prompt solution with max-src-conn-rate
GreenX FreeBSD
freebsd at azimut-tour.ru
Mon May 15 04:24:14 UTC 2006
Hi,
I want to do the following: for the ssh port to open for a certain IP,
it is first necessary to knock on another port.
So far I have written rules like these:
block all
# more than one completed connection per 60 s from a source adds it to <sshen>
pass in quick on $int_if inet proto tcp from any to $int_if port http \
	keep state (max-src-conn-rate 1/60, overload <sshen>)
# sources listed in <sshen> may reach ssh
pass quick inet proto tcp from <sshen> to $int_if port ssh
They work, but there are some things that do not suit me:
- If I change port http to any other unused port (on port http I have a
working apache), the source IP does not get into the table, although the
state is created.
- It is necessary to knock two times :) since max-src-conn-rate does not
allow setting zero.
Has somebody dealt with similar tricks?
Or does somebody know how to solve this task another way with PF?
Best regards, GReenX.
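A small Python model of the bookkeeping pf does for max-src-conn-rate and overload, added here as an editor's example to show why the two observations above come out the way they do; it is not pf code and not from the post. It assumes two things about pf: that only TCP connections which completed the three-way handshake are counted (pf.conf(5) states this for max-src-conn-rate, so a SYN to a closed port creates a state but counts nothing), and that the per-source counter decays linearly over the window as in pf's threshold code, so with 1/60 the first connection reaches the limit and only the second one within 60 s exceeds it. The addresses and timestamps are constructed.

```python
"""Model of pf's max-src-conn-rate / overload accounting (added example, not pf).

Assumptions, not taken from the post: the decaying counter mirrors pf's
pf_add_threshold()/pf_check_threshold() logic, and a source is only counted
once its TCP handshake completed, as pf.conf(5) says for max-src-conn-rate.
"""
from dataclasses import dataclass, field

THRESHOLD_MULT = 1000  # pf scales counts so the decay works in integers


@dataclass
class Threshold:
    limit: int          # allowed connections ...
    seconds: int        # ... per this many seconds (e.g. 1/60)
    count: int = 0      # scaled running count
    last: float = 0.0   # time of the previous counted connection

    def add(self, now: float) -> None:
        """Count one completed connection at time `now`, decaying the old count."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0                              # window fully elapsed
        else:
            self.count -= int(self.count * diff / self.seconds)
        self.count += THRESHOLD_MULT
        self.last = now

    def exceeded(self) -> bool:
        # strictly greater: the limit itself is still allowed
        return self.count > self.limit * THRESHOLD_MULT


@dataclass
class SourceTracker:
    """One rule's source tracking plus the table named in its overload option."""
    limit: int
    seconds: int
    overload: set = field(default_factory=set)   # the <sshen> table
    per_source: dict = field(default_factory=dict)

    def connection(self, src: str, now: float, handshake_completed: bool) -> bool:
        """Record a new connection from src; return True if src was added to the table."""
        if not handshake_completed:
            # closed port: the host answers RST, the state exists briefly,
            # but nothing is counted toward max-src-conn-rate
            return False
        th = self.per_source.setdefault(src, Threshold(self.limit, self.seconds))
        th.add(now)
        if th.exceeded():
            self.overload.add(src)
            return True
        return False


# constructed scenarios; 192.0.2.10 is a documentation address
def knock_listening_port() -> tuple:
    """Two knocks on a listening port 5 s apart with 1/60: only the second trips it."""
    t = SourceTracker(1, 60)
    first = t.connection("192.0.2.10", now=0, handshake_completed=True)
    second = t.connection("192.0.2.10", now=5, handshake_completed=True)
    return first, second, "192.0.2.10" in t.overload


def knock_closed_port() -> tuple:
    """Three SYNs to a port with no listener: states, but no table entry."""
    t = SourceTracker(1, 60)
    results = [t.connection("192.0.2.10", now=n, handshake_completed=False)
               for n in (0, 1, 2)]
    return results, t.overload


def knock_after_window() -> tuple:
    """Two knocks 70 s apart: the window has elapsed, so neither trips 1/60."""
    t = SourceTracker(1, 60)
    first = t.connection("192.0.2.10", now=0, handshake_completed=True)
    second = t.connection("192.0.2.10", now=70, handshake_completed=True)
    return first, second


if __name__ == "__main__":
    print("listening port:", knock_listening_port())   # (False, True, True)
    print("closed port:   ", knock_closed_port())      # ([False, False, False], set())
    print("after window:  ", knock_after_window())     # (False, False)
```

The model makes the "knock twice" effect visible: with 1/60 the first completed connection sets the count exactly to the limit, and only a second one inside the same 60 s pushes it over. Entries written by overload stay in the table until removed; on a real host `pfctl -t sshen -T expire <seconds>` clears entries older than the given age, which keeps the open window short.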