PF syntax error
Jon Radel
jon at radel.com
Wed Oct 15 21:04:46 UTC 2008
Ermal Luçi wrote:
> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick <koitsu at freebsd.org> wrote:
>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>> Hello,
>>>
>>> I am not sure if I should be here or over at a pf specific list but here
>>> is my problem.
>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>> list instead.
>>
>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>> me problems.
>>>
>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>
>>> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
>>> global)
>
> Is it a copy-paste error, or did you forget keep state in there?
> It should look like:
> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
> keep state(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
And here I thought "keep state" was the default in the pf shipped with
FreeBSD 7.0....

Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.
--Jon Radel
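
The rule from the thread in the form Ermal's reply gives, placed in the surrounding pf.conf context it needs to have any effect. This is an added example, not part of the original messages; the interface name `em0`, the table declaration and the block rule are assumptions.

```conf
# Constructed pf.conf fragment (assumed interface name: em0).
ext_if = "em0"

# Table filled by the "overload" action below; "persist" keeps the
# table in existence while it is empty.
table <bruteforce> persist

# Refuse sources already in the table. With "quick", this rule has to
# come before the pass rule so that it is the one that matches.
block in quick on $ext_if from <bruteforce>

# The source-tracking limits are written as an option list attached to
# the "keep state" keyword. As noted in the thread, "keep state" and
# "flags S/SA" are already the defaults in this PF version; here
# "keep state" is spelled out so the parenthesised options have a
# keyword to follow.
#   max-src-conn 15        at most 15 established connections per source
#   max-src-conn-rate 5/3  at most 5 new connections per 3 seconds
#   overload <bruteforce>  add a source exceeding either limit to the table
#   flush global           drop all existing states from that source
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
```

Running `pfctl -nf` on the file parses the ruleset without loading it, which reports a syntax error such as the one in this thread before the rules go live.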