On 3/12/2021 12:25 AM, Max wrote:
> You can use the overload option.
> "With the overload <table> state option, source IP addresses which hit
> either of the limits on established connections will be added to the
> named table."
>
> pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep
> state \
>    (max-src-conn-rate 15/86400, overload <rdp-bruteforce> flush global)
>
Thanks, this might give me the answer in a roundabout way!  But I am
curious as to when I would actually see reason src-limit. According
to the RELENG_12 man pages,

reason match     Reason equals match.  Also accepts "bad-offset", "fragment",
                 "bad-timestamp", "short", "normalize", "memory", "congestion",
                 "ip-option", "proto-cksum", "state-mismatch", "state-insert",
                 "state-limit", "src-limit", and "synproxy".


but I never see state or src limit as a reason. The reason is always a
match.

    ---Mike


> # pfctl -t rdp-bruteforce -vTs
>    222.214.161.232
>         Cleared:     Thu Mar  4 08:09:50 2021
>
> According to
> https://www.freebsd.org/cgi/man.cgi?query=pcap-filter&sektion=7
>        reason code
>           True if the packet was logged with the specified PF reason code.
>           The known codes are: match, bad-offset, fragment, short, normalize,
>           and memory (applies only to packets logged by OpenBSD's or
>           FreeBSD's pf(4)).
>
> 11.03.2021 22:17, mike tancsa wrote:
>> I am trying to track down the IPs that are hitting my src limits, but I
>> don't see them logged. According to
>>
>> https://www.freebsd.org/cgi/man.cgi?query=pflogd&sektion=8
>>
>> I should be able to see the reason something got blocked
>>
>> e.g. if I have something like
>>
>>
>> pass in log on $outside_nic proto tcp from any to $http_server port 80
>> keep state (max 25 max-src-conn-rate 2/60)
>>
>> How would I find the IP that is tripping up the max state rule or
>> max-src-conn-rate ?
>>
>> Looking at
>>
>> pfctl -sinfo -v
>>
>> Limit Counters
>>    max states per rule               293319            0.2/s
>>    max-src-states                         0            0.0/s
>>    max-src-nodes                          0            0.0/s
>>    max-src-conn                           0            0.0/s
>>    max-src-conn-rate                  10273            0.0/s
>>    overload table insertion               0            0.0/s
>>    overload flush states                  0            0.0/s
>>
>> The counters are increasing, but I never see it in pflog
>>
>> tcpdump -tttt -nei pflog0 -s0 reason state-limit or reason src-limit
>>
>>      ---Mike
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

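As an added illustration, not taken from either poster's message, here is the full shape of the rule set Max's suggestion implies, applied to the HTTP rule from the original question: the table has to be declared, the pass rule sends offenders into it, and a separate block rule referencing the table is what actually stops them and gets them into pflog. The table name http-bruteforce, the macro values and the 2/60 rate are assumptions carried over from the example in the thread.

```pf
# Added example pf.conf fragment; not from the original post.
# Macro values are assumed; set them to the real interface and host.
outside_nic = "em0"
http_server = "192.0.2.10"

# Table that receives addresses exceeding the per-source limit below.
# 'persist' keeps the table (and its entries) across rule reloads even
# while no rule references it.
table <http-bruteforce> persist

# Drop and log traffic from recorded offenders. 'quick' stops evaluation
# here, so this rule wins over the pass rule below regardless of order,
# and every blocked packet shows up in pflog with the offender's address.
block in log quick on $outside_nic from <http-bruteforce>

# The original rule only counted the limit hit. With 'overload' the source
# that exceeds max-src-conn-rate is written to the table; 'flush global'
# additionally kills every state that source already holds, not only the
# ones created by this rule.
pass in log on $outside_nic proto tcp from any to $http_server port 80 \
    keep state (max 25, max-src-conn-rate 2/60, \
                overload <http-bruteforce> flush global)
```

Two practical notes. First, overload only covers the per-source limits (max-src-conn and max-src-conn-rate); the rule-wide max 25 is not attributable to one address, so nothing is inserted when that one trips. Second, entries inserted by overload never expire on their own: pfctl -t http-bruteforce -vTs shows each address with its Cleared timestamp (for an overload-inserted entry, the time it was added), pfctl -t http-bruteforce -T delete 203.0.113.5 removes one address, and a periodic pfctl -t http-bruteforce -T expire 86400 drops addresses whose statistics were cleared more than a day ago, so a single rate spike does not become a permanent ban.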