I could use some help with a pf firewall I can't get to work. For some reason, ping/icmp won't get blocked by overload.
This works for ssh connections:
Code:
table <bruteforce> persist
block drop in log quick on $ext_if inet proto tcp from <bruteforce> port 22
pass in log on $ext_if inet proto tcp to port 22 keep state (max-src-conn 15, max-src-conn-rate 3/1, overload <bruteforce> flush global)
This does exactly what I would expect it to do: when a source IP sends more than 3 requests over TCP/22 in 1 second, the IP gets added to <bruteforce>, the connection drops and the source IP can't make new connections. But something similar for ICMP (echoreq) just won't work:
Code:
table <blacklistping> persist
block drop in log quick on $ext_if from <blacklistping>
pass in log on $ext_if inet proto icmp icmp-type { echoreq unreach } keep state (max-src-conn 3, max-src-conn-rate 1/10, overload <blacklistping> flush global)
1/10 (1 per 10 seconds) should be a pretty aggressive setting, but even when sending 100 ping requests in 1 second, they all just get answered without getting blocked. The source IP for some reason doesn't get added to the <blacklistping> table.
Anyone any idea what I'm doing wrong? Thanks in advance for any help!
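
pf.conf(5) documents max-src-conn, max-src-conn-rate and overload as limits on TCP connections that have completed the 3-way handshake, so they are never enforced for ICMP states. The following is an added example, not part of the original post: a small Python check that flags pass rules attaching those options to a non-TCP protocol. The function names are hypothetical, and the sample ruleset is the two pass rules quoted in the post.

```python
import re

# Options pf.conf(5) describes as limits on TCP connections that have
# completed the 3-way handshake; they are not enforced for other protocols.
TCP_ONLY = ("max-src-conn", "max-src-conn-rate", "overload")

# The two pass rules quoted in the post above.
SAMPLE = """\
pass in log on $ext_if inet proto tcp to port 22 keep state (max-src-conn 15, max-src-conn-rate 3/1, overload <bruteforce> flush global)
pass in log on $ext_if inet proto icmp icmp-type { echoreq unreach } keep state (max-src-conn 3, max-src-conn-rate 1/10, overload <blacklistping> flush global)
"""

def rule_protocols(rule):
    """Protocols named after 'proto', or an empty set if the rule names none."""
    m = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", rule)
    if not m:
        return set()
    return {p for p in re.split(r"[\s,]+", m.group(1).strip("{} ")) if p}

def tcp_only_options(rule):
    """TCP-only options found inside the rule's state-option parentheses."""
    m = re.search(r"\b(?:keep|modulate|synproxy)\s+state\s*\(([^)]*)\)", rule)
    words = re.findall(r"[a-z-]+", m.group(1)) if m else []
    return [opt for opt in TCP_ONLY if opt in words]

def lint(ruleset):
    """Return (line number, non-TCP protocols, TCP-only options) per flagged pass rule."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()  # drop trailing comments
        opts = tcp_only_options(rule)
        if not rule.startswith("pass") or not opts:
            continue
        # A rule without 'proto' matches every protocol, reported here as "any".
        protos = rule_protocols(rule) or {"any"}
        non_tcp = sorted(protos - {"tcp"})
        if non_tcp:
            findings.append((lineno, non_tcp, opts))
    return findings

if __name__ == "__main__":
    for lineno, protos, opts in lint(SAMPLE):
        print(f"line {lineno}: {', '.join(opts)} has no effect for proto {', '.join(protos)}")
```

The max-src-states option, which caps state entries per source address, is not TCP-specific, but it does not feed an overload table.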