On Sun, 3 Nov 2024, at 10:08 AM, Kerin Millar wrote:
> On Sun, 3 Nov 2024, at 7:51 AM, Lars Noodén wrote:
>> Greetings,
>>
>> There is some discussion on another list about dealing with the problem
>> of a type of spoofed SSH connection. Here is a description of the
>> problem, along with how to use tcpdump to identify it:
>>
>> https://delroth.net/posts/spoofed-mass-scan-abuse/
>>
>> One solution offered in a message on the other list was to add the
>> following rule into its own table:
>>
>> nft add rule ip accounting input \
>>     tcp sport 22 tcp flags == syn\|ack counter
>>
>> The following seems to load without error and I have some beginner-level
>> questions. Specifically, I wonder how or if it does the job.
>
> For that rule to be of any conceivable value, you would have to refrain
> from ever using your host to connect to an instance of sshd(8) that is
> listening on port 22. Moreover, it does not account for RST
> backscatter, should that be the job in question.

Upon reading your post a second time, I noticed that your sample ruleset
already contains a rule that depends upon connection tracking. As such,
you could use state matching to assist in accounting for backscatter.

table ip filter4 {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid goto invalid
		# ...
	}
	chain invalid {
		tcp flags == syn|ack counter comment "possible backscatter from bound port"
		tcp flags == rst|ack log counter comment "possible backscatter from unbound, unfiltered port"
	}
}

Owing to the use of goto, this would also serve to have invalid packets
be dropped.

On a different note, rules such as the one below are incorrect.

iif "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept

The lo interface is used for all packets that both originate from - and
are destined to - addresses belonging to the host. You should remove
the "ip saddr" and "ip daddr" components.

-- 
Kerin Millar
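The difference between the two approaches discussed above, as an added worked example that is not part of the thread: a small Python simulation of the naive "tcp sport 22 tcp flags == syn|ack" counter beside a simplified model of conntrack state matching. The packet records are constructed, and the conntrack model is a deliberate approximation (it keys flows on the address/port 4-tuple only, ignoring sequence numbers and timeouts). The names Packet, naive_count, classify_with_conntrack and SAMPLE_PACKETS are this example's own.

```python
"""Simulate why counting backscatter needs connection tracking.

Added example, not code from the thread. The conntrack model below is a
simplification: a flow is 'tracked' once our host sends a SYN (or accepts
an inbound SYN on a listening port); any inbound SYN|ACK or RST|ACK that
matches no tracked flow is treated as ct state invalid, which is where the
ruleset in the mail sends it via 'goto invalid'.
"""
from dataclasses import dataclass

SYN = frozenset({"syn"})
SYN_ACK = frozenset({"syn", "ack"})
RST_ACK = frozenset({"rst", "ack"})

OUR_HOST = "192.0.2.10"  # constructed address for the local host


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to OUR_HOST
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags present on the segment


# Constructed traffic sample (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    # 1. We open an SSH session: outbound SYN, then the legitimate SYN|ACK reply.
    Packet("out", OUR_HOST, 40000, "198.51.100.5", 22, SYN),
    Packet("in", "198.51.100.5", 22, OUR_HOST, 40000, SYN_ACK),
    # 2. Backscatter: a scanner spoofed our address toward an SSH server,
    #    so that server's SYN|ACK lands here although we never sent a SYN.
    Packet("in", "203.0.113.7", 22, OUR_HOST, 33333, SYN_ACK),
    # 3. Backscatter from a bound port other than 22 (an HTTPS server).
    Packet("in", "203.0.113.9", 443, OUR_HOST, 35555, SYN_ACK),
    # 4. Backscatter from an unbound, unfiltered port: the victim answers RST|ACK.
    Packet("in", "203.0.113.8", 2222, OUR_HOST, 44444, RST_ACK),
]


def naive_count(packets):
    """The rule from the other list: 'tcp sport 22 tcp flags == syn|ack counter'.

    It matches every inbound SYN|ACK with source port 22, so it counts the
    reply to our own SSH connection (false positive) and misses backscatter
    from any other port or with RST|ACK (false negatives).
    """
    return sum(
        1 for p in packets
        if p.direction == "in" and p.sport == 22 and p.flags == SYN_ACK
    )


def classify_with_conntrack(packets):
    """Model 'ct state invalid goto invalid' plus the two rules in chain invalid.

    Returns a dict of counters keyed by the comment strings used in the mail,
    plus an 'established' counter for replies that belonged to a tracked flow.
    """
    tracked = set()  # flows keyed as (local addr, local port, remote addr, remote port)
    counts = {
        "possible backscatter from bound port": 0,
        "possible backscatter from unbound, unfiltered port": 0,
        "established": 0,
    }
    for p in packets:
        if p.direction == "out" and p.flags == SYN:
            tracked.add((p.src, p.sport, p.dst, p.dport))   # ct state new, outbound
            continue
        if p.direction != "in":
            continue
        if p.flags == SYN:
            tracked.add((p.dst, p.dport, p.src, p.sport))   # ct state new, inbound
            continue
        key = (p.dst, p.dport, p.src, p.sport)
        if key in tracked:
            counts["established"] += 1                      # ct state established
        elif p.flags == SYN_ACK:
            counts["possible backscatter from bound port"] += 1
        elif p.flags == RST_ACK:
            counts["possible backscatter from unbound, unfiltered port"] += 1
        # Any other untracked segment is also invalid; it is dropped by the
        # chain policy in the mail's ruleset and simply not counted here.
    return counts


if __name__ == "__main__":
    print("naive sport-22 SYN|ACK counter:", naive_count(SAMPLE_PACKETS))
    for label, n in classify_with_conntrack(SAMPLE_PACKETS).items():
        print(f"{label}: {n}")
```

Running it on the sample shows the naive counter reporting 2 (one of which is our own legitimate SSH reply) while the conntrack-based classification attributes one packet to the established flow, two to bound-port backscatter and one to unbound-port backscatter, which is the distinction the 'invalid' chain in the mail is designed to make.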