Ray Lai wrote:
I thought you meant you could do something like:

        block in log-table <zombie> to port 25

where <zombie> is updated automatically.

If you read up on PF and look at what I sent you, you will see that <bad_ssh> IS updated automatically.

That's what the line:

(max-src-conn-rate 5/30, overload <bad_ssh> flush global)

does. After 5 connections in 30 seconds, the IP address is put automatically into the table <bad_ssh> and flush global removes any state in the PF table.

Just adjust the max-src-conn-rate 5/30 for what you want.

Hope this makes it more clear.

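Added example, not part of the original message: a pf.conf fragment showing where the quoted option line sits in a working rule set. The interface macro `ext_if`, its value `em0`, the `persist` table declaration, the block rule and the choice of port 22 are assumptions made for illustration; only the parenthesized options come from the message.

```pf
# Constructed example. ext_if and em0 are assumed names.
ext_if = "em0"

# The table that the overload option fills. "persist" keeps the table
# in memory even when no rule currently references an entry.
table <bad_ssh> persist

# Drop everything from addresses already in the table. "quick" stops
# rule evaluation here, so the pass rule below is never reached for them.
block in quick on $ext_if from <bad_ssh>

# Allow ssh, but track each source address:
#   max-src-conn-rate 5/30  -> more than 5 new connections in 30 seconds
#   overload <bad_ssh>      -> the source address is added to <bad_ssh>
#   flush global            -> existing states from that source are
#                              removed, including states created by
#                              other rules
pass in on $ext_if proto tcp to port 22 flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bad_ssh> flush global)

# Checks from the shell once the rule set is loaded:
#   pfctl -nf /etc/pf.conf              parse the file without loading it
#   pfctl -t bad_ssh -T show            list addresses currently in the table
#   pfctl -t bad_ssh -T expire 86400    drop entries older than one day
```

Entries stay in the table until they are removed, so a periodic `pfctl -T expire` run (for example from cron) is what keeps a once-noisy address from being blocked indefinitely.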