Date:      Wed, 15 Oct 2008 16:22:59 -0500
From:      Peter Clark <clarkp@mtmary.edu>
To:        Yury Michurin <yury.michurin@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: PF syntax error
Message-ID:  <48F65F33.9060200@mtmary.edu>
In-Reply-To: <692c9a9f0810151405t3e573cfs3fd4d2a801110c89@mail.gmail.com>
References:  <48F621C2.8080405@mtmary.edu> <692c9a9f0810151405t3e573cfs3fd4d2a801110c89@mail.gmail.com>

Yury Michurin wrote:
> Hello,
> I have in my pf.conf:
>  pass in proto tcp from !<ABUSERS> to any port www flags S/SA synproxy 
> state (max-src-conn 20, max-src-conn-rate 30/60, overload <ABUSERS> 
> flush global)
> 
> and it seems to work just fine...
> 
> Regards,
> Yury.
> 
> On Wed, Oct 15, 2008 at 7:00 PM, Peter Clark <clarkp@mtmary.edu> wrote:
> 
>     Hello,
> 
>     I am not sure if I should be here or over at a pf specific list but
>     here is my problem.
> 
>     I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is
>     giving me problems.
> 
>     pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>      (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
>     flush global)
> 
>     Actually the "pass in" line does not generate the error. The next
>     line does.
> 
>     /etc/pf.conf:71: syntax error
>     If I remove the line the error goes away (obviously). I have tried
>     using the exact line from the FreeBSD pf.conf man page:
> 
>     (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
> 
>     (I changed <bad_hosts> to <bruteforce>) and that generates the same
>     error. I tried just using:
>     (max-src-conn-rate 100/10)
> 
>     but that too gives me a syntax error.
> 
>     Any help is appreciated.
> 
>     Peter Clark
> 
> 
It is because I do not have a "keep state" directive in mine. I took it 
out because the pf 4.1 default is "flags S/SA keep state". Yours works 
because you have the synproxy state directive.

Thanks,
Peter Clark
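For readers hitting the same error: the pf.conf grammar only accepts the parenthesised state options after an explicit "keep state", "modulate state" or "synproxy state" keyword, which is why Peter's rule failed and Yury's passed. The fragment below is an added illustration, not taken from either message; the interface name em0 and the table name are assumed, and the limits are the ones Peter was trying to use.

```pf
ext_if = "em0"                      # assumed interface name
table <bruteforce> persist          # overload table, survives rule reloads

# Drop further traffic from hosts that pf has already moved into the table.
block in quick on $ext_if from <bruteforce>

# Broken form (as posted): state options with no state keyword before the
# parentheses. pfctl rejects this line with "syntax error".
# pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
#     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Corrected form: "keep state" (or modulate/synproxy state) must precede the
# option list. max-src-conn limits simultaneous connections per source,
# max-src-conn-rate limits new connections per 3 seconds, overload adds the
# offending address to <bruteforce>, and flush global kills all of its states.
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`, and list the addresses pf has added with `pfctl -t bruteforce -T show`.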

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48F65F33.9060200>