It would be nice if you could do something like:
block in on $ext_if proto {tcp, udp} from any to any port 135:139
overload <infected> flush global
Michiel van Baak wrote:
> On 14:48, Wed 22 Feb 06, Chris Smith wrote:
>> In addition to preventing infected PCs from using their own SMTP engine
>> to send out spam by blocking port 25 from all but the mail server, I
>> would also like to add those hosts automatically to a table in order to
>> block their access altogether so that the infected PCs cannot attempt
>> other damage. How can this be accomplished?
>
> Hi,
>
> You can use the max-src-conn-rate for this.
> I block users who make more than 2 ssh connections in 10
> seconds like this:
>
> pass in on $ext_if proto tcp from any to any \
> port ssh flags S/SA keep state \
> (max-src-conn 10, max-src-conn-rate 2/10, \
> overload <ssh_attack> flush)
>
> I guess you could use something like max-src-conn-rate 1/10
>
> Greetz,
>
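
The suggestion above combined into one pf.conf fragment, as an added example that is not part of the original thread: pf accepts `overload` only on a stateful `pass` rule and counts only TCP connections that completed the handshake, so the rate limit sits on a pass rule and a separate `block` rule consumes the table. The macro values, the interface name and the mail server address are assumptions.

```pf
# Added example; macros and addresses are assumed, not from the thread.
int_if      = "fxp1"         # LAN-facing interface (assumed name)
mail_server = "192.0.2.25"   # constructed address of the real mail server

# Table filled by the overload option below; "persist" keeps it
# in place even while no rule has put an address into it yet.
table <infected> persist

# Hosts that landed in the table lose all access. "quick" stops
# evaluation here, so no later pass rule can let them through.
block in quick on $int_if from <infected> to any

# The mail server may open SMTP connections without a rate limit.
pass in quick on $int_if proto tcp from $mail_server to any \
    port smtp flags S/SA keep state

# Any other host: more than 1 SMTP connection in 10 seconds moves
# the source address into <infected>. "flush global" then kills
# every state that source holds, not only those made by this rule.
pass in on $int_if proto tcp from any to any \
    port smtp flags S/SA keep state \
    (max-src-conn-rate 1/10, overload <infected> flush global)

# Inspect or clear the table from the shell:
#   pfctl -t infected -T show
#   pfctl -t infected -T delete <address>
```

Nothing leaves the table on its own: an address stays blocked until it is deleted with pfctl, so a cleaned machine has to be removed by hand.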