PF & max-src-conn-rate

I'm not sure if I am understanding the configuration correctly.
Code:
pass in log on $EXT_IF inet proto tcp from any to $SERVER port $SSH \
        flags S/SA keep state \
        (max-src-conn-rate 3/6, overload <blacklist> flush global)
I was under the impression that 3 connections within 6 seconds would ban the user. However, it takes much more before the ban kicks in ...
Code:
Oct 13 11:54:37 localhost postfix/smtpd[44936]: connect from telnet-online.net[176.9.8.180]
Oct 13 11:54:40 localhost postfix/smtpd[44936]: connect from telnet-online.net[176.9.8.180]
Oct 13 11:54:42 localhost postfix/smtpd[44931]: connect from telnet-online.net[176.9.8.180]
Oct 13 11:54:44 localhost postfix/smtpd[44936]: connect from telnet-online.net[176.9.8.180]
Oct 13 11:54:45 localhost postfix/smtpd[44931]: connect from telnet-online.net[176.9.8.180]
Oct 13 11:54:47 localhost postfix/smtpd[44936]: connect from telnet-online.net[176.9.8.180]
Why does it take 6 attempts in 7 seconds before the rate limit triggers?
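As an added illustration (my own code, not from this thread or from the pf project), here is a model of the decaying per-source counter pf uses for max-src-conn-rate, run over the six timestamps from the log above. It assumes whole-second timestamps, as the kernel uses, and no earlier connections from that source; sub-second timing around a second boundary can change the result, which is one reason 3/6 does not behave like a hard "three in any six seconds" window.

```python
# Added example, not from the thread: a model of how pf accounts max-src-conn-rate.
# pf keeps a per-source decaying counter (struct pf_threshold, updated by
# pf_add_threshold() and tested by pf_check_threshold() when a TCP 3-way
# handshake completes, so it never counts non-TCP traffic); the man page calls
# the rate "an approximation calculated as a moving average".
# Assumptions: whole-second timestamps, as in the kernel; no earlier history
# for the source before the first logged connection.

PF_THRESHOLD_MULT = 1000   # fixed-point scale so the decay can use integer math


class Threshold:
    """Per-source rate state for one rule's max-src-conn-rate N/M."""

    def __init__(self, limit, seconds, now):
        self.limit = limit * PF_THRESHOLD_MULT  # trip point: count must EXCEED this
        self.seconds = seconds
        self.count = 0
        self.last = now

    def add(self, now):
        """Account one completed connection at time `now`."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0                       # whole interval elapsed: start over
        else:
            # linear decay of the old count, proportional to the elapsed fraction
            self.count -= self.count * diff // self.seconds
        self.count += PF_THRESHOLD_MULT          # this connection adds one "unit"
        self.last = now

    def exceeded(self):
        return self.count > self.limit


def simulate(limit, seconds, times):
    """Return [(count, tripped)] for each connection, in order."""
    th = Threshold(limit, seconds, times[0])
    result = []
    for t in times:
        th.add(t)
        result.append((th.count, th.exceeded()))
    return result


# Seconds-of-minute taken from the postfix log in the post: 11:54:37 ... 11:54:47
LOG_TIMES = [37, 40, 42, 44, 45, 47]

if __name__ == "__main__":
    for t, (c, hit) in zip(LOG_TIMES, simulate(3, 6, LOG_TIMES)):
        print(f"t=:{t:02d} count={c:5d} {'OVERLOAD' if hit else ''}")
    # Four connections in the same second trip 3/6 on the fourth one, while a
    # steady one-every-2-seconds pace (exactly 3 per 6 s) never does.
    print(simulate(3, 6, [0, 0, 0, 0])[-1])
    print(any(hit for _, hit in simulate(3, 6, list(range(0, 60, 2)))))
```

Under these assumptions the logged trace peaks at 2964 against a trip point of 3000, so whether the sixth connection trips the rule in practice comes down to which whole second pf saw each handshake complete in.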
 
The first three connections probably took a little more than 6 seconds; it triggered on the second batch of three connections (3 in ~3 seconds).
 
Please, does anybody know how to limit ping?

I have the following rule, but it seems to ignore the limits; even if I set extremely low numbers, it pings anyway:

Code:
###### ICMP ######
icmp_types = "{ echoreq, unreach }"
pass quick inet proto icmp all icmp-type $icmp_types keep state \
(max-src-conn 3, max-src-conn-rate 12/30, \
overload <bruteforce> flush global)

# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
 