Is it possible that I could do something like a better sorting using Tables and PF?
I mean, overload is a great function, but if I use it for several ports I have (as far as I know) to use multiple tables if I wanna know who e.g. does SSH brute-forcing or who does HTTP CGI scanning and such crap. In fact I use "overload" to prevent such things, because they rely on a fast connection and no SSH brute-force application supports throttling (e.g. just 3 attempts in 5 seconds) as far as I know.

Would it be possible to specify e.g. a table like "badguys.ssh", where .ssh means a "subclass" of this table? So I could use one table (badguys) to block all the unwanted connections, but I could e.g. use pfctl to see exactly who got into that table because of SSH brute-force attempts (badguys.ssh).

As I said: for now I would have to create multiple tables and add the count of every table to the others to know how many hosts (in total) got blocked. This would be interesting for analysis purposes only, so I would like to know your opinion about this. Today a script has to count all entries (which works too), but maybe this idea isn't that bad and could get a place with (very) low priority on the developer list?

Kind regards,
Sebastian
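The workaround the message describes (one overload table per service plus a script that totals the entries), as an added example that is not part of the original post. The table names, the HTTP rate limit and the `PFCTL` override variable are assumptions; the total is taken over distinct addresses, because adding the per-table counts would count a host twice if it sits in both tables.

```shell
# pf.conf side, shown as comments (table names and the HTTP limit are assumptions):
#   table <badguys_ssh>  persist
#   table <badguys_http> persist
#   block in quick from <badguys_ssh>
#   block in quick from <badguys_http>
#   pass in proto tcp to port ssh keep state \
#       (max-src-conn-rate 3/5, overload <badguys_ssh> flush global)
#   pass in proto tcp to port www keep state \
#       (max-src-conn-rate 50/5, overload <badguys_http> flush global)

# Command used to query PF; overridable so the script can be tested off-box.
PFCTL=${PFCTL:-pfctl}

# Print the addresses held in one table, one per line, indentation removed.
table_hosts() {
    $PFCTL -t "$1" -T show 2>/dev/null | awk 'NF { print $1 }'
}

# Number of entries in a single table (the per-service view).
table_count() {
    table_hosts "$1" | wc -l | tr -d ' '
}

# Number of distinct addresses across all given tables (the "badguys" view).
total_blocked() {
    for t in "$@"; do
        table_hosts "$t"
    done | sort -u | wc -l | tr -d ' '
}

# Per-table breakdown followed by the de-duplicated total.
report() {
    for t in "$@"; do
        printf '%-16s %s\n' "$t" "$(table_count "$t")"
    done
    printf '%-16s %s\n' "total (unique)" "$(total_blocked "$@")"
}

# Usage on the firewall: report badguys_ssh badguys_http
```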