But what benefit do you expect to get when you block it via a max-src-conn-rate/overload rule or directly via a (default) block rule? Either way you will block the packet.
On Fri, 2008-02-29 at 16:49 -0300, Vinicius Vianna wrote:
> The problem is that these attacks aren't on any pass rule, they are on
> ports that my firewall doesn't permit, so the packet will go to the
> block rule, and I can't use these overload rules with block, can I?
>
> Lars Noodén wrote:
> > Vinicius Vianna wrote:
> >
> >> I got a firewall with openbsd 4.1 and pf and it's receiving a lot of
> >> syn flood attacks and even udp floods,...
> >
> > pass in on $ext_if proto tcp to ($ext_if) port ssh \
> > flags S/SA keep state \
> > (max-src-conn 3, max-src-conn-rate 3/60, overload \
> > <ssh-bruteforce> flush global) \
> > label BLOCKBRUTES
> >
> > Regards,
> > -Lars
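To make the point of the exchange concrete, here is a pf.conf fragment (an added illustration, not from either poster) showing where the overload table fits. The `max-src-conn`/`max-src-conn-rate` options only take effect on a `pass` rule that creates state, so they cannot be attached to a `block` rule; traffic to ports the firewall does not permit already ends in the default block. What the table buys you is that a host which trips the limit on a permitted service is then dropped by an early `block quick` rule for all traffic, before the rest of the ruleset is evaluated. The interface macro, the `ssh-bruteforce` table name and the limits are taken from the quoted rule; `$ext_if` is assumed to be defined elsewhere in the file.

```conf
# Assumed macro; set to the real external interface
ext_if = "em0"

# Table filled by the overload option below; hosts stay in it until
# expired, so reloading the ruleset does not clear it.
table <ssh-bruteforce> persist

# Drop everything from flagged hosts first. "quick" stops rule
# evaluation, so this is the cheapest possible treatment for them.
block in quick on $ext_if from <ssh-bruteforce>

# Default policy: anything not explicitly passed is dropped. Floods
# against closed ports end here; no overload rule can apply to them.
block in on $ext_if

# The only place overload can act: a stateful pass rule. A source that
# exceeds 3 concurrent connections or 3 new connections per 60 s is
# added to the table and its existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/60, \
     overload <ssh-bruteforce> flush global) \
    label BLOCKBRUTES
```

To see who has been flagged and to age entries out, the standard table commands apply: `pfctl -t ssh-bruteforce -T show` lists the current members and `pfctl -t ssh-bruteforce -T expire 86400` removes entries older than a day, which can be run from cron so the table does not grow without bound.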