In a recent battle at work I put a Cisco 2960G up against a Dell PowerConnect 5424. The PowerConnects aren’t bad… They’re cheap, gigabit, and Layer-2. Anyway, I quickly found out that unless you use GVRP, the Dell cannot learn what VLANs are out there. You have to specify allowed VLANS specifically on both ends of a trunk.

The Cisco 2960G doesn’t support GVRP, and VTP is proprietary, so I was forced to use this method.

On the Cisco:

switchport mode trunk
switchport trunk allowed vlan add 2,100,101
switchport nonegotiate

On the Dell:

switchport mode trunk
switchport trunk allowed vlan add 2,100,101

Either way, there’s a quick & easy way to try to stop these annoying bots or whatever they are from bugging your server with PF.  Basically, on your rule where you pass SSH connections in through the firewall you can set a ‘max-src-conn-rate’ or maximum source connection rate.  What this does is triggers something to happen when a host connects faster than a certain rate of allowed new connections.  In our case we’ll want to dump these users into a table that blocks everything from them.  So we create the table:

table <ssh-bruteforce> persist

The rule to drop people who are clearly spamming into our ssh-bruteforce table is:

pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn-rate 4/30, overload <ssh-bruteforce> flush global)

Where the connection rate is 4 connections in 30 seconds (4/30).  From this point on, you just want to block them.  You can do that with:

block in log quick on $ext_if from <ssh-bruteforce>

Now anybody who tries to esablish connections faster than the rate specified in the pass rule gets dumped into that table, and blocked from accessing anything at all on your server. 

mhoran++