Hello Peter,

I think you are suggesting a workaround like max-src-conn-rate, right?

On Sat, Oct 9, 2021 at 5:07 PM Peter Nicolai Mathias Hansteen <pe...@bsdly.net> wrote:

>
>
> > On 7 Oct 2021 at 15:58, Barbaros Bilek <barbarosb...@gmail.com> wrote:
> >
> > Hello misc,
> >
> > I try to block port scanning attempts with OpenBSD 6.9/amd64 + PF.
> > At the top of my pf.conf i've added these lines but it didn't work.
> >
> > block in quick proto tcp all flags SF/SFRA label bps1
> > block in quick proto tcp all flags FPU/SFRAUP label bps3
> > block in quick proto tcp all flags /SFRA label bps4
> > block in quick proto tcp all flags F/SFRA label bps5
> > block in quick proto tcp all flags U/SFRAU label bps6
>
> I personally find rules that specific to be too much work to even decipher.
>
> What is it you are trying to achieve here?
>
> If you want specifically to detect port scans, I have a hunch you would be
> better off constructing something out of state tracking options and
> overload tables.
>
> That said, I have tended to generally recommend to start off your rules
> with a "block" (which will expand to "block drop all"), then fill in the
> ruleset with pass rules and whatever else you need that will let the
> traffic you want to allow to pass.
>
> If you search the net with the obvious keywords you will find quite a few
> examples that can be quite instructive (including some of my own screeds at
> the first URL in my .signature).
>
> All the best,
> Peter N. M. Hansteen
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

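The state-tracking-plus-overload-table approach Peter points at, together with the max-src-conn-rate option asked about above, as an added pf.conf sketch (not code from either poster). The interface group `egress`, the table name `scanners`, the port list and the limits are all assumed values to adapt.

```pf
# Assumed interface group and table name; adjust to your setup.
ext_if = "egress"
table <scanners> persist

# Default deny, as Peter recommends: "block" expands to "block drop all".
# "log" sends the dropped probes to pflog so scans of closed ports are visible.
block log

# Sources already in the table are dropped before any pass rule is consulted.
block in quick on $ext_if from <scanners>

# Allow only the services you actually run, with per-source limits:
#   max-src-conn 10        at most 10 TCP connections that completed the
#                          three-way handshake from one source address
#   max-src-conn-rate 15/5 at most 15 new states from one source in any
#                          5-second window
#   overload <scanners>    a source exceeding either limit is added to the
#   flush global           table and all of its existing states, on any
#                          rule, are removed
pass in on $ext_if proto tcp to port { ssh, www, https } \
    keep state (max-src-conn 10, max-src-conn-rate 15/5, \
                overload <scanners> flush global)

pass out on $ext_if keep state
```

Inspect and age the table with `pfctl -t scanners -T show` and `pfctl -t scanners -T expire 86400`. Probes to ports no pass rule covers never create state, so they only appear in pflog via the `block log` rule, not in the table.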