Claer <[EMAIL PROTECTED]> writes:

> I always hesitate to use this trick. Could you please develop more the
> implications of this method? Is it still effective?

Yes, it's still effective.  You need to put in whatever values you
feel are appropriate for your network and users.  In Lars' example,

>       pass in on $ext_if proto tcp to ($ext_if) port ssh
>        flags S/SA keep state (max-src-conn 4, \
>        max-src-conn-rate 2/60, overload <bruteforce> \
>        flush global)

any host with more than 4 simultaneous ssh connections OR that
connects more than twice during any 60-second period has all their
existing connections terminated, their address put into the bruteforce
table and their address no longer matches the criteria for the pass
rule.  Those values are low enough that you might risk tripping up
legitimate connections if there are enough users coming in from behind
a NATing gateway, but that scenario may not be relevant for your case.  

What happens to connections from addresses in the bruteforce table is
up to you, but I suspect a rule involving 'block quick' is very
common.  And yes, it's in the tutorial[1] and covered in that little
book of mine[2].

- Peter

[1] http://home.nuug.no/~peter/pf/en/bruteforce.html goes right to
    this topic, http://home.nuug.no/~peter/pf/ for a choice of formats

[2] http://nostarch.com/pf.htm

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
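For reference, here is the quoted rule placed in a complete pf.conf fragment, with the table definition and a `block quick` rule of the kind Peter mentions. This is an added example, not part of the original post or of Lars' or Peter's own configuration; the interface name em0 and the choice of blocking on the external interface only are assumptions.

```pf
# Added example, not from the original post. Interface name is an assumption.
ext_if = "em0"

# The table the overload clause fills. 'persist' keeps the table in the
# kernel even when no loaded rule references it, so its entries survive
# a ruleset reload.
table <bruteforce> persist

# Must come before the pass rule: 'quick' stops rule evaluation on a
# match, so an address in the table never reaches the pass rule below.
block in quick on $ext_if from <bruteforce>

# Lars' rule: at most 4 concurrent states per source address, and at most
# 2 new connections per source in any 60-second window. Exceeding either
# limit adds the source to <bruteforce>; 'flush global' then kills all of
# that source's existing states, not only those created by this rule.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state (max-src-conn 4, \
    max-src-conn-rate 2/60, overload <bruteforce> \
    flush global)
```

Entries added by overload never expire on their own. `pfctl -t bruteforce -T show` lists the table, `pfctl -t bruteforce -T delete 192.0.2.10` frees a single address, and a cron job running `pfctl -t bruteforce -T expire 86400` drops entries older than 24 hours (the 24-hour figure is an assumption; pick what suits your site). The counters are kept per source address, so users behind one NATing gateway share the 2-per-60-seconds budget; if that matters for you, raise the limits or add an earlier `pass` rule for the gateway's address without the overload clause.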