Need Help With Basic PF Rules

I have a machine running FreeBSD 7.1 on my home network. It sits behind my router/firewall and the only internet traffic it sees is for ssh. I am new to PF (and firewalls in general) and am trying to write a rule which will simply block any host that tries to connect more than 3 times per minute while allowing all local traffic (192.168.*.*) to pass with no blocking.

I've read various articles and I think I have something close, but it does not block ssh even if I connect 10 times per minute.

Thanks in advance for any help you may be able to provide.
Contents of my pf.conf file:
Code:
int_if="fxp0"

# hosts that exceed the limits in the pass rule below are added to this table;
# "persist" keeps the table defined even while it is empty
table <abusive_hosts> persist
block in quick from <abusive_hosts>

# ssh to the LAN range: a source that opens more than 3 connections in 60
# seconds, or holds more than 10 at once, is put into the table and its
# existing states are flushed
pass in on $int_if proto tcp to 192.168.0.0/24 \
    port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/60, overload <abusive_hosts> flush)
 
Hi, I would try the following:
Code:
int_if="fxp0"

table <abusive_hosts> persist
block in quick from <abusive_hosts>

# track every ssh connection: more than 3 new connections in 60 seconds, or
# more than 5 concurrent, puts the source into the overload table and
# "flush global" kills all of its states, not only those from this rule
pass proto { tcp, udp } from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 3/60, \
        overload <bruteforce> flush global)
# the LAN rule is the last one to match (and "quick" stops evaluation there),
# so it wins over the tracked rule above and LAN connections are never counted
pass quick proto { tcp, udp } from 192.168.0.0/24 to any port ssh
 
Thanks, your rule worked. All I had to do was rename the bruteforce table to abusive_hosts to make it work.
 
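A complete pf.conf that puts the pieces of this thread together, written here as an added example and not taken from any of the posts above: the LAN is exempted first with a quick rule, only new connection attempts arriving from elsewhere are rate limited, and the overload table is paired with the pfctl commands needed to inspect and expire it. The interface name fxp0, the LAN range 192.168.0.0/24 and the macro names are assumptions.

```pf
# /etc/pf.conf: single-NIC host behind a NAT router that port-forwards ssh to it.
# Assumptions (not from the thread): fxp0 is the only interface, the LAN is
# 192.168.0.0/24 and ssh listens on its default port.
int_if="fxp0"
lan="192.168.0.0/24"

set skip on lo0

# "persist" keeps the table around while it is empty. overload only ever adds
# entries; nothing in this file removes them (see the pfctl expire note).
table <abusive_hosts> persist

# 1. anything already in the table is dropped before the pass rules are reached
block in quick on $int_if from <abusive_hosts>

# 2. LAN hosts get ssh with no tracking options, and "quick" stops evaluation
#    here, so the rate limit in rule 3 never sees them and cannot trap them
pass in quick on $int_if proto tcp from $lan to ($int_if) port ssh \
    flags S/SA keep state

# 3. everything else (the forwarded Internet traffic) is limited per source.
#    flags S/SA means only a SYN creates state, so only new connection
#    attempts are counted: more than 3 in 60 seconds, or more than 5 held at
#    once, adds the source to the table and "flush global" kills every state
#    that source already holds, not just the ones from this rule.
pass in on $int_if proto tcp from any to ($int_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/60, \
     overload <abusive_hosts> flush global)

# pf's default policy is pass, so traffic matching none of the rules above is
# still allowed. Put "block in on $int_if" above the pass rules for default deny.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -t abusive_hosts -T show` lists the trapped sources and `pfctl -t abusive_hosts -T delete <address>` releases one by hand. Because overload never ages entries out, a cron job running `pfctl -t abusive_hosts -T expire 86400` clears addresses that have been in the table longer than a day; without it a blocked host stays blocked until the table is flushed or the machine reboots.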