On 10/24/07, Henning Brauer  wrote:

quoted text
> * Rob  [2007-10-24 00:05]:

> > Note that I wouldn't use a flush global directive for a rule like

> > this, because it can lead to a neat DoS where somebody can spoof one

> > of your own IP addresses and shut down any ssh sessions you have

> > active.

>

> no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus

> making spoofing unfeasible. that info, of course, is in the manpage...

> very loud and clear. why don't you check there before spreading fud on

> the list?

I was quoting that from memory, specifically from Joachim Schipper's

comment on August 9th: "Or maybe not - 'flush' enables an attacker to

not only prevent you connecting, but actually to log you out as well."

(http://marc.info/?l=openbsd-misc&m=118665539219389&w=2)
I managed to miss the follow-up post on the 3-way-handshake.
> this doesn't only comply to you, but is completely beyond me.

quoted text
> why dowe invest lots of time and nerves and whatnot in manpages when

> people do not read them, and instead guess a bit and then spread shit

> because the guess was of course wrong? read the damn manpages!

People read the man pages. I would sooner read, re-read, and then

study the man pages, then perform background research, experiment, and

then write sample code, before asking a question on this list.
The guy's question had languished for 2 days. I didn't bother to go

back through the 2,079 lines of pf.conf manpage to get the correct

answer; my bad. I had five minutes today in which I wasn't catching

shit from someone else, so I thought I'd give a best guess and catch

some shit here instead.
- R.