From: Mij <mi...@bi...> - 2007-12-16 15:19:41
On 12/dic/07, at 17:00, Ryan Phillips wrote:
> On Dec 12, 2007 9:54 AM, Ryan Phillips <tro...@gm...> wrote:
>> On Dec 12, 2007 9:11 AM, Ryan Phillips <tro...@gm...> wrote:
>>> Hi All,
>>>
>>> I have been using the pre-1.0 release perfectly fine, but something
>>> broke with the latest ports update to 1.0. It doesn't appear that a
>>> user is getting blocked by the firewall.
>>>
>>> Any help would be appreciated.
>>>
>>
>> Sorry for the noise... SSH was listening on all interfaces and the pf
>> rule only blocked on one.
>>
>> For historical sake: block in quick from <sshguard> to any
>
> I guess the 'on' directive would have taken care of that scenario.
> I'm a newb with pf.
>
> Any comments with this problem would be appreciated.
"on $ext_if" matches all the traffic coming in to the ext_if physical interface, so yes, in case you have multiple addresses assigned to one physical interface.
If instead ssh is reachable from different addresses on different interfaces, "on" is just a limitation, and you should instead use something like

block in quick from <sshguard> to any port 22 label "ssh bruteforce"

or use multiple rules with "on $intrf" for every external interface.
The advantage of using "on $interface" is that you protect LAN addresses from being blocked, even if they behave like attackers. Of course this can be managed by sshguard itself with whitelisting anyway.
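The situation discussed above, as an added pf.conf example that is not part of the original thread and not sshguard's own code: the interface names, the LAN range and the <lan> table are assumptions for illustration; only the <sshguard> table name comes from the thread. It shows the single-interface rule that let the second listener through, the interface-independent rule, and a whitelist pass rule placed before it. Note that pfctl rejects a "port" match without a protocol, so the rule needs "proto tcp".

```pf
# Added example pf.conf fragment (not from the original thread).
# Interface names and the LAN range below are assumptions.
ext_if  = "em0"     # assumption: first Internet-facing interface
ext2_if = "em1"     # assumption: second Internet-facing interface
lan_if  = "em2"     # assumption: LAN interface

# Table that sshguard's pf backend fills with attacker addresses.
# "persist" keeps the table across "pfctl -f /etc/pf.conf", so
# already-blocked hosts stay blocked after a ruleset reload.
table <sshguard> persist

# Hosts that must never be blocked (assumption: the LAN range).
table <lan> const { 192.168.1.0/24 }

# The rule that failed in the thread: it matches only on $ext_if, so an
# attacker reaching an sshd that listens on all addresses via $ext2_if
# is never blocked. Kept here commented out for comparison.
# block in quick on $ext_if from <sshguard> to any

# Whitelist first: with "quick", the first matching rule wins, so LAN
# hosts are passed even if they end up in <sshguard>.
pass in quick on $lan_if proto tcp from <lan> to any port 22

# Interface-independent block for ssh on every interface. "proto tcp"
# is required because a port match needs a protocol; the label makes
# the rule easy to spot in "pfctl -vsr" counters.
block in quick proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

# Equivalent alternative: one rule scoped to each external interface,
# which leaves LAN-sourced traffic untouched without the pass rule.
# block in quick on { $ext_if, $ext2_if } proto tcp from <sshguard> to any port 22
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm sshguard is populating the table with `pfctl -t sshguard -T show`; sshguard has to be built with its pf backend for the table to be filled at all.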