Another panic in 1.6.x

Petr Janda elekktretterr at
Fri Sep 8 18:25:15 PDT 2006

My pf.conf is just a simple one:


table <ssh-bruteforce>
block drop in quick on $ext_if from <ssh-bruteforce>
block in
pass out keep state
pass quick on { lo }
antispoof quick for { lo, fxp0 }
#pass in on $ext_if proto tcp to ($ext_if) port ssh \
#       flags S/SA keep state \
#       (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass in on $ext_if proto tcp to ($ext_if) port { ssh, smtp, imap, http, 
domain } keep state
pass in on $ext_if proto udp to ($ext_if) port { domain } keep state

The commented section blocks script kiddies; unfortunately it doesn't 
work in our PF version. Hence why it's commented.


Gergo Szakal wrote:
> Simon 'corecode' Schubert wrote:
>> Petr Janda wrote:
>>> Have you tried consulting the PF devs?
>> of course.  nobody could tell us the cause, it is not a known 
>> problem.  something damages the state tables.
> Guys, next week I will deploy a filtering bridge running 1.6.1. 20-30k 
> states are expectable. Hope I can crash it and tell you what is wrong.
> Petr, could you show me your rules file? I recall having freezes and 
> device incompatibilities if PF under OpenBSD 3.7 (I use 3.8 and 3.9 
> now) and maybe we have something in common.