Another panic in 1.6.x
Petr Janda
elekktretterr at exemail.com.au
Fri Sep 8 18:25:15 PDT 2006
My pf.conf is just a simple one:
ext_if="fxp0"
table <ssh-bruteforce>
block drop in quick on $ext_if from <ssh-bruteforce>
block in
pass out keep state
pass quick on { lo }
antispoof quick for { lo, fxp0 }
#pass in on $ext_if proto tcp to ($ext_if) port ssh \
# flags S/SA keep state \
# (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass in on $ext_if proto tcp to ($ext_if) port { ssh, smtp, imap, http,
domain } keep state
pass in on $ext_if proto udp to ($ext_if) port { domain } keep state
The commented section blocks script kiddies, unfortunately it doesnt
work in our PF version. Hence why its commented.
Petr
Gergo Szakal wrote:
Simon 'corecode' Schubert wrote:
Petr Janda wrote:
Have you tried consulting the PF devs?
of course. nobody could tell us the cause, it is not a known
problem. something damages the state tables.
Guys, next week I will deploy a filtering bridge running 1.6.1. 20-30k
states are expectable. Hope I can crash it and tell you what is wrong.
Petr, could you show me your rules file? I recall having freeezes and
device incompatibilities if PF under OpenBSD 3.7 (I use 3.8 and 3.9
now) and maybe we have something in common.
More information about the Bugs
mailing list