Question about pf

hi, 

i read some of the pf.conf man page and i found something
really neat for my 
servers. It's not 100% what i need but very close and i was
hoping you pf 
gurus could help me out with this one.



I have created the following rules and i have 2 small
problems.

table <badhosts> {} persist
block quick     on $ext_if proto tcp from <badhosts>
to $external_addr port 23 

pass in on $ext_if proto tcp to $external_addr port 23 flags
S/SA modulate      
state (max-src-conn-rate 5/60, overload <badhosts>
flush global)


1. I wanted to do is make sure the ip's get unbanned after
let's say 30 
minutes or so.

2. When my ip gets into badhosts, most of my current ssh
connections hang.
it's kinda strange since my block rule is specific on the
telnet port.


any ideas/comments

Thanks
Charles
_______________________________________________
freebsd-pffreebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"

On 11/28/06, Charles Lacroix <clacroixcegep-ste-foy.qc.ca> wrote:
> table <badhosts> {} persist
> block quick     on $ext_if proto tcp from
<badhosts> to $external_addr port 23
> pass in on $ext_if proto tcp to $external_addr port 23
flags S/SA modulate 
> state (max-src-conn-rate 5/60, overload
<badhosts> flush global)
>
> 1. I wanted to do is make sure the ip's get unbanned
after let's say 30
> minutes or so.

You need an external utility, http://expiretable.fnord
.se/ is one I've
looked at, there are a couple other similar ones.

> 2. When my ip gets into badhosts, most of my current
ssh connections hang.
> it's kinda strange since my block rule is specific on
the telnet port.

That's exactly what you've asked pf to do with "flush
global"

-- 
Jon
_______________________________________________
freebsd-pffreebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"

"Jon Simola" <jsimolagmail.com> writes:

> You need an external utility, http://expiretable.fnord
.se/ is one I've
> looked at, there are a couple other similar ones.

expiretable is in ports too, as
/usr/ports/security/expiretable

<plug type="shameless> 
there's a nice walkthrough of this in my tutorial, see
http://home.nuug.no/~p
eter/pf/ or http
://home.nuug.no/~peter/pf/en/bruteforce.html 
for this specific topic
</plug>
-- 
Peter N. M. Hansteen, member of the first RFC 1149
implementation team
http://www.blug.lin
ux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard,
"Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected
after 36099 seconds
_______________________________________________
freebsd-pffreebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"

Great, i installed it and went to your "pseudo html
type/shameless" and it's 
exacly what i wanted to do. I'm testing it out this week and
next week if 
everything is working like expected i will push this into
production.

Thanks alot for quick answer.

Charles

On Wednesday 29 November 2006 07:42, Peter N. M. Hansteen
wrote:
> "Jon Simola" <jsimolagmail.com> writes:
> > You need an external utility, http://expiretable.fnord
.se/ is one I've
> > looked at, there are a couple other similar ones.
>
> expiretable is in ports too, as
/usr/ports/security/expiretable
>
> <plug type="shameless>
> there's a nice walkthrough of this in my tutorial, see
> http://home.nuug.no/~p
eter/pf/ or
> http
://home.nuug.no/~peter/pf/en/bruteforce.html for this
specific topic
> </plug>
_______________________________________________
freebsd-pffreebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"