# Need Help With Basic PF Rules

## rob34 (Feb 24, 2009)

I have a machine running FreeBSD 7.1 on my home network.  It sits behind my router/firewall and the only internet traffic it sees is for ssh.  I am new to PF (and firewalls in general) and am trying to write a rule which will simply block any host that tries to connect more than 3 times per minute while allowing all local traffic (192.168.*.*) to pass with no blocking.

I've read various articles and I think I have something close, but it does not block ssh even if I connect 10 times per minute.

Thanks in advance for any help you may be able to provide.

Contents of my pf.conf file:

```
int_if="fxp0"

table <abusive_hosts> persist
block in quick from <abusive_hosts>

pass in on $int_if proto tcp to 192.168.0.0/24 \
    port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/60, overload <abusive_hosts> flush)
```

----------

## obcecado (Mar 3, 2009)

Hi, I would try the following:

```
int_if="fxp0"

table <abusive_hosts> persist
block in quick from <abusive_hosts>


pass proto { tcp, udp } from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 3/60, \
        overload <bruteforce> flush global)
pass quick proto { tcp, udp } from 192.168.0.0/24 to any port ssh
```

----------
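To make the rule ordering and the `max-src-conn-rate 3/60` / `overload` behaviour in the reply above concrete, here is an added Python model of that ruleset (editorial example, not PF code and not from either poster). It assumes a simplified view of PF: `quick` rules end evaluation, non-quick rules use last-match-wins, and per-source connection counting only happens for sources that are not short-circuited by a `quick` rule; the addresses and timestamps are constructed.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed model of the reply's ruleset (values mirror the posted pf.conf).
LAN = ip_network("192.168.0.0/24")   # pass quick ... from 192.168.0.0/24
RATE, WINDOW = 3, 60                 # max-src-conn-rate 3/60

class SshRateLimiter:
    """Approximates PF's per-source connection-rate tracking for the ssh rules."""

    def __init__(self):
        self.abusive_hosts = set()   # table <abusive_hosts> persist
        self.recent = {}             # src -> timestamps of recent new connections

    def evaluate(self, src, t):
        """Return 'pass' or 'block' for a new SSH connection from src at time t (s)."""
        ip = ip_address(src)
        # rule 1: block in quick from <abusive_hosts> (quick: later rules are not consulted)
        if ip in self.abusive_hosts:
            return "block"
        # rule 3: pass quick ... from 192.168.0.0/24 -- the LAN is never rate-tracked
        if ip in LAN:
            return "pass"
        # rule 2: pass ... keep state (max-src-conn-rate 3/60, overload <...> flush)
        q = self.recent.setdefault(ip, deque())
        while q and t - q[0] >= WINDOW:  # forget connections older than the window
            q.popleft()
        q.append(t)
        if len(q) > RATE:
            self.abusive_hosts.add(ip)   # overload: the source lands in the table ...
            self.recent.pop(ip, None)    # ... and its tracked states are flushed
            return "block"               # the connection that exceeded the rate is dropped
        return "pass"

def simulate(attempts):
    """Evaluate (src, t) attempts in order; returns the list of verdicts."""
    fw = SshRateLimiter()
    return [fw.evaluate(src, t) for src, t in attempts]

# Constructed sample: an outside host (203.0.113.7, documentation range) opening
# four connections within a minute and one more later, and a LAN host doing more.
ATTEMPTS = [
    ("203.0.113.7", 0), ("203.0.113.7", 10), ("203.0.113.7", 20),
    ("203.0.113.7", 30),     # 4th new connection inside 60 s -> overload
    ("203.0.113.7", 200),    # still in the persist table -> blocked
    ("192.168.0.50", 0), ("192.168.0.50", 1), ("192.168.0.50", 2), ("192.168.0.50", 3),
]

if __name__ == "__main__":
    for (src, t), verdict in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

Because the table is declared `persist`, an entry stays until it is removed by hand (or by an expiry mechanism such as `pfctl -t <table> -T expire`), so the outside host remains blocked long after the 60-second window has passed.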

## rob34 (Mar 13, 2009)

Thanks, your rule worked. All I had to do was rename the bruteforce table to abusive_hosts to make it work.

----------