Chris Smith wrote:
> But with max-src-conn-rate aren't you actually allowing connections? The
> first thing I want to do is block connections, not allow them. Will use of
> max-src-conn-rate work with a block? With attempted connections that
> never get allowed?
A "block" rule will just block all connections. That's easy:

    block in on $if proto tcp from any to ($if) port ssh

Done. No SSH traffic is gonna get through that, that's fer-damned-sure.

(I'll demonstrate first with my own SSH-scanner rule, that being what I
have at hand to work with. Your requirements will be covered below.)

However, if you want to trigger on something, you need to use a "pass"
rule first, to let those connections in:

    pass in on $if proto tcp from any to ($if) port ssh \

EXCEPT for those originating from those thrice-damned SSH spam-scanners
(may their souls be rent with iron claws in the sulfur-pits of Gehenna)
which you want to consign to the Outer Darkness; we discover these after
their fifth (or third, or eighth, or however many-th) connection attempt
in a specified timeframe (here, 30 seconds), which is not "normal"
behavior for SSH:

    flags S/SA keep state ( max-src-conn-rate 5/30, \

... and when that is triggered, you want to not only add them to the
"Outer Darkness" table, which you block with an earlier rule in pf.conf:

    overload <OuterDarknessTable> \

(referencing previous rule:
"block in quick on $if from <OuterDarknessTable> to any")

... you want to flush all states associated with that IP, preventing it
from using a previously-established connection for any nastiness:

    flush \

... and you want that to apply to states generated from any rule, to boot:

    global )

Think of that "max-src-conn-rate" as an exception: "Pass these in, BUT,
if the connection meets this criteria (#conns/time), add it to this table
and purge all states containing this address." That is necessary for the
"triggering" behavior of which you speak.

For your purposes, I would *guess* that the following would work:

    # $internal_net = your internal subnet, $mailhost = your real mail server
    pass in on $net_if proto tcp from $internal_net to ! $mailhost \
        port smtp flags S/SA keep state \
        ( max-src-conn-rate 1/60, overload <InfectedTable> flush global )

with a corresponding rule, placed before it and marked "quick" so the
later "pass" does not override it:

    block in quick on $net_if from <InfectedTable> to any

That should trigger the first time someone diddles an SMTP port that
doesn't belong to your mailserver (the behavior you're looking for),
chucking the unfortunate host onto a blacklist, which you are presumably
checking on a periodic basis (cronjob perhaps, run once every minute or
five:

    pfctl -t InfectedTable -T show

That should mail you only if there is output of that command, i.e. if a
host has been added to that table.)

Caveat: these rules will have to be replicated for each internal network
interface you have.

Caveat #2: unless there's one network interface on your pf box for each
host, the host will still be able to send traffic to anything on its
segment. Restated: you will only be able to quarantine your network on a
per-interface basis.

Hope that helps!

--
(c) 2005 Unscathed Haze via Central Plexus <[EMAIL PROTECTED]>
I am Chaos. I am alive, and I tell you that you are Free. -Eris
Big Brother is watching you. Learn to become Invisible.
|-------- Your message must be this wide to ride the Internet. --------|
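The following is an added illustration, not part of the message above and not pf's own code: a small Python model of what one "pass ... keep state (max-src-conn-rate N/T, overload <table> flush global)" rule does when it sits behind a "block in quick from <table>" rule, fed a constructed sequence of connection attempts. Two simplifications are assumed and labelled in the code: pf computes the rate as a decaying moving average, while this model keeps an exact sliding window of the last T seconds; and the model takes pf's overload check to be "more than N new connections in T seconds" (count strictly greater than the limit), which is why, with the 1/60 rule suggested for SMTP, the first stray connection passes and the second one inside the window trips the table. Verify that edge against your own pf version before relying on it. All addresses and times are constructed for the example.

```python
from collections import defaultdict, deque


class OverloadModel:
    """Model of one pf 'pass ... keep state (max-src-conn-rate N/T,
    overload <table> [flush global])' rule preceded by
    'block in quick from <table>'.

    ASSUMPTION: pf's kernel tracks the rate as a decaying moving average;
    this model uses an exact sliding window of T seconds instead.
    """

    def __init__(self, max_conns, seconds, table, flush=True):
        self.max_conns = max_conns          # N in "max-src-conn-rate N/T"
        self.seconds = seconds              # T in "max-src-conn-rate N/T"
        self.table = table                  # name of the overload table
        self.flush = flush                  # "flush global" present?
        self.tabled = set()                 # addresses currently in <table>
        self.states = []                    # live states: (src, dst, dport, t)
        self.recent = defaultdict(deque)    # per-source times of new connections

    def connect(self, t, src, dst, dport):
        """Handle one new connection attempt at time t (seconds).

        Returns 'blocked' (hit the quick block rule), 'passed' (state
        created) or 'overloaded' (source added to <table>, state killed).
        """
        # The 'block in quick from <table>' rule is evaluated first, so a
        # tabled source never reaches the pass rule again.
        if src in self.tabled:
            return "blocked"

        # The pass rule matched: a state is created and the source-tracking
        # node for src records one more new connection.
        self.states.append((src, dst, dport, t))
        window = self.recent[src]
        while window and t - window[0] >= self.seconds:
            window.popleft()                # forget attempts older than T
        window.append(t)

        # ASSUMPTION: pf's check is 'count > limit', so N connections in T
        # seconds are tolerated and the (N+1)th triggers the overload.
        if len(window) <= self.max_conns:
            return "passed"

        self.tabled.add(src)
        if self.flush:
            # "flush global": every state this address holds, whichever rule
            # created it, is purged, so an old session cannot be reused.
            self.states = [s for s in self.states if s[0] != src]
        else:
            # Without "flush" only the triggering connection is dropped.
            self.states.remove((src, dst, dport, t))
        return "overloaded"


def ssh_scanner_scenario(flush=True):
    """The poster's SSH rule: max-src-conn-rate 5/30, overload
    <OuterDarknessTable>.  Constructed traffic: a scanner with one old idle
    session that then hammers port 22, and an admin opening two sessions."""
    fw = OverloadModel(5, 30, "OuterDarknessTable", flush=flush)
    scanner, admin, host = "203.0.113.7", "198.51.100.4", "192.0.2.10"
    fw.connect(0, scanner, host, 22)                    # old session, long ago
    scanner_verdicts = [fw.connect(100 + i, scanner, host, 22) for i in range(7)]
    admin_verdicts = [fw.connect(100, admin, host, 22),
                      fw.connect(160, admin, host, 22)]  # a minute apart: normal
    return fw, scanner_verdicts, admin_verdicts


def smtp_quarantine_scenario():
    """The rule suggested for Chris: max-src-conn-rate 1/60 on port 25 to
    anything that is not the mail server.  Constructed traffic: an infected
    host talking to three stray SMTP servers within a few seconds."""
    fw = OverloadModel(1, 60, "InfectedTable")
    infected = "10.0.0.23"
    verdicts = [fw.connect(0, infected, "192.0.2.99", 25),
                fw.connect(5, infected, "192.0.2.100", 25),
                fw.connect(6, infected, "192.0.2.101", 25)]
    return fw, verdicts


if __name__ == "__main__":
    fw, scanner, admin = ssh_scanner_scenario()
    print("ssh scanner:", scanner, "admin:", admin)
    print("<OuterDarknessTable>:", sorted(fw.tabled), "live states:", fw.states)
    fw, verdicts = smtp_quarantine_scenario()
    print("smtp:", verdicts, "<InfectedTable>:", sorted(fw.tabled))
```

Running it shows the scanner's sixth attempt inside 30 seconds landing it in the table, its idle session from time 0 being flushed along with the rest, and the admin untouched; re-running ssh_scanner_scenario(flush=False) leaves the scanner's earlier states alive, which is exactly the hole the "flush" keyword closes. The SMTP run shows the 1/60 rule passing the first connection and tabling the host on the second.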