Displaying 10 results from an estimated 10 matches for "autoblock".
2020 Apr 02
2
Can't block intrusion
...020, at 22:14, Greg Troxel <gdt at lexort.com
>> <mailto:gdt at lexort.com>> wrote:
>>> I think you need to use tcpdump and turn up firewall debugging.
>> sngrep is your friend … My bet is UDP vs TCP on firewall rules :-)
> block drop in log quick on bge0 from <AUTOBLOCK> to any
> block drop out log quick on bge0 from any to <AUTOBLOCK>
>
> Am I misunderstanding pf? I thought that that would block TCP, UDP,
> ICMP and anything else trying to get through.
>
> Since I started looking at this closer I did find that only some
> connection...
2020 Apr 01
5
Can't block intrusion
On 1 Apr 2020, at 22:14, Greg Troxel <gdt at lexort.com> wrote:
>
> I think you need to use tcpdump and turn up firewall debugging.
sngrep is your friend … My bet is UDP vs TCP on firewall rules :-)
Mark
2020 Apr 01
2
Can't block intrusion
...hing that matches the original "connection", even if UDP.
Here are the first four lines from "pfctl -sr":
pass in quick on bge0 from <FRIENDS> to any flags S/SA keep state
block drop in log quick on bge0 from <ENEMIES> to any
block drop in log quick on bge0 from <AUTOBLOCK> to any
block drop out log quick on bge0 from any to <AUTOBLOCK>
Unless pf is broken I can't see how anything besides my "friends" can be
getting through.
>> The weird thing is that the attempts don't stop. That IP continues to
>> try different numbers. Th...
2020 Apr 01
2
Can't block intrusion
...''
(45.143.220.235:5356) to extension '2037' rejected because extension not
found in context 'unauthenticated'.
I have a script that checks for things like this and adds them to my
packet filter (pf). Everything seems to work up to a point. The IP
address gets added to my AUTOBLOCK table. The second rule, right after
the friends whitelist, blocks any IP in that table. If I try to ping or
traceroute to it I can't get through. I ran netstat -a and sockstat -c
and the IP address does not show up in the connections. Every test
suggests that the system is doing exactly wha...
2020 Apr 01
0
Can't block intrusion
...2020, at 22:14, Greg Troxel <gdt at lexort.com
> <mailto:gdt at lexort.com>> wrote:
>>
>> I think you need to use tcpdump and turn up firewall debugging.
>
> sngrep is your friend … My bet is UDP vs TCP on firewall rules :-)
block drop in log quick on bge0 from <AUTOBLOCK> to any
block drop out log quick on bge0 from any to <AUTOBLOCK>
Am I misunderstanding pf? I thought that that would block TCP, UDP,
ICMP and anything else trying to get through.
Since I started looking at this closer I did find that only some
connections have this problem. Most get bl...
2020 Apr 02
0
Can't block intrusion
...Larry Moore wrote:
> I suspect you have a good understanding of pf.
Pretty good I think. As with everything I am always willing to learn more.
> Have you included in your script running 'pfctl -k <ip_address>' to kill
> any states that may exist after you update your <AUTOBLOCK> table?
I haven't yet because I want to watch the effect of doing it. When I
see the problem happening I run that manually and watch to see if it
stops the attack in its tracks or if I still have to null-route it.
Once I know that it is working I will add it to the script.
> In pf, lik...
2020 Apr 01
0
Can't block intrusion
...n <darcy at VybeNetworks.com> writes:
> Here are the first four lines from "pfctl -sr":
>
> pass in quick on bge0 from <FRIENDS> to any flags S/SA keep state
> block drop in log quick on bge0 from <ENEMIES> to any
> block drop in log quick on bge0 from <AUTOBLOCK> to any
> block drop out log quick on bge0 from any to <AUTOBLOCK>
agreed that I can't see it.
>> You say "continues to try", but surely you are not surprised that
>> packets arrive at your computer. I think you are surprised that they
>> make it to as...
2020 Apr 01
0
Can't block intrusion
D'Arcy Cain <darcy at VybeNetworks.com> writes:
> I have a script that checks for things like this and adds them to my
> packet filter (pf). Everything seems to work up to a point. The IP
> address gets added to my AUTOBLOCK table. The second rule, right after
> the friends whitelist, blocks any IP in that table. If I try to ping or
> traceroute to it I can't get through. I ran netstat -a and sockstat -c
> and the IP address does not show up in the connections. Every test
> suggests that the system...
2004 Dec 20
3
[Bug 965] auto disable/block of ip address
...wing attempts to connect from an ip
address after a certain number of failures. My logs tend to fill up after a
night of script kiddy hell.
1) There should be a way to turn this off/on
2) A way to get the list and re-enable/remove an ip address.
3) An attempt count setting so that after X failures autoblocking happens
I've grown very accustomed to something similar on AS400's. It's very handy to have.
thanx,
-jj-
2005 Dec 19
7
Brute Force Detection + Advanced Firewall Policy
Any BFD/AFP software available for FreeBSD 4.10?
I'm getting flooded with ssh and ftp attempts.