Automating pfctl to block incoming connections and IPs

Tags: firewall, ipfw, network, security

I get a lot of unwanted traffic from Chinese IP addresses. I'm using an old Mac with OS X 10.7.5 (my Mac is ancient, so I cannot update further), so I imagine it's more vulnerable than a newer Mac would be.

This page gave an excellent tutorial about how to use pfctl to detect sshd "attackers" who violate certain rules and add them to a blacklist. In my naive understanding, this applies only to sshd connections.

How can I generalize that tutorial to block other kinds of traffic as well? In particular, I have unwanted traffic involving sshd, sshd-keygen-wrapper, and screensharingd, though I'd love to block any traffic that has too many simultaneous connections or too many attempts within a certain amount of time.

Best Answer

You can simply replace:

# sources that trip the limits below are added to this table; "persist" keeps it across reloads
table <attackers> persist
block log quick from <attackers>
# match inbound TCP by destination port ("to any port ssh"); a bare "from any port ssh"
# would test the client's source port, which is never 22, so nothing would be overloaded
pass in quick proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 3, max-src-conn-rate 5/60, overload <attackers> flush global)

with:

table <attackers> persist
block log quick from <attackers>
# same limits, now applied to every inbound TCP connection regardless of destination port
pass in quick proto tcp from any to any flags S/SA keep state (max-src-conn 3, max-src-conn-rate 5/60, overload <attackers> flush global)

If you want to restrict this to single ports, use ... port {22, 443, 5900:5902} ... instead of ... port ssh ...
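As an added example (my code, not part of the question or the answer), a small sh script that generates the generalized ruleset for a chosen set of ports, adds a whitelist table so the administrator's own host can never be overloaded into <attackers>, syntax-checks and loads it, and offers helpers to inspect, unblock and expire table entries. The rules-file path /etc/pf.ratelimit.conf, the admin address 192.0.2.10 and the helper names are assumptions; `pfctl -f` replaces the whole running ruleset with that file, so merge it with any rules you already keep.

```shell
#!/bin/sh
# Added example: build and load a pf ruleset that rate-limits inbound TCP on the given
# ports (or on all ports when none are given) and auto-blocks offenders, as in the answer.
RULES_FILE="${RULES_FILE:-/etc/pf.ratelimit.conf}"   # assumed path
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"                   # constructed admin address, never blocked

# generate_ruleset [PORT...]  -> prints the ruleset on stdout
generate_ruleset() {
    port_clause=""
    if [ "$#" -gt 0 ]; then
        ports=$(printf '%s, ' "$@")          # "22, 5900:5902, "
        port_clause=" port {${ports%, }}"    # strip the trailing ", "
    fi
    cat <<EOF
table <whitelist> persist { $ADMIN_IP }
table <attackers> persist
# the admin host is passed before anything else, so it is never rate-limited or blocked
pass in quick from <whitelist>
block log quick from <attackers>
# >3 simultaneous connections or >5 new connections per minute from one source puts it
# into <attackers>; "flush global" also drops the states that source already holds
pass in quick proto tcp from any to any${port_clause} flags S/SA keep state (max-src-conn 3, max-src-conn-rate 5/60, overload <attackers> flush global)
EOF
}

# apply_ruleset [PORT...]  (run as root): write, syntax-check, load, enable, show table
apply_ruleset() {
    generate_ruleset "$@" > "$RULES_FILE" || return 1
    pfctl -nf "$RULES_FILE" || return 1      # -n parses the file without loading it
    pfctl -f "$RULES_FILE" && pfctl -e       # load the ruleset, then enable pf
    pfctl -t attackers -T show               # list the sources currently blocked
}

# unblock IP: remove a false positive from the table
unblock() { pfctl -t attackers -T delete "$1"; }

# expire_old SECONDS: drop entries older than SECONDS (suitable for a launchd/cron job)
expire_old() { pfctl -t attackers -T expire "$1"; }
```

Run `apply_ruleset 22 5900:5902` to limit only those ports, or `apply_ruleset` with no arguments for the all-ports variant the answer describes.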