On 10/23/07, david l goodrich  wrote:

quoted text
> Nobody?  Sad, it's still doing it.

>

>

> On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:

> > I've set up a max-src-conn-rate rule on my gateway router to

> > mitigate brute-force ssh attacks.  This router protects a /28

> > subnet, 25.108.82.80/28.

> >

> > The relevant rules:

> >

> > # pfctl -sr | grep attack

> > block drop in log quick proto tcp from  to any

> > pass in log proto tcp from any to any port = ssh keep state

> > (source-track rule, max-src-conn-rate 3/30, overload

> >  flush global, src.track 30)

> > #

> >

> > What the three columns of output in the below tcpdump output are:

> > timestamp, rule action, and target host.  As you can tell from

> > the tcpdump command, the sending host is the same in all cases,

> > 208.53.147.204

I'm not a pf newbie by any means, but I'm not really qualified to

answer questions about it either. That said, I don't usually use an

'=' sign in my pf rules, and the pf faq doesn't list that as one of

the accepted operators for the port range

(http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being

parsed correctly, it would cause the behavior you're seeing. Try,
block in log quick proto tcp port ssh keep state \

   (source-track rule, max-src-conn-rate 3 / 30 overload

, src.track 30)
Note that I wouldn't use a flush global directive for a rule like

this, because it can lead to a neat DoS where somebody can spoof one

of your own IP addresses and shut down any ssh sessions you have

active.
Here's a working sample from my own currently active pf file:
pass in on $ext proto tcp to  port smtp keep state \

   (max-src-conn 15 max-src-conn-rate 10 / 45 overload ) \

   queue 6smtp
(FYI, the smtp-overload table moves traffic to a queue that simply

throttles the connections a little.)
- R.