Building The Network You Need With PF, The OpenBSD Packet Filter: BSDCan 2016, Ottawa, Canada, June 8th 2016
A variation on Turning Away The Brutes:

```
pass log quick on $ext_if proto tcp to port ssh \
    queue (ssh_bulk, ssh_interactive)
```

becomes

```
pass log quick on $ext_if proto tcp to port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global) \
    queue (ssh_bulk, ssh_interactive)
```

where

```
queue smallpipe bandwidth 1kb cbq
```

and

```
pass inet proto tcp from <bruteforce> to port $tcp_services \
    queue smallpipe
```
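
The effect of these rules on individual sources, as a simplified model added here (not code from the tutorial, and not PF's implementation): a sliding window stands in for PF's rate tracking, and the function name, event format and sample addresses are constructed. It assumes the `<bruteforce>` rule is the one that matches for sources already in the table.

```python
from collections import defaultdict, deque

MAX_SRC_CONN = 15              # max-src-conn 15
MAX_RATE, RATE_WINDOW = 5, 3   # max-src-conn-rate 5/3 (5 connections per 3 seconds)


def assign_queues(events):
    """events: time-ordered (t, src, kind) tuples, kind is "open" or "close".
    Returns (decisions, table): one (t, src, outcome) per open, and the set of
    sources that ended up in the modelled <bruteforce> table."""
    bruteforce = set()             # stands in for the <bruteforce> table
    open_conns = defaultdict(int)  # simultaneous connections per source
    recent = defaultdict(deque)    # timestamps of recent opens per source
    decisions = []
    for t, src, kind in events:
        if kind == "close":
            open_conns[src] = max(0, open_conns[src] - 1)
            continue
        if src in bruteforce:
            # Assumed to match "pass ... from <bruteforce> ... queue smallpipe"
            decisions.append((t, src, "smallpipe"))
            continue
        win = recent[src]
        win.append(t)
        while t - win[0] >= RATE_WINDOW:   # forget opens older than the window
            win.popleft()
        open_conns[src] += 1
        if open_conns[src] > MAX_SRC_CONN or len(win) > MAX_RATE:
            bruteforce.add(src)            # overload <bruteforce>
            open_conns[src] = 0            # flush global: the source's states go away
            win.clear()
            decisions.append((t, src, "overload"))
        else:
            decisions.append((t, src, "ssh"))  # normal ssh queues
    return decisions, bruteforce


# Constructed sample: one client connecting every 10 s, and one source
# opening 8 connections within 2 s.
SAMPLE = [(i * 10.0, "198.51.100.7", "open") for i in range(4)]
SAMPLE += [(50 + i * 0.25, "192.0.2.66", "open") for i in range(8)]
SAMPLE.sort()

if __name__ == "__main__":
    for t, src, outcome in assign_queues(SAMPLE)[0]:
        print(f"{t:6.2f}  {src:<14} {outcome}")
```

The sixth connection inside the three-second window trips the rate limit; every later connection from that source lands in `smallpipe` instead of being blocked.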