On 2/8/11 11:06 PM, Vadym Chepkov wrote:
>
> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
>
>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> Could somebody help in figuring out why a PF configuration meant to prevent
>>> brutal SSH attacks doesn't work.
>>>
>>> Here are the relevant parts:
>>>
>>> /etc/ssh/sshd_config
>>>
>>> PasswordAuthentication no
>>> MaxAuthTries 1
>>>
>>> /etc/pf.conf
>>>
>>> block in log on $wan_if
>>>
>>> table <abusive_hosts> persist
>>> block drop in quick from <abusive_hosts>
>>>
>>> pass quick proto tcp to $wan_if port ssh keep state \
>>>     (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>>
>>
>> On RELENG_7 and 8 I use something like that. Is there a different IP
>> they might be connecting to that is not covered under $wan_if?
>>
>
> That would mean this rule doesn't work:
>
> block in log on $wan_if
>
No, it wouldn't. Your "block in log on $wan_if" rule is not quick, which means the ruleset evaluation continues. If another rule further down matches (the pass in quick, for instance) then it is applied instead.

normal rules: last match is applied to the packet
quick rules: first match is applied and ruleset evaluation ends

On a side note, I think you are under no obligation to add the "keep state" bit to the rule. Rules default to "keep state flags S/SA".

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
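The evaluation order explained in the reply, as an added example that is not part of the thread: the questioner's rules annotated with which match wins at each step, with the pass rule pinned to the WAN interface (an assumption about the intent, not something the thread states) and the checks that show which rule a packet actually hit. `em0` is an assumed placeholder for the interface behind `$wan_if`.

```pf
# Added example, not from the thread. Assumes $wan_if names the external
# interface (em0 is a placeholder) and that ssh should only be reachable
# through that interface.
wan_if = "em0"

table <abusive_hosts> persist

# Not "quick": the rule matches, evaluation continues, and among non-quick
# rules the last match wins. Any later pass that also matches overrides it,
# so this line alone proves nothing about what was dropped.
block in log on $wan_if

# "quick": the first match ends evaluation. It has to sit before the pass
# below; if the pass (also quick) came first, the table would never be
# consulted for ssh traffic.
block drop in quick from <abusive_hosts>

# Pinned with "in on $wan_if": the thread's version named no interface, so it
# could also match ssh arriving on another interface, where the block rule
# above never applied. "keep state" stays because the parenthesised state
# options attach to it, even though plain rules keep state by default.
pass in quick on $wan_if proto tcp to $wan_if port ssh keep state \
    (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
```

To see which rule is winning rather than guessing from the ruleset: `pfctl -nf /etc/pf.conf` parses without loading, `pfctl -vvsr` prints each loaded rule with its Evaluations and Packets counters, so the rule absorbing the ssh connections is the one whose Packets counter climbs during an attack, and `pfctl -t abusive_hosts -T show` confirms whether the overload ever populated the table. `pfctl -t abusive_hosts -T flush` empties it for a retest.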