On 2021-10-07, Barbaros Bilek <barbarosb...@gmail.com> wrote:
> Hello misc,
>
> I am trying to block port scanning attempts with OpenBSD 6.9/amd64 + PF.
> At the top of my pf.conf I've added these lines, but it didn't work.
>
> block in quick proto tcp all flags SF/SFRA label bps1
> block in quick proto tcp all flags FPU/SFRAUP label bps3
> block in quick proto tcp all flags /SFRA label bps4
> block in quick proto tcp all flags F/SFRA label bps5
> block in quick proto tcp all flags U/SFRAU label bps6
Why not just "block in quick proto tcp all"? Or are you trying to keep some ports open?

If you do that, then the host can be scanned by some method or other: if you allow connections, then there's no passive method to block; instead you need to detect the scan and block the origin (and that can be worked around too, by scanning from multiple source addresses, but it's harder).

-- 
Please keep replies on the mailing list.
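The two approaches the reply contrasts (default-deny versus detecting the scan and blocking its origin), as an added pf.conf example that is not from either poster. It assumes the external interface is in the "egress" group and that only SSH and HTTPS are meant to be reachable from outside; the table name, label and rate are made up for the example.

```pf
# Added example, not from the thread. Assumes the outside interface is in
# the "egress" interface group and that only ssh and https are public.

table <scanners> persist

# Default-deny replaces the per-flag-combination block rules above: those
# match only unusual flag sets (SYN+FIN, Xmas, null, FIN, URG), while this
# drops everything that is not explicitly passed, whatever the flags.
# With the drop policy a probe to a closed port gets no RST back.
set block-policy drop
block in quick on egress from <scanners> label scanner-blocked
block in log on egress

# Ports that must stay open cannot be protected passively, so track state
# per source address and move any address that opens connections faster
# than 10 per 30 seconds into <scanners>; "flush global" also tears down
# the states that address already holds.
pass in on egress proto tcp to port { ssh https } \
    keep state (max-src-conn-rate 10/30, overload <scanners> flush global)
```

Entries stay in the table until removed; a cron job running `pfctl -t scanners -T expire 86400` drops addresses older than a day, and `pfctl -t scanners -T show` lists what has been caught.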