* Rob <robsheldon@gmail.com> [2007-10-24 00:05]:
quoted text
> I'm not a pf newbie by any means, but I'm not really qualified to
> answer questions about it either. That said, I don't usually use an
> '=' sign in my pf rules, and the pf faq doesn't list that as one of
> the accepted operators for the port range

well, it is valid. the parser is morepermissive than what we document.

quoted text
> (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
> parsed correctly, it would cause the behavior you're seeing. Try,

hell no! if the rule can't be parsed correctly, pfctl throws an error 
of course!

quoted text
> block in log quick proto tcp port ssh keep state \
>    (source-track rule, max-src-conn-rate 3 / 30 overload
> <sshd_attackers>, src.track 30)
> 
> Note that I wouldn't use a flush global directive for a rule like
> this, because it can lead to a neat DoS where somebody can spoof one
> of your own IP addresses and shut down any ssh sessions you have
> active.

no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus 
making spoofing unfeasible. that info, of course, is in the manpage... 
very loud and clear. why don't you check there before spreading fud on 
the list? this doesn't only comply to you, but is completely beyond me. 
why dowe invest lots of time and nerves and whatnot in manpages when 
people do not read them, and instead guess a bit and then spread shit 
because the guess was of course wrong? read the damn manpages!

-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam