From owner-freebsd-pf@FreeBSD.ORG  Wed Feb  9 01:36:45 2011
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D04BF106564A
	for <freebsd-pf@FreeBSD.org>; Wed,  9 Feb 2011 01:36:45 +0000 (UTC)
	(envelope-from jumper99@gmx.de)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23])
	by mx1.freebsd.org (Postfix) with SMTP id 1F7168FC0A
	for <freebsd-pf@FreeBSD.org>; Wed,  9 Feb 2011 01:36:44 +0000 (UTC)
Received: (qmail invoked by alias); 09 Feb 2011 01:36:43 -0000
Received: from p5DCD7AF7.dip.t-dialin.net (EHLO ORPHEUS) [93.205.122.247]
	by mail.gmx.net (mp071) with SMTP; 09 Feb 2011 02:36:43 +0100
X-Authenticated: #682707
X-Provags-ID: V01U2FsdGVkX19zaLNCxi9zBHLAX8EdqZgyUQF8ovCuCh0atr9F7N
	pgS0OLdj8Q9yNG
Message-ID: <7919038DEA4842A597EB84C9FD717FA7@charlieroot.de>
From: "Helmut Schneider" <jumper99@gmx.de>
To: "Vadym Chepkov" <vchepkov@gmail.com>
References: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
	<5A0B04327C334DA18745BFDBDBECE055@charlieroot.de>
	<A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com>
	<98689EFE59404E4B838E79071AABA8B4@charlieroot.de>
	<56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com>
	<A141DF22-E35C-46BD-B88B-D68800812359@gmail.com>
In-Reply-To: <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com>
Date: Wed, 9 Feb 2011 02:36:43 +0100
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
X-Antivirus: avast! (VPS 110208-1, 08.02.2011), Outbound message
X-Antivirus-Status: Clean
X-Y-GMX-Trusted: 0
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2011 01:36:45 -0000

> Here are entries with pass in log enabled:
>
> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 
> 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 
> 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0

And 38.x.x.x is the external ip of your gateway?! (my last guess for 
today^Wtonight...)