On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
:Hello,
:
:Zombies are often attacking ports which don't have services running,
:such as telnet (most popular indeed....), mysql, 3551, 8080, 13272, etc.
:
:With a default pf block drop in on $ext_if, how can those source ips be
:added to a <scanners> table? Which all can be dropped & small queued.
:
:I've tried to overload a match statement, but that won't work.
:

I've been playing with this, too. Overload won't work until the packet
is processed by a userland process.

:Or is there something handy in ports to help?
:

I don't know of any, but I have such a thing on my TODO. Annoyingly,
that TODO list is too long. If you beat me to it, please share :).

:Thanks.
:--
:By the time they had diminished from 50 to 8,
:the other dwarves began to suspect "Hungry" ...
:	-- Gary Larson, "The Far Side"
:

-- 
Ed Sullivan will be around as long as someone else has talent.
		-- Fred Allen
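
One way to get blocked sources into the <scanners> table without overload, as an added example that is not part of the original thread: log the dropped packets and feed the pflog text through a small filter. It assumes the block rule carries "log", that input is the text printed by tcpdump -n -e -ttt -i pflog0, and that the sample lines, the function names and the distinct-port threshold are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes the block rule carries "log",
# e.g. "block drop in log on $ext_if", so dropped packets reach pflog0.

# Constructed sample of "tcpdump -n -e -ttt -i pflog0" text output.
sample_log() {
cat <<'EOF'
Sep 23 18:14:51.100000 rule 0/(match) block in on em0: 198.51.100.7.40112 > 192.0.2.10.23: S 1:1(0) win 5840
Sep 23 18:14:52.100000 rule 0/(match) block in on em0: 198.51.100.7.40113 > 192.0.2.10.3306: S 1:1(0) win 5840
Sep 23 18:14:53.100000 rule 0/(match) block in on em0: 203.0.113.9.51000 > 192.0.2.10.8080: S 1:1(0) win 5840
Sep 23 18:14:54.100000 rule 0/(match) block in on em0: 203.0.113.9.51001 > 192.0.2.10.8080: S 1:1(0) win 5840
Sep 23 18:14:55.100000 rule 0/(match) block in on em0: 203.0.113.77 > 192.0.2.10: icmp: echo request
Sep 23 18:14:56.100000 rule 3/(match) pass in on em0: 203.0.113.50.40000 > 192.0.2.10.22: S 1:1(0) win 5840
EOF
}

# scanner_ips MIN: print each IPv4 source blocked inbound on at least MIN
# distinct destination ports (hypothetical helper; MIN defaults to 1).
scanner_ips() {
    awk -v min="${1:-1}" '
    / block in on / {
        src = ""
        for (i = 2; i < NF; i++)
            if ($i == ">") { src = $(i - 1); port = $(i + 1); break }
        # Require addr.port form; portless packets (ICMP) are skipped.
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        sub(/\.[0-9]+$/, "", src)                    # strip source port
        sub(/:$/, "", port); sub(/^.*\./, "", port)  # keep destination port
        if (!((src, port) in seen)) {
            seen[src, port] = 1
            if (!(src in hits)) order[++cnt] = src
            hits[src]++
        }
    }
    END { for (i = 1; i <= cnt; i++) if (hits[order[i]] >= min) print order[i] }'
}

# Dry run: print the pfctl commands instead of executing them.
pfctl_cmds() {
    while read -r ip; do
        printf 'pfctl -t scanners -T add %s\n' "$ip"
    done
}

sample_log | scanner_ips 2 | pfctl_cmds
```

With a threshold of 1 every blocked source is listed, which matches the original request; a higher threshold keeps a single stray packet from putting an address in the table.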