* Rob <[EMAIL PROTECTED]> [2007-10-24 00:05]:
> I'm not a pf newbie by any means, but I'm not really qualified to
> answer questions about it either. That said, I don't usually use an
> '=' sign in my pf rules, and the pf faq doesn't list that as one of
> the accepted operators for the port range

well, it is valid. the parser is more permissive than what we document.

> (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
> parsed correctly, it would cause the behavior you're seeing. Try,

hell no! if the rule can't be parsed correctly, pfctl throws an error 
of course!

> block in log quick proto tcp port ssh keep state \
>    (source-track rule, max-src-conn-rate 3 / 30 overload
> <sshd_attackers>, src.track 30)
> 
> Note that I wouldn't use a flush global directive for a rule like
> this, because it can lead to a neat DoS where somebody can spoof one
> of your own IP addresses and shut down any ssh sessions you have
> active.

no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus 
making spoofing unfeasible. that info, of course, is in the manpage... 
very loud and clear. why don't you check there before spreading fud on 
the list? this doesn't only comply to you, but is completely beyond me. 
why do we invest lots of time and nerves and whatnot in manpages when 
people do not read them, and instead guess a bit and then spread shit 
because the guess was of course wrong? read the damn manpages!

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
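As an added illustration, not part of this thread or of the pf documentation, here is a pf.conf fragment in the shape Henning describes: a pass rule for ssh whose max-src-conn-rate counter only advances after the TCP handshake completes, feeding an overload table that a block rule consumes, plus the pfctl commands a sysadmin would use to inspect and expire that table. The macro `$ext_if` (set to em0 here) is an assumption; the table name is taken from Rob's rule.

```pf
# Assumed external interface; adjust to the real one.
ext_if = "em0"

# Table that receives offending source addresses. "persist" keeps the
# table around even while no loaded rule references it.
table <sshd_attackers> persist

# Drop sources already listed in the table before they reach the pass rule.
block in quick on $ext_if proto tcp from <sshd_attackers> to any port ssh

# Allow ssh, but track each source address separately: more than 3
# completed TCP connections within 30 seconds adds the source to the table.
# The rate counter is incremented only after the three-way handshake, so a
# spoofed SYN from a forged address cannot trip the overload.
# "flush" (without "global") kills only states created by this rule for
# the offending source; omitting "global" avoids tearing down unrelated
# states.
pass in on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state \
    (source-track rule, max-src-conn-rate 3/30, \
     overload <sshd_attackers> flush)

# Inspect the table:
#   pfctl -t sshd_attackers -T show
# Drop entries older than one hour (run periodically from cron):
#   pfctl -t sshd_attackers -T expire 3600
```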
