Hi Jordan

I've set it up to try it, but I'm not having much luck.  Even when I
trigger more than one, it still doesn't populate the bad_hosts table,
even again when I extend the rate period to 86400 seconds.  I've added
logging so I know the rule is triggering.  See below.

git# tcpdump -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
08:50:41.100611 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss
1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:41.630593 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss
1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:42.155612 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss
1460,nop,nop,sackOK> (DF)
08:50:43.496590 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss
1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:44.038541 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss
1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:44.571563 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss
1460,nop,nop,sackOK> (DF)
08:50:46.879666 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss
1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:47.408720 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss
1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:47.938650 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss
1460,nop,nop,sackOK> (DF)
^C
9 packets received by filter
0 packets dropped by kernel
git# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

ext_if=vio0
ext_ip=111.222.33.44

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

block quick from <bad_hosts>
pass in log on $ext_if proto tcp to $ext_ip port telnet keep state \
        (max-src-conn-rate 1/86400, overload <bad_hosts> flush global)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
git#

On Wed, Jan 9, 2019 at 1:30 PM Jordan Geoghegan <jgeoghega...@gmail.com> wrote:
>
>
>
> On 01/08/19 18:08, tomr wrote:
> >
> > On 1/9/19 12:42 PM, Jordan Geoghegan wrote:
> >> Yikes. Everything you are (erroneously) trying to do here can be done
> >> without leaving your pf.conf.
> >>
> >> Remember, KISS.
> >>
> > Is there a way to add an address to a table from within a rule, or
> > something to that effect? I can't see such an option. A la...
> >
> > block in quick on $ext_if to any port ! { $allowed_ports } add-to <badguys>
> >
> >
> > (Otherwise I don't see how the whole show could be completed without
> > logging, monitoring the log, then running pfctl, ie with leaving your
> > pf.conf)
>
> Without wasting too much time on this, the "overload" example from the
> pf.conf man page could be pretty easily adapted to meet the specified needs:
>
> pass in on egress proto tcp to egress port 22 keep state \
> (max-src-conn-rate 1/10, overload <bad_host> flush global)
>
> or to copy basically verbatim from the man page, (with only the
> src-conn-rate and port number adjusted):
>
> block quick from <bad_hosts>
> pass in on $ext_if proto tcp to $webserver port ssh keep state \
>        (max-src-conn-rate 1/10, overload <bad_hosts> flush global)
>
>
> I haven't tested this personally, but it should be adequate.
>
>
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
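An added example, not part of the thread, that reads pflog lines in the tcpdump format shown above and works out which sources would exceed a given max-src-conn-rate. It collapses SYN retransmissions with the same source port and ISN into one connection attempt, because pf counts a source once per state created, not once per SYN; the sample input is the nine lines from the post.

```python
import re
from collections import defaultdict

# Sample input: the pflog lines from the tcpdump output in the post above.
PFLOG_SAMPLE = """\
08:50:41.100611 111-222-33-45.dyn.isp.net.au.49643 > git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:41.630593 111-222-33-45.dyn.isp.net.au.49643 > git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:42.155612 111-222-33-45.dyn.isp.net.au.49643 > git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
08:50:43.496590 111-222-33-45.dyn.isp.net.au.49649 > git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:44.038541 111-222-33-45.dyn.isp.net.au.49649 > git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:44.571563 111-222-33-45.dyn.isp.net.au.49649 > git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
08:50:46.879666 111-222-33-45.dyn.isp.net.au.49660 > git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:47.408720 111-222-33-45.dyn.isp.net.au.49660 > git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
08:50:47.938650 111-222-33-45.dyn.isp.net.au.49660 > git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
"""

# tcpdump pflog line: HH:MM:SS.frac src.sport > dst.dport: S isn:isn(0) ...
SYN_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): S (?P<isn>\d+):\d+\(0\)")

def parse_syns(text):
    """Yield (seconds since midnight, src host, src port, dst port, ISN) for each SYN line."""
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            h, mi, s, frac = m.group(1, 2, 3, 4)
            ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
            yield ts, m["src"], m["sport"], m["dport"], m["isn"]

def connection_attempts(text):
    """Collapse SYN retransmissions (same src port and ISN) into one attempt: one state each."""
    first_seen = {}
    for ts, src, sport, dport, isn in parse_syns(text):
        first_seen.setdefault((src, sport, isn), (ts, src, dport))
    return sorted(first_seen.values())

def would_overload(text, number, seconds):
    """Return {src: peak} for sources with more than `number` new connections in any `seconds` window."""
    per_src = defaultdict(list)
    for ts, src, _dport in connection_attempts(text):
        per_src[src].append(ts)
    hits = {}
    for src, times in per_src.items():
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > seconds:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > number:                        # max-src-conn-rate number/seconds exceeded
            hits[src] = peak
    return hits
```

On the sample, the nine logged SYNs are three connection attempts from one source, which is over a 1/86400 limit but not over 3/10.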
