Max Connections / Per Second Question

  • I might be confused about how this setting works. I had set this to restrict SSH access with 3 connection per 240 seconds.

    My assumption was that the 4th SSH connection would be blocked but connections to other ports would be allowed. However, ALL connections from that IP are blocked to any port. Is this the intended operation?

    From my testing it seems that connections from that IP to ANY port after the IP is blocked reset the 240 second wait period? Or the wait period in seconds is being calculated wrong, as I just tested this out and it's been 10+ minutes and it still won't let me back in.

    Is there any way to unblock the IP via the webgui? I tried to reset the state table without success. Making a firewall rule change and applying it, which reloads the firewall rules, didn't unblock it either.

    The reason I ask is that this doesn't work well for users that access my server from behind a NAT. One mistake and everyone is blocked out of all ports. If it just blocked the SSH port then this would work well.

    Maybe the best thing to do is just implement something on the box with SSH itself.

  • When you exceed the connection limits specified by the rule, it puts the offending IP into an internal table that is totally blocked (I think it's virusprot…). The table is cleared when you reboot, or you could clear it manually from a shell with pfctl... I forget the exact syntax...
    EDIT- something like this:
    pfctl -t virusprot -T delete

  • Thanks for the explanation. This makes sense now. I think the blocks are cleared automatically after a designated time, as I was eventually able to access the machine an hour or so later. Although I wonder if a webgui interface for viewing and/or removing IP blocks would be useful?

  • I think it would be cool to be able to drop to a custom table (instead of the hidden virusprot table) as defined in Aliases. Then you could add and delete from it via the webgui…

  • I did some more searching on this and the above is all correct.

    At the moment an attacker's IP address is globally blocked by one rule (see below) if he exceeds the limit of connections per timeslot:

    block in quick from <virusprot> to any label "virusprot overload table"

    What I want is something like this:

    block in quick proto tcp from <virusprot> to any port 22 label "virusprot overload table"
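    As an added example, not code from this thread or from pfSense's generated ruleset, here is a minimal pf.conf fragment that puts the pieces discussed above side by side: the rate-limit rule that fills the table, the global block that causes the "all ports" behaviour, and the per-port alternative being asked for. The table name virusprot, the port 22 and the 3/240 limit are the values from the thread; everything else is an assumed minimal ruleset with no interface binding.

    ```pf
    # Added example, not pfSense's own generated rules.
    # Table that pf fills with sources that exceed the rate limit below.
    table <virusprot> persist

    # Behaviour described in the thread: once a source is in <virusprot>,
    # it is blocked on every port, not only the one it overloaded.
    block in quick from <virusprot> to any label "virusprot overload table"

    # Alternative the poster wants: only the SSH port is closed to
    # overloaded sources; other services stay reachable.
    # Use either this rule or the global one above, not both.
    # block in quick proto tcp from <virusprot> to any port 22 label "virusprot overload table"

    # Rate-limit rule: more than 3 new SSH connections from one source
    # within 240 seconds adds that source to <virusprot>. "flush global"
    # also kills that source's existing states on all rules, which is why
    # established sessions from the same NAT address drop at the same time.
    pass in quick proto tcp from any to any port 22 \
        keep state (max-src-conn-rate 3/240, overload <virusprot> flush global)
    ```

    With "persist", entries stay in the table until something removes them. From a shell, `pfctl -t virusprot -T show` lists the blocked addresses, `pfctl -t virusprot -T delete 192.0.2.10` (constructed address) removes a single entry, and `pfctl -t virusprot -T flush` empties the table; the table is also emptied on reboot. Dropping the "global" keyword keeps the flush limited to states created by the rate-limited rule itself.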

  • We reset the table every hour or so.  I also agree that converting it to an alias of some sort would be neat but since the table is cleared often it might not make sense.  Maybe a view of the table's contents allowing someone to delete an item would be a good idea..

  • @sullrich:

    Maybe a view of the table's contents allowing someone to delete an item would be a good idea..

    This along with a way to block the IP entirely or just that IP's port. Neither of these is a big deal since I understand how it works now. Just icing on the cake.
