#1
8th November 2017
Lexus45 (Port Guard; Join Date: May 2010; Location: Kurgan, Russia; Posts: 39)

PF: limit number of incoming connections during some time period

Hello all.

I wonder if there's an ability in PF like this one in iptables:
Code:
--dport 80 -m hashlimit --hashlimit-name WEBSRV --hashlimit-mode srcip --hashlimit-above 3/minute --hashlimit-htable-expire 120000 -j DROP
I read this: http://man.openbsd.org/pf.conf.5#max-src-conn
And tried (don't worry, this is a VM and I have "physical" access to it):
Code:
pass in on $ext_if proto tcp from any to any port 22 keep state max-src-conn-rate 2/60
... but got an error while parsing the ruleset:
Code:
/etc/pf.conf:22: syntax error
#2
8th November 2017
Lexus45 (Port Guard; Join Date: May 2010; Location: Kurgan, Russia; Posts: 39)

Tried to do it as in the example, and there are no errors now:
Code:
pass in on $ext_if proto tcp from any to any port 22 keep state (max-src-conn-rate 2/60, overload <bad_hosts> flush global)
So, I used several options in parentheses. But what if I do not want to use any additional options? Why does the first variant not work?
#3
8th November 2017
Lexus45 (Port Guard; Join Date: May 2010; Location: Kurgan, Russia; Posts: 39)

As usual, I got the answer myself.

We just need to use parentheses, even if only one option is specified:
Code:
pass in on $ext_if proto tcp from any to any port 22 keep state (max-src-conn-rate 2/60)
No errors after parsing or applying rules.
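The complete ruleset the thread converges on, with the overload table from post #2 and the parse-only pfctl check a practitioner would run before loading it, as an added example that is not from the original posts. The table name bad_hosts, the $ext_if macro, port 22 and the rate 2/60 come from the thread; the interface name em0 is assumed.

```shell
#!/bin/sh
# Added example: emit the PF rate-limit ruleset discussed in the thread.
# State options must be wrapped in parentheses even when only one is given;
# the bare "keep state max-src-conn-rate 2/60" form is the syntax error seen in post #1.
pf_ratelimit_rules() {
  cat <<'EOF'
ext_if = "em0"

# Sources that exceed the rate are added here; "persist" keeps the table across reloads.
table <bad_hosts> persist

# Drop anything already flagged before the pass rule is evaluated.
block in quick on $ext_if from <bad_hosts>

# More than 2 new TCP connections to port 22 from one source within 60 seconds
# adds that source to <bad_hosts> and kills all of its existing states (flush global).
pass in on $ext_if proto tcp from any to any port 22 keep state (max-src-conn-rate 2/60, overload <bad_hosts> flush global)
EOF
}

# Parse-only check (-n): reports syntax errors without touching the live ruleset.
# Skipped where pfctl is not installed so the script still runs on other systems.
pf_ratelimit_check() {
  tmp=$(mktemp) || return 1
  pf_ratelimit_rules > "$tmp"
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$tmp"; rc=$?
  else
    echo "pfctl not found; skipping parse check" >&2; rc=0
  fi
  rm -f "$tmp"
  return $rc
}

# Number of rules using the parenthesised state-option form (the one pfctl accepts).
pf_ratelimit_count_parenthesised() {
  pf_ratelimit_rules | grep -c 'keep state ('
}
```

Once loaded with `pfctl -f /etc/pf.conf`, `pfctl -t bad_hosts -T show` lists the flagged sources; entries added by overload do not expire on their own, so a periodic `pfctl -t bad_hosts -T expire 3600` (or a manual `-T delete`) is needed to let them back in.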