Date:      Fri, 15 Jun 2012 13:12:41 -0400
From:      Paul Mather <paul@gromit.dlib.vt.edu>
To:        prabhpal@digital-infotech.net
Cc:        freebsd-stable@freebsd.org
Subject:   Re: PF to Preventing SMTP Brute Force Attacks
Message-ID:  <1CAF986C-46CC-4D8D-B18F-A208796483EF@gromit.dlib.vt.edu>
In-Reply-To: <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net>
References:  <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net> <4FDB6490.8080509@infracaninophile.co.uk> <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net>

On Jun 15, 2012, at 12:55 PM, Shiv. Nath wrote:

> # START
> table bruteforce persist
> block in log quick from bruteforce
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)
>
> # END
>
> AND CRON:
> */12 * * * *	/sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> What is the function "expire 604800" are they entries in the table?
> should it be -t bruteforce or -t ssh-bruteforce


It refers to entries in the table specified by the "-t" option and
instructs pf to expire (remove from the table) all entries older than
the specified time (in seconds).  Basically, the value 604800 will
expire entries older than 1 week.

For the above pf rules, the cron entry should be "-t bruteforce"
(although in the pf rules you should be using "<bruteforce>").

Cheers,

Paul.
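
Added example, not part of the original message: a small shell check for the mismatch discussed above, where a cron job's "pfctl -t" names a table the ruleset never declares. The sample ruleset and crontab lines are constructed from the quoted text (with the table written as <bruteforce>), and the function names are hypothetical.

```shell
#!/bin/sh
# Flag pfctl "-t NAME" references in a crontab whose table is never
# declared as "table <NAME>" in the pf ruleset. Added example only.

# Constructed sample inputs based on the rules and cron entry quoted above.
PF_RULES='table <bruteforce> persist
block in log quick from <bruteforce>
pass in on $ext_if proto tcp from any to $ext_if port $trusted_tcp_ports flags S/SA keep state (max-src-conn-rate 3/300, overload <bruteforce> flush global)'

CRON_BAD='*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1'
CRON_GOOD='*/12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1'

# Print the table names declared in a ruleset ("table <name> ...").
declared_tables() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>.*/\1/p'
}

# Print the table names that pfctl commands in a crontab pass to -t.
referenced_tables() {
    printf '%s\n' "$1" | grep 'pfctl' |
        sed -n 's/.*[[:space:]]-t[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Print each referenced table the ruleset does not declare.
# Returns 0 when every reference matches a declaration, 1 otherwise.
undeclared_tables() {
    rules=$1 cron=$2 missing=0
    for t in $(referenced_tables "$cron"); do
        if ! declared_tables "$rules" | grep -qxF -- "$t"; then
            printf '%s\n' "$t"
            missing=1
        fi
    done
    return "$missing"
}

# Stand-alone run: report the mismatch in the constructed bad crontab line.
undeclared_tables "$PF_RULES" "$CRON_BAD" ||
    echo "cron entry expires a table the ruleset does not declare"
```

On a live system the same comparison can be made by hand with "pfctl -s Tables" and "pfctl -t bruteforce -T show".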



