"ssh" attacks

From: Peter Fraser (pjfthinkage.ca)
Date: Wed May 31 2006 - 13:54:16 CDT


Right now someone is trying out each IP address I have
with an ssh attack. Only one of those IP addresses is
enabled for ssh. I have a "(max-src-conn-rate 100/10,
overload <bad_guys> flush global)" on that address.

I would like to know how to get pf to note these
other attempts and block the sender. To me the obvious
would be

block in on Outsize proto tcp port ssh flags S/SA
 state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

This does not work. One gets a message that keeping state on
a blocked rule makes no sense.