# What are these sshguard rules actually doing?



## max21 (Nov 5, 2017)

This is the standard way for sshguard to protect ssh connections including all else, but I think it's only designed to work for black/white listing ...

```
block in quick on $ext_if from <sshguard> label "ssh bruteforce"
```

What is the difference in these two rules below? How do they work? I’m guessing that the one with inet is used to protect a server and the one without is more suited for a desktop or workstation. Both are doing logging, but one has also added a way to do blacklisting. If so, I wonder if they can be combined as explained below in the block drop method. My main concern is which is best, and why.

```
block in log quick on $ext_if from <sshguard> label "ssh bruteforce"
...
block drop in log quick on $ext_if inet from <sshguard> to any
```
What would happen if I add the "ssh bruteforce" part to the one with the inet type rule, or is it even possible? If this sequence does work, what would it be doing?

```
block drop in log quick on $ext_if inet from <sshguard> label "ssh bruteforce"
```
If it doesn’t work, how should it be written?


----------



## SirDice (Nov 6, 2017)

Both lines do exactly the same, drop is the default block action. The label is just that, a label. The inet keyword is implied, it's just a moniker to indicate IPv4, which is also the default if you don't supply it.


----------
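
The combined rule from the question, placed in a minimal pf.conf with the checks that show what it is doing. This is an added example, not taken from either post or from the sshguard documentation; the interface name `em0` and the path `/etc/pf.conf` are assumptions.

```conf
# Constructed example; em0 is an assumed interface name.
ext_if = "em0"

# sshguard adds and removes offending addresses in this table at runtime.
table <sshguard> persist

# pf's block-policy defaults to drop, so a bare "block" and "block drop"
# behave the same unless this option is changed to "return".
set block-policy drop

# The rule asked about:
#   log    copies matching packets to the pflog0 interface
#   quick  stops rule evaluation at this rule when it matches
#   inet   limits the match to IPv4 packets
#   label  names the rule's counters; it does not change what is matched
block drop in log quick on $ext_if inet from <sshguard> label "ssh bruteforce"

# Checks (run as root):
#   pfctl -nf /etc/pf.conf          parse the ruleset without loading it
#   pfctl -sl                       per-label counters, including "ssh bruteforce"
#   pfctl -t sshguard -T show       addresses currently in the table
#   tcpdump -n -e -ttt -i pflog0    packets logged by the rule
```
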

