On 10/24/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Rob <[EMAIL PROTECTED]> [2007-10-24 00:05]:
> > Note that I wouldn't use a flush global directive for a rule like
> > this, because it can lead to a neat DoS where somebody can spoof one
> > of your own IP addresses and shut down any ssh sessions you have
> > active.
>
> no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus
> making spoofing unfeasible. that info, of course, is in the manpage...
> very loud and clear. why don't you check there before spreading fud on
> the list?
I was quoting that from memory, specifically from Joachim Schipper's
comment on August 9th: "Or maybe not - 'flush' enables an attacker to
not only prevent you connecting, but actually to log you out as well."
(http://marc.info/?l=openbsd-misc&m=118665539219389&w=2) I managed to
miss the follow-up post on the 3-way-handshake.

> this doesn't only comply to you, but is completely beyond me.
> why do we invest lots of time and nerves and whatnot in manpages when
> people do not read them, and instead guess a bit and then spread shit
> because the guess was of course wrong? read the damn manpages!

People read the man pages. I would sooner read, re-read, and then study
the man pages, then perform background research, experiment, and then
write sample code, before asking a question on this list. The guy's
question had languished for 2 days. I didn't bother to go back through
the 2,079 lines of pf.conf manpage to get the correct answer; my bad. I
had five minutes today in which I wasn't catching shit from someone
else, so I thought I'd give a best guess and catch some shit here
instead.

- R.
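For readers following the thread, here is an added pf.conf fragment of the kind of rate-limited ssh rule being argued about. It is an illustration written for this page, not something either poster sent; the `$ext_if` macro, the table name and the thresholds are arbitrary choices.

```pf
# Constructed example, not from the thread. Table name and limits are arbitrary.
table <bruteforce> persist

# Drop everything from a source that has already tripped the limit.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but count completed TCP connections per source address.
# max-src-conn-rate is evaluated on states pf has already created, which
# only happens once the three-way handshake has finished. A source that
# completes more than 5 new connections in 30 seconds is added to
# <bruteforce>; "flush global" then removes every state that source holds,
# on any rule, not only the states created by this one.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Two things follow from how the limit is counted. Because a state exists only after the handshake completes, a third party who merely forges SYNs with your address never adds to your address's rate, which is Henning's point. The cost of `flush global` is on the other side: if a legitimate host shares an address with whatever trips the limit (a NAT gateway, for instance), its established sessions are torn down along with the offender's. Entries in the table persist until removed, so something like `pfctl -t bruteforce -T expire 86400` run periodically is needed if you want them to age out.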