Re: SSH brute force attacks no longer being caught by PF rule

From: Joachim Schipper
Date: Thursday, August 9, 2007 - 12:43 pm

On Thu, Aug 09, 2007 at 10:29:19AM -0700, David Newman wrote:

Yes.


No, more along the lines of

pass in log quick on $unpro inet proto tcp \
	to port ssh keep state $SSH_LIMIT

(Note that 'flags S/SA' and 'keep state' are the default in 4.1 and
later, but 'keep state' must be explicitly given for $SSH_LIMIT -
'(max-src-conn-rate 3/30, overload <scanners>)' - to be legal.)

Or, if you want to add ! $unpro:network,

pass in log quick on $unpro inet proto tcp \
	from ! $unpro:network to port ssh keep state $SSH_LIMIT

where my $SSH_LIMIT is different from yours, missing 'flush global'.

All of this looks a lot like IPTables-in-pf, though [1]. And only works
because you have a 'default allow' policy (the above rule does not match
on traffic from the local network, but with a 'default deny' policy this
would mean you would be unable to ssh from the local network at all.
Which is not what you want.) The way I'd write this rule would be

pass in on $unpro inet proto tcp to port ssh \
	keep state (max-src-conn-rate 3/30, overload <scanners>)
pass in on $unpro inet proto tcp from $unpro:network to port ssh

which a) works with a 'default deny' policy, should you ever implement
one, and b) also avoids defining a macro that's only used once and does
not necessarily clarify matters.

		Joachim

[1] I should know, I spent half the day writing pf-in-IPTables. Debian
is fine, for some values of fine, for webservers, but firewalls... well,
just note there's no MoTD below.

-- 
It can be difficult to translate into iptables the artistic intent of a
pf rule that says "pass out quick on $cheap_gin"
	-- Anthony de Boer, in ASR
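The following is an added example, not a ruleset from the poster or from the thread: a minimal default-deny pf.conf skeleton around the two-rule shape described above, showing the pieces the message takes for granted (the <scanners> table, a block rule that consumes it, and the pfctl housekeeping commands). The interface name behind the $unpro macro is an assumption; 'flush global' is included as the variant the thread mentions, with a comment noting that the poster's own $SSH_LIMIT omits it.

```pf
# Added example, not the poster's own ruleset: a complete default-deny
# skeleton around the rule shape discussed in the thread.
# The interface name is assumed; $unpro stands for the unprotected side.
unpro = "em0"

# Table that 'overload' fills. 'persist' keeps the table (and its entries)
# alive even while no loaded rule references it, e.g. during a reload.
table <scanners> persist

# Default deny on the external interface.
block in on $unpro

# Sources already flagged as scanners are dropped before any pass rule is
# considered; 'quick' stops rule evaluation so later pass rules cannot
# override this block.
block in quick on $unpro from <scanners>

# SSH from anywhere: more than 3 new connections in 30 seconds from one
# source adds that source to <scanners>. 'flush global' additionally kills
# every state that source already holds; the poster's own $SSH_LIMIT
# leaves it out, in which case only new connections are affected.
pass in on $unpro inet proto tcp to port ssh \
	keep state (max-src-conn-rate 3/30, overload <scanners> flush global)

# Local network gets SSH without the rate limit. The last matching rule
# wins in pf (no 'quick' here), so this rule is the one applied to local
# sources and they are never added to <scanners>.
pass in on $unpro inet proto tcp from $unpro:network to port ssh

# Housekeeping (run as root):
#   pfctl -nf /etc/pf.conf              syntax-check before loading
#   pfctl -t scanners -T show           list flagged sources
#   pfctl -t scanners -T expire 86400   drop entries older than one day
```

Because a source in <scanners> is blocked by the 'quick' rule before the SSH pass rule is reached, entries never age out on their own; the 'expire' command (or a cron job around it) is what turns the table into a temporary ban rather than a permanent one.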
