Evangelos Tsiaplas <[email protected]> writes:

> Hello all, I was recently asked a question on the daemonforums about how to
> block and table port 22 attempts. Basically what I thought would work with
> the following does not seem to be loading the block rule, not certain if
> blocking and tables do not mix.

If what you pasted is your actual config, it won't load. 'create' is not valid.

> table <port22bad> create
> block drop log quick from { <port22bad> }
> block drop log quick on $EXT inet proto tcp from any to port 22 <- works
> fine but would like to add to table port22bad, i tried syntax similar to "(
> overload <port22bad> flush global)"

Ah, so you want to block access to ssh and then for good measure add
those who try anyway to a table?  There is no support for that in the
current PF syntax, sorry.  Block rules do not create state.

One possible way to do what you're asking about would be to read the
pflog and extract the IP addresses from there for further processing.

The other option is to go with a pass rule with suitably restrictive
overload criteria.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
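The second option Peter mentions, a pass rule with overload criteria, written out as pf.conf. This is an added example, not part of the thread and not anything either poster wrote. The interface name em0, the table name port22bad and the 3-connections-per-60-seconds threshold are assumptions chosen for illustration. Note that this approach necessarily lets ssh through at a limited rate, because only a pass rule creates the state PF needs to count attempts per source; if ssh must stay closed entirely, the pflog route is the one that applies.

```pf
# Added example: rate-limit inbound ssh and move abusers into a table.
# Assumed names: em0, <port22bad>. Thresholds are illustrative.
ext_if = "em0"

# "persist" keeps the table defined even while it is empty.
table <port22bad> persist

# Anything already in the table is dropped outright and logged.
block drop in log quick on $ext_if from <port22bad>

# The pass rule creates state, so PF can count new connections per source.
# More than 3 new connections in 60 seconds from one address puts that
# address into <port22bad>; "flush global" also kills its existing states.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 3/60, overload <port22bad> flush global)
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -t port22bad -T show` lists who has been caught, and a periodic `pfctl -t port22bad -T expire 86400` removes entries older than a day so the table does not grow without bound.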

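The first option Peter describes, reading the pflog and extracting addresses for further processing, as an added example that is not from the thread. It assumes the blocked packets were logged by a `block ... log` rule and that the log is read with `tcpdump -n -e -r /var/log/pflog`; the sample lines embedded below are constructed to resemble that output (the exact layout differs between tcpdump versions, so adjust the pattern to what your system prints). The table name port22bad and interface em0 are assumptions.

```shell
#!/bin/sh
# Added example: pull source addresses of blocked inbound TCP/22 attempts
# out of tcpdump-style pflog text, ready to be fed to a PF table.
# Assumed: interface em0, table <port22bad>. Sample lines are constructed.

# Constructed sample of `tcpdump -n -e -r /var/log/pflog` output.
# Lines 1-3: blocked ssh attempts (one source twice). Line 4: blocked
# port 80, not ours. Line 5: a passed ssh connection, not ours either.
SAMPLE_PFLOG='rule 2/(match) block in on em0: 203.0.113.5.51234 > 198.51.100.7.22: S 10:10(0) win 65535
rule 2/(match) block in on em0: 198.51.100.9.40001 > 198.51.100.7.22: S 11:11(0) win 65535
rule 2/(match) block in on em0: 203.0.113.5.51235 > 198.51.100.7.22: S 12:12(0) win 65535
rule 4/(match) block in on em0: 192.0.2.77.3333 > 198.51.100.7.80: S 13:13(0) win 65535
rule 5/(match) pass in on em0: 192.0.2.88.4444 > 198.51.100.7.22: S 14:14(0) win 65535'

# Read pflog text on stdin; print each distinct IPv4 source that was
# blocked on its way to TCP port 22, one per line, sorted.
# Only "block in" lines whose destination ends in ".22:" are counted,
# so passed connections and other ports never end up in the table.
extract_blocked_ssh_sources() {
    sed -n -E 's/^.*block in on [^:]+: ([0-9]+(\.[0-9]+){3})\.[0-9]+ > [0-9.]+\.22: .*/\1/p' |
        sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | extract_blocked_ssh_sources
```

On a live system the pipeline becomes `tcpdump -n -e -r /var/log/pflog | extract_blocked_ssh_sources | xargs -r pfctl -t port22bad -T add`, with `table <port22bad> persist` and a `block drop quick from <port22bad>` rule in pf.conf. Keep in mind that a plain block rule logs every packet, so a retrying client shows up many times; the `sort -u` is what keeps the table additions idempotent.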