Peter N. M. Hansteen wrote:
> Claer <[EMAIL PROTECTED]> writes:
>
>> I always hesitate to use this trick. Could you please elaborate on the
>> implications of this method? Is it still effective?
>
> Yes, it's still effective. You need to put in whatever values you
> feel are appropriate for your network and users. In Lars' example,
>
>> pass in on $ext_if proto tcp to ($ext_if) port ssh \
>> flags S/SA keep state (max-src-conn 4, \
>> max-src-conn-rate 2/60, overload <bruteforce> \
>> flush global)
Actually, it's originally your example ;) since I got it from the copy of
your tutorial that I printed and bound this autumn. It's been invaluable.
I have had your book on order via work for a while now and have been
looking forward to it.

> ... Those values are low enough that you might risk tripping up
> legitimate connections if there are enough users ...

I had them higher for a while but have adjusted them downwards several times.

Regarding NAT, FUNET apparently has complete IPv6 support and I'm waiting
on info from Sonera.

> - Peter
>
> [1] http://home.nuug.no/~peter/pf/en/bruteforce.html goes right to
> this topic, http://home.nuug.no/~peter/pf/ for a choice of formats
>
> [2] http://nostarch.com/pf.htm

BTW the 2008 NORDUnet conference will be in Espoo:
http://www.nordu.net/conference/ndn2008web/home.html
It would be a good context to promote your book, PF, and OpenBSD.

Regards,
-Lars
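The rule quoted in the thread only works in context: the `<bruteforce>` table it feeds has to exist, and a block rule has to consume the table ahead of the pass rule. The pf.conf fragment below is an added example, not taken from Peter's tutorial or from Lars' ruleset; the interface name `em0` is an assumption, and the limits are the ones discussed above.

```pf
# Assumed macro; change to the external interface of the host.
ext_if = "em0"

# The table that the overload clause fills. "persist" keeps the table in
# the kernel even when no loaded rule references it, so its entries
# survive a ruleset reload.
table <bruteforce> persist

# Sources already in the table are dropped here and no later rule is
# evaluated for them ("quick"). This must come before the pass rule,
# because without "quick" the last matching rule wins in PF.
block in quick on $ext_if from <bruteforce>

# The rule from the thread. A source address that holds more than 4
# established connections, or opens more than 2 new ones within 60
# seconds, is added to <bruteforce>; "flush global" then tears down
# every state that address holds on this host, not only the ssh ones.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 4, max-src-conn-rate 2/60, \
     overload <bruteforce> flush global)
```

Two things to keep in mind when tuning this. First, the limits are per source address, so an office behind a single NAT gateway counts as one source, which is exactly how `2/60` trips legitimate users; raise the rate or exempt known networks with an earlier `pass ... quick` rule if that matters. Second, nothing removes addresses from the table by itself: `pfctl -t bruteforce -T show` lists what has been caught, and a periodic `pfctl -t bruteforce -T expire 86400` from cron drops entries older than a day so a mistyped password does not lock a user out forever.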