On 2013-02-08, Martijn van Duren <martijn...@gmail.com> wrote:
> On Fri, 2013-02-08 at 08:23 +0000, Stuart Henderson wrote:
>> On 2013-02-07, Martijn van Duren <martijn...@gmail.com> wrote:
>> > Thanks for all the quick responses, but if I understand you all
>> > correctly there is no way to cut off an established connection by adding
>> > an ip address to a blocked table, so I'm still left with my two stage
>> > drop off the connection (both adding the ip to the table and killing
>> > the connection manually).
>>
>> Correct because the state table is checked *before* packets run through the
>> firewall ruleset.
>>
>
> Correct me if I'm wrong, but isn't that still somewhat dangerous? Say
> the next situation:
> I have a rule in my firewall that limits ssh connections to 3 every 30
> seconds, if you exceed it your ip address is added to a table that has a
> drop quick on it. Now at the same time that same ip-address is brute
> forcing on my ftp-port without building up a new connection between
> retries.
> When this ip address is automatically added to the blocked table he is
> qualified as bad traffic and I'd expect that other traffic to my server
> is cut short by then.
>
> Of course this is only an example of how an ip address could be
> automatically added to a table and I don't expect that every method is
> capable of also (easily,) automatically destroying an active connection.
Read the part of pf.conf(5) which describes the stateful tracking options that you are using and you can see if this applies to the way you are using them.
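An added illustration, not part of this thread and not taken from the pf project, of the stateful tracking options in pf.conf(5) that the reply refers to. It uses the 3-per-30-seconds ssh limit from Martijn's scenario; the interface name em0, the table name bruteforce and the port are assumptions. The weak variant (overload without flush) is shown commented out next to the corrected one.

```conf
# Added example (not from the thread). Assumed: external interface em0,
# table <bruteforce>, ssh on port 22. The 3/30 rate is the thread's scenario.
table <bruteforce> persist

# A block rule on the table only affects packets that reach the ruleset.
# An already-established state (the ftp session in the scenario) keeps
# matching in the state table, which pf consults before the rules, so
# adding the address to the table alone does not cut that session.
block in quick on em0 from <bruteforce>

# Weak variant: overload adds the offending source to the table but kills
# no state. Existing ssh and ftp states from that host stay alive.
#pass in on em0 proto tcp to port 22 \
#    keep state (max-src-conn-rate 3/30, overload <bruteforce>)

# Corrected variant: "flush" would kill only the states this rule created
# for the offending host; "flush global" kills every state originating
# from that host regardless of which rule created it, so the ftp session
# is torn down at the same moment the ssh rate limit is exceeded.
pass in on em0 proto tcp to port 22 \
    keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)
```

This only covers addresses that pf itself adds through an overload. For addresses put into the table by some other mechanism (for example `pfctl -t bruteforce -T add <addr>` from a script), there is no rule doing the flushing, so the existing states still have to be killed separately with `pfctl -k <addr>`, which is exactly the two-stage procedure described earlier in the thread.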