* Rob  [2007-10-24 00:05]:

quoted text
> I'm not a pf newbie by any means, but I'm not really qualified to

> answer questions about it either. That said, I don't usually use an

> '=' sign in my pf rules, and the pf faq doesn't list that as one of

> the accepted operators for the port range

well, it is valid. the parser is morepermissive than what we document.
> (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being

quoted text
> parsed correctly, it would cause the behavior you're seeing. Try,

hell no! if the rule can't be parsed correctly, pfctl throws an error

of course!
> block in log quick proto tcp port ssh keep state \

quoted text
>    (source-track rule, max-src-conn-rate 3 / 30 overload

> , src.track 30)

>

> Note that I wouldn't use a flush global directive for a rule like

> this, because it can lead to a neat DoS where somebody can spoof one

> of your own IP addresses and shut down any ssh sessions you have

> active.

no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus

making spoofing unfeasible. that info, of course, is in the manpage...

very loud and clear. why don't you check there before spreading fud on

the list? this doesn't only comply to you, but is completely beyond me.

why dowe invest lots of time and nerves and whatnot in manpages when

people do not read them, and instead guess a bit and then spread shit

because the guess was of course wrong? read the damn manpages!
--

Henning Brauer, hb@bsws.de, henning@openbsd.org

BS Web Services, http://bsws.de

Full-Service ISP - Secure Hosting, Mail and DNS Services

Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam