Hi there, We'd like to use pf to catch -- and block -- Windows hosts that we believe have been compromised. One common thing they do is generate a lot of ICMP traffic, probably some nachi-type DoS flood tool.
It seems that max-src-conn-rate, and its friend, overload, only seem to work with TCP, and the pf.conf docs seem to agree. Is there any way we can have a machine, which generates a high amount of ICMP traffic, be snarfed into some overload table so we can give them a "please call us" http forced response? Thanks, --Jim
