Re: log reason when a packet causes pf to add an IP to a table ?

2021-06-28 Thread Klemens Nanni
On Mon, Jun 28, 2021 at 06:38:21PM +0200, Matthieu Herrb wrote:
> I have rules like this one on the firewalls I manage:
> 
> pass in on $in_if proto tcp from any to  port ssh \
> flags S/SA keep state \
> (source-track rule, max-src-states 30, max-src-conn 20, \
>   max-src-conn-rate 15/30, overload  flush global)
> 
> block log from 
> 
> However some legitimate remote users get their addresses added to the
> ssh-bruteforce table from time to time.
> 
> I'd like to be able to figure out the reason (i.e. which condition
> triggers the overload). Is there a way to have it logged somewhere
> that I'm missing ?

`set debug notice' should syslog(3) addresses being overloaded in the
first place, but I'm fairly certain there is currently no way to get
more than that.
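An added example, not part of either poster's message: since pf does not report which limit fired, one workaround is to replay connection records from another source (sshd logs, for instance) against the rule's thresholds. The event format, function name and sample data are hypothetical, and the sliding window is a simplified model of pf's rate accounting, so results near a threshold are approximate.

```python
from collections import defaultdict, deque

# Thresholds copied from the rule in the thread.
MAX_SRC_CONN = 20                # max-src-conn 20
RATE_COUNT, RATE_SECS = 15, 30   # max-src-conn-rate 15/30
# max-src-states is not modelled: per pf.conf(5), overload acts on the
# limits on established connections (max-src-conn, max-src-conn-rate).

def first_overload(events):
    """events: (time_s, src_ip, 'open' | 'close') tuples sorted by time,
    one per established TCP connection (hypothetical input format).
    Returns {src_ip: (time_s, reason)} for the first limit exceeded."""
    live = defaultdict(int)      # concurrent established connections
    recent = defaultdict(deque)  # open times inside the rate window
    tripped = {}
    for t, src, kind in events:
        if src in tripped:
            continue             # already overloaded; later events ignored
        if kind == "close":
            live[src] = max(0, live[src] - 1)
            continue
        live[src] += 1
        win = recent[src]
        win.append(t)
        while win and win[0] <= t - RATE_SECS:
            win.popleft()        # drop opens older than the window
        if live[src] > MAX_SRC_CONN:
            tripped[src] = (t, "max-src-conn")
        elif len(win) > RATE_COUNT:
            tripped[src] = (t, "max-src-conn-rate")
    return tripped

# Constructed sample data (documentation addresses, not real traffic):
#  198.51.100.7  one short connection per second, e.g. a scripted scp loop
#  203.0.113.9   a new long-lived session every 3 s, never closed
#  192.0.2.4     five sessions spread over 40 s
SAMPLE = sorted(
    [(i, "198.51.100.7", "open") for i in range(20)]
    + [(i + 0.5, "198.51.100.7", "close") for i in range(20)]
    + [(3 * i, "203.0.113.9", "open") for i in range(21)]
    + [(10 * i, "192.0.2.4", "open") for i in range(5)]
)

if __name__ == "__main__":
    for src, (t, reason) in first_overload(SAMPLE).items():
        print(f"{src}: {reason} exceeded at t={t}s")
```
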



log reason when a packet causes pf to add an IP to a table ?

2021-06-28 Thread Matthieu Herrb
Hi

I have rules like this one on the firewalls I manage:

pass in on $in_if proto tcp from any to  port ssh \
flags S/SA keep state \
(source-track rule, max-src-states 30, max-src-conn 20, \
max-src-conn-rate 15/30, overload  flush global)

block log from 

However some legitimate remote users get their addresses added to the
ssh-bruteforce table from time to time.

I'd like to be able to figure out the reason (i.e. which condition
triggers the overload). Is there a way to have it logged somewhere
that I'm missing ?

Thanks in advance,
-- 
Matthieu Herrb