On 14:48, Wed 22 Feb 06, Chris Smith wrote:
> In addition to preventing infected PC's from using their own SMTP engine
> to send out spam by blocking port 25 from all but the mail server. I
> would also like to add those hosts automatically to a table in order to
> block their access altogether so that the infected PC's cannot attempt
> other damage. How can this be accomplished?

Hi,

You can use the max-src-conn-rate for this.
I block users who make more than 2 ssh connections in 10 seconds like this:

    pass in on $ext_if proto tcp from any to any \
            port ssh flags S/SA keep state \
            (max-src-conn 10, max-src-conn-rate 2/10, \
            overload <ssh_attack> flush)

I guess you could use something like max-src-conn-rate 1/10

Greetz,

-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"
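
Added example, not part of the original message: the SSH rule from the reply adapted to the SMTP case in the question, as a pf.conf fragment. The interface name, the mail server address and the table name <smtp_abuse> are assumptions, and `flush global` is used instead of plain `flush` so that all of an offender's states are dropped.

```pf
# Constructed values; adjust to the local network.
int_if      = "em1"          # assumed internal interface
mail_server = "192.0.2.25"   # assumed mail server (documentation address)

# Hosts caught by the overload rule below end up here.
table <smtp_abuse> persist

# Anything already in the table loses all access through the firewall.
block in quick on $int_if from <smtp_abuse> to any

# The mail server itself may send mail without a rate limit.
pass in quick on $int_if proto tcp from $mail_server to any \
        port smtp flags S/SA keep state

# Every other internal host: more than 1 SMTP connection in 10 seconds
# puts the source address into <smtp_abuse> and kills its states.
# This has to be a pass rule: max-src-conn-rate counts only connections
# that completed the TCP handshake, so a plain "block ... port smtp"
# rule would never populate the table. The trade-off is that a host's
# first connection in each window is let through.
pass in on $int_if proto tcp from any to any \
        port smtp flags S/SA keep state \
        (max-src-conn-rate 1/10, overload <smtp_abuse> flush global)
```

`pfctl -t smtp_abuse -T show` lists the addresses that have been added to the table.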