pflog and reason
Max
maximos at als.nnov.ru
Fri Mar 12 05:25:57 UTC 2021
You can use the overload option.
"With the overload <table> state option, source IP addresses which hit
either of the limits on established connections will be added to the
named table."
pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep state \
(max-src-conn-rate 15/86400, overload <rdp-bruteforce> flush global)
# pfctl -t rdp-bruteforce -vTs
222.214.161.232
Cleared: Thu Mar 4 08:09:50 2021
According to https://www.freebsd.org/cgi/man.cgi?query=pcap-filter&sektion=7
reason code
True if the packet was logged with the specified PF reason code.
The known codes are: match, bad-offset, fragment, short, normalize,
and memory (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).
11.03.2021 22:17, mike tancsa wrote:
> I am trying to track down the IPs that are hitting my src limits, but I
> don't see them logged. According to
>
> https://www.freebsd.org/cgi/man.cgi?query=pflogd&sektion=8
>
> I should be able to see the reason something got blocked
>
> e.g. if I have something like
>
>
> pass in log on $outside_nic proto tcp from any to $http_server port 80
> keep state (max 25, max-src-conn-rate 2/60)
>
> How would I find the IP that is tripping up the max state rule or
> max-src-conn-rate ?
>
> Looking at
>
> pfctl -sinfo -v
>
> Limit Counters
>   max states per rule          293319    0.2/s
>   max-src-states                    0    0.0/s
>   max-src-nodes                     0    0.0/s
>   max-src-conn                      0    0.0/s
>   max-src-conn-rate             10273    0.0/s
>   overload table insertion          0    0.0/s
>   overload flush states             0    0.0/s
>
> The counters are increasing, but I never see it in pflog
>
> tcpdump -tttt -nei pflog0 -s0 reason state-limit or reason src-limit
>
> ---Mike
>
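Entries that `overload <table>` adds stay in the table until something removes them (pfctl's `-T expire <seconds>` drops those whose Cleared stamp is older than the given age), so listing the table and reporting old entries is the usual follow-up. The script below is an added example, not code from the thread: it parses constructed `pfctl -vTs` output of the shape shown above and returns the entries older than a cut-off; the addresses, timestamps and the fixed "now" are all constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `pfctl -t rdp-bruteforce -vTs` output: an
# address line followed by an indented "Cleared:" stamp (other per-entry
# statistic lines, when present, are ignored by the parser below).
SAMPLE_OUTPUT = """\
   222.214.161.232
\tCleared:     Thu Mar  4 08:09:50 2021
   198.51.100.23
\tCleared:     Fri Mar 12 01:00:00 2021
"""
REPLY_TIME = datetime(2021, 3, 12, 5, 25, 57)  # date of the reply, used as "now"

CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.+?)\s*$")
CLEARED_FMT = "%a %b %d %H:%M:%S %Y"   # ctime(3)-style stamp printed by pfctl

def _as_entry(line):
    """Return the stripped line if it is a table entry (IP or prefix), else None."""
    text = line.strip().lstrip("!")   # a leading '!' marks a negated entry
    try:
        ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    return line.strip()

def parse_table(text):
    """Map every table entry to the datetime its statistics were last cleared."""
    entries, current = {}, None
    for line in text.splitlines():
        entry = _as_entry(line)
        if entry is not None:
            current = entry
            entries[current] = None
            continue
        m = CLEARED_RE.match(line)
        if m and current is not None:
            entries[current] = datetime.strptime(m.group(1), CLEARED_FMT)
    return entries

def stale_entries(text, max_age_seconds, now=None):
    """Entries cleared more than max_age_seconds ago, oldest first.

    pfctl applies the same cut-off with: pfctl -t <table> -T expire <seconds>
    """
    now = now or datetime.now()
    cutoff = now - timedelta(seconds=max_age_seconds)
    old = {a: t for a, t in parse_table(text).items() if t and t < cutoff}
    return sorted(old, key=old.get)
```

Feed it the real output of `pfctl -t rdp-bruteforce -vTs` (e.g. via subprocess) and a cron job can then hand the stale addresses to `pfctl -T delete`, or simply run `pfctl -T expire 86400` on the table.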