You could try using some example rulesets that stop a lot of scans:
# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if
Hello,
I have a simple firewall set up with OpenBSD 3.9 and have been playing
around with logging ssh login attempts to my DMZ server and banishing
IPs using max-src-conn-rate ...
block quick from <banish>
pass in log quick on $ext_if proto tcp from any to $dmz_ip port = ssh
flags S/SA
synproxy
On Mon, Jun 26, 2006 at 07:45:07PM -0700, nobiscuit wrote:
I gather it is possible to add IP addresses to a table using pfctl run
with a cron job based on what has been logged from pf. However, this
cron job would have to be run frequently to be any more effective than
the banish rule listed
On 6/27/06, Darrin Chandler wrote:
I've been through the documentation and this mailing list. Is there
another way to add IP addresses to a table directly using a rule in
pf.conf? I can see the little bastards coming and I'd like to cut them
off as quickly as possible.
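
The cron-job approach discussed above, as an added example that is not part of the thread: a filter that picks repeat ssh offenders out of an auth log so that cron can feed them to the banish table. THRESHOLD, ALLOWLIST, the sshd log line layout and the sample addresses are assumptions; only the table name comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): select sshd brute-force sources for a pf table.
# THRESHOLD, ALLOWLIST and the syslog layout below are assumptions.
THRESHOLD=3
ALLOWLIST="192.0.2.10"   # space-separated addresses that must never be banished

# Reads syslog lines on stdin, prints one offending IPv4 address per line.
banish_candidates() {
    awk -v min="$THRESHOLD" -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /sshd\[[0-9]+\]: Failed password for / {
        # Parse from the END of the line: the user name is chosen by the
        # remote side and may itself contain "from 1.2.3.4 port 22 ssh2".
        if (NF < 5 || $(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (ip in skip) next          # never lock out known-good hosts
        hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | LC_ALL=C sort
}

# Constructed sample log lines (documentation address ranges only).
sample_log() {
cat <<'EOF'
Jun 26 19:45:01 dmz sshd[2101]: Failed password for root from 203.0.113.5 port 4101 ssh2
Jun 26 19:45:03 dmz sshd[2102]: Failed password for invalid user x from 192.0.2.77 port 1 ssh2 from 203.0.113.5 port 4102 ssh2
Jun 26 19:45:05 dmz sshd[2103]: Failed password for invalid user x from 192.0.2.77 port 1 ssh2 from 203.0.113.5 port 4103 ssh2
Jun 26 19:45:07 dmz sshd[2104]: Failed password for invalid user x from 192.0.2.77 port 1 ssh2 from 203.0.113.5 port 4104 ssh2
Jun 26 19:46:10 dmz sshd[2110]: Failed password for admin from 198.51.100.7 port 5001 ssh2
Jun 26 19:46:12 dmz sshd[2111]: Failed password for admin from 198.51.100.7 port 5002 ssh2
Jun 26 19:47:00 dmz sshd[2120]: Failed password for bob from 192.0.2.10 port 6001 ssh2
Jun 26 19:47:02 dmz sshd[2121]: Failed password for bob from 192.0.2.10 port 6002 ssh2
Jun 26 19:47:04 dmz sshd[2122]: Failed password for bob from 192.0.2.10 port 6003 ssh2
Jun 26 19:48:00 dmz sshd[2130]: Accepted password for bob from 192.0.2.10 port 6004 ssh2
EOF
}

# A cron job would pipe the real log instead and load the result with:
#   ... | banish_candidates | xargs pfctl -t banish -T add
sample_log | banish_candidates
```

Taking the address from the end of the line keeps a crafted user name from getting a third party's address (192.0.2.77 in the sample) added to the table.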
On Tue, Jun 27, 2006 at 02:38:06PM -0500, Travis H. wrote:
There's some discussion there as to the wisdom of this, since scans
are trivially spoofed, it could lead to a DoS.
I'm usually on the side against blocking. My reasons, more or less in
order:
* It wastes time and resources
* Possible