I am considering a pf rule like this:
Code:
# pf.conf requires a backslash to continue a rule onto the next line
pass in on $ext_if inet proto tcp \
    from <ssh_clients> \
    to ($ext_if) port $myssh keep state \
    (max-src-conn 9, max-src-conn-rate 2/5, \
    overload <blocked_guests> flush global)
But I am not sure if allowing ssh connections only from a whitelist (ssh_clients) will still allow for the brute-forcers table (unwelcome_guests) to be populated. My vague suspicion is that since the rule will ignore those requests anyway, it might not get so far as overloading them into the table. Or will it? I guess it boils down to how pf actually executes rules...
And if it won't, how can I do both - accept connections "from" only a predetermined table, and also add brute-forcers into the corresponding table? Does it make sense to do both?
Lastly: which is more efficient - blacklisting or whitelisting? Or a combination of both?
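A pf.conf fragment, added here as an illustration and not part of the original post, showing a whitelist pass rule and an overload table side by side; $ext_if, $myssh, the table names and the file path are placeholders. It relies on the fact that pf creates state, and therefore evaluates overload, only for connections that actually match the stateful pass rule:

```pf
# Constructed example; interface, port, table and file names are placeholders.
ext_if = "em0"
myssh  = "22"

table <ssh_clients>      persist file "/etc/pf/ssh_clients"   # trusted sources
table <unwelcome_guests> persist                              # filled by overload

# 1. Anything already overloaded is dropped first. "quick" stops evaluation
#    here, so an overloaded address can never reach the pass rule below.
block in quick on $ext_if inet proto tcp \
    from <unwelcome_guests> to ($ext_if) port $myssh

# 2. Only whitelisted sources match this rule. Because the limits are
#    attached to it, only connections that create state through it are
#    counted: a trusted host that opens more than 9 concurrent sessions or
#    more than 2 new ones per 5 seconds is added to <unwelcome_guests> and
#    all of its states are flushed ("flush global").
pass in on $ext_if inet proto tcp \
    from <ssh_clients> to ($ext_if) port $myssh \
    keep state (max-src-conn 9, max-src-conn-rate 2/5, \
    overload <unwelcome_guests> flush global)

# 3. Every other source matches no pass rule, so no state is created and
#    overload never fires for it; the default deny handles it and it is
#    simply never recorded in the table.
block in on $ext_if inet proto tcp to ($ext_if) port $myssh

# Inspect and age out the table from the shell (real pfctl options):
#   pfctl -t unwelcome_guests -T show
#   pfctl -t unwelcome_guests -T expire 3600   # drop entries older than 1h
```

The consequence is that the overload table only ever contains whitelisted addresses that misbehaved; addresses outside <ssh_clients> are blocked but not tracked.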