# cat /etc/pf.conf
#	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

ext_if=vio0
ext_ip=111.222.33.44

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

block quick from <bad_hosts>
pass in log on $ext_if proto tcp to $ext_ip port telnet keep state (max-src-conn-rate 1/86400, overload <bad_hosts> flush global)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
git#

On Wed, Jan 9, 2019 at 1:30 PM Jordan Geoghegan <jgeoghega...@gmail.com> wrote:
>
>
>
> On 01/08/19 18:08, tomr wrote:
> >
> > On 1/9/19 12:42 PM, Jordan Geoghegan wrote:
> >> Yikes. Everything you are (erroneously) trying to do here can be done
> >> without leaving your pf.conf.
> >>
> >> Remember, KISS.
> >>
> > Is there a way to add an address to a table from within a rule, or
> > something to that effect? I can't see such an option. A la...
> >
> > block in quick on $ext_if to any port ! { $allowed_ports } add-to <badguys>
> >
> >
> > (Otherwise I don't see how the whole show could be completed without
> > logging, monitoring the log, then running pfctl, ie with leaving your
> > pf.conf)
>
> Without wasting too much time on this, the "overload" example from the
> pf.conf man page could be pretty easily adapted to meet the specified needs:
>
> pass in on egress proto tcp to egress port 22 keep state
> (max-src-conn-rate 1/10, overload <bad_host> flush global)
>
> or to copy basically verbatim from the man page, (with only the
> src-conn-rate and port number adjusted):
>
> block quick from <bad_hosts>
> pass in on $ext_if proto tcp to $webserver port ssh keep state \
> (max-src-conn-rate 1/10, overload <bad_hosts> flush global)
>
>
> I haven't tested this personally, but it should be adequate.
>

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
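Added example, not code from the thread or from OpenBSD: a small Python model of how pf accounts connections for max-src-conn-rate. pf counts a connection against a source only once the TCP three-way handshake has completed (pf.conf(5) relies on the handshake to rule out spoofed sources), so if nothing is listening on port telnet, each of the nine SYNs in the capture above creates a state and gets a RST, but the source's counter never moves and <bad_hosts> stays empty. The decay arithmetic mirrors pf's scaled moving average; the event lists are constructed, and the source name is taken from the capture.

```python
# Model of pf's source-tracking rate counter (not pf's own code); sample events below are constructed.
from dataclasses import dataclass

MULT = 1000  # pf scales the counter by 1000 to avoid floating point


@dataclass
class SourceNode:
    limit: int         # connections allowed per window (the "1" in 1/86400)
    seconds: int       # window length in seconds (the "86400" in 1/86400)
    count: int = 0     # scaled moving-average connection count
    last: int = 0      # time of the last counted connection

    def add_connection(self, now: int) -> None:
        """Decay the average linearly over the window, then count one more."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0
        else:
            self.count -= self.count * diff // self.seconds
        self.count += MULT
        self.last = now

    def over_limit(self) -> bool:
        return self.count > self.limit * MULT


def run_overload(events, limit, seconds):
    """Replay (time, src, kind) events; return sources the overload clause would add to the table."""
    nodes = {}
    overloaded = set()
    for now, src, kind in events:
        node = nodes.setdefault(src, SourceNode(limit, seconds))
        if kind != "established":
            continue  # unanswered SYN: a state exists, but nothing is counted
        node.add_connection(now)
        if node.over_limit():
            overloaded.add(src)
    return overloaded


# Constructed events mirroring the capture: three SYN-only attempts a few seconds apart.
SRC = "111-222-33-45.dyn.isp.net.au"
SYN_ONLY = [(0, SRC, "syn"), (2, SRC, "syn"), (5, SRC, "syn")]
# Constructed contrast: two handshakes that actually complete inside the 86400 s window.
COMPLETED = [(0, SRC, "established"), (60, SRC, "established")]

if __name__ == "__main__":
    print("SYN-only attempts overload:", run_overload(SYN_ONLY, 1, 86400))
    print("two completed handshakes overload:", run_overload(COMPLETED, 1, 86400))
```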