On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:

>>> Check your pflog. The ruleset itself seems fine (if it is complete and you
>>> did not forget to post a vital part). We also can assume that pf is
>>> enabled, can we?
>>
>> What should I be looking for in pflog? I can't find anything ssh related. I
>> posted full ruleset too.
> [...]
>> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>
> Well...
>
>> block drop in quick from <abusive_hosts> to any
>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep
>> state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload
>> <abusive_hosts> flush global, src.track 60)
>
> "block drop in quick log..." and "pass quick inet proto log" might be useful.
> BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is
> it?

8.1-RELEASE-p1, just one external interface. I will add "log" to "pass ssh", but what would I "block drop in quick" though?

Vadym
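
Where the `log` keyword goes in the two rules quoted in this thread, as an added example that is not part of the original messages. The rules are rewritten in pf.conf form from the quoted text; 38.X.X.X is the redacted address as posted, and the /etc/pf.conf path and pflog0 interface are assumed defaults.

```conf
# Added example, not from the thread. 38.X.X.X is the redacted address as posted.

# Before (as quoted): neither rule carries "log", so pf hands nothing for
# these packets to pflog and "tcpdump ... port ssh" over the log files is empty.
#   block drop in quick from <abusive_hosts> to any
#   pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (...)

# After: "log" follows the action (and the direction, if given) and comes
# before "quick".
# Packets from hosts already moved into <abusive_hosts> are logged as blocked.
block drop in log quick from <abusive_hosts> to any

# On a stateful pass rule, "log" records only the packet that creates the
# state (the SYN); "log (all)" would record every packet of the connection.
pass log quick inet proto tcp from any to 38.X.X.X port = ssh \
    flags S/SA keep state \
    (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, \
     overload <abusive_hosts> flush global, src.track 60)

# Checks after editing (run as root; default paths and interface assumed):
#   pfctl -nf /etc/pf.conf                   # parse only, do not load
#   pfctl -f /etc/pf.conf                    # load the ruleset
#   tcpdump -n -e -ttt -i pflog0 port ssh    # live view of logged packets
#   pfctl -t abusive_hosts -T show           # hosts added by "overload"
```

The loop quoted above matches only the rotated archives (`pflog.?.bz2`), so the current, uncompressed log file has to be read separately with `tcpdump -r`.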