Peter N. M. Hansteen wrote:
> "Dan Mahoney, System Admin" <[EMAIL PROTECTED]> writes:
>> I've found a few things based on openBSD's pf, but that doesn't seem to be 
>> the default in BSD either.
> Recent BSDs (all of them, FreeBSD 5.n/6.n included) have PF in the base 
> system.
> 'overload' rules are fairly easy to set up, eg 
> table <bruteforce> persist
> #Then somewhere fairly early in your rule set you set up to block from the 
> bruteforcers
> block quick from <bruteforce>
> #And finally, your pass rule.
> pass inet proto tcp from any to $localnet port $tcp_services \
>         flags S/SA keep state \
>       (max-src-conn 100, max-src-conn-rate 15/5, \
>          overload <bruteforce> flush global)
> for more detailed discussion see eg 

The really nice thing about this pf based technique is that it does not
need to scan log files (like most of the other brute force blockers). So
you can use it on a gateway firewall to protect a whole network of
machines behind it.

Although in that case having a whitelist of IPs that are always allowed
to connect would be sensible.



Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP:         Ramsgate
                                                      Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to