Date: Sat, 16 Jun 2012 21:14:20 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: prabhpal@digital-infotech.net
Cc: freebsd-stable@freebsd.org
Subject: Re: USE PF to Prevent SMTP Brute Force Attacks - Resolved !!!
Message-ID: <4FDCE91C.9040005@infracaninophile.co.uk>
In-Reply-To: <69642fed4fe6d9fb794eaedf2557cd8f.squirrel@mail.digital-infotech.net>
References: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net> <4FDB6490.8080509@infracaninophile.co.uk> <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net> <4FDB6CBD.6080900@infracaninophile.co.uk> <738cbc31aa2dce5787dc85cafb3d02a6.squirrel@mail.digital-infotech.net> <69642fed4fe6d9fb794eaedf2557cd8f.squirrel@mail.digital-infotech.net>
On 16/06/2012 21:03, Shiv. Nath wrote:
> Dear Metthew,

Matthew, one a, one e.

> first thanks for assisting to secure 22/25 ports from brute force attack.
> i wish to consult if the following white list looks fine to exclude
> trusted networks (own network)
>
> int0="em0"
> secured_attack_ports="{21,22,25}"
>
> table <bruteforce> persist
> block in log quick from <bruteforce>
> pass in on $int0 proto tcp \
>     from any to $int0 port $secured_attack_ports \
>     flags S/SA keep state \
>     (max-src-conn-rate 5/300, overload <bruteforce> flush global)
>
> ## Exclude Own Network From Brute-Force Rule ##
>
> table <own_network> persist {71.221.25.0/24, 71.139.22.0/24}
> pass in on $int0 proto tcp from <own_network> to any
>
> OR
>
> pass in on $int0 proto tcp from <own_network> to secured_attack_ports
                                                   ^^^^^^^^^^^^^^^^^^^^
                                                   $secured_attack_ports

You seem to have missed out a $ sign there. But, yes, other than that it
looks good. You want to move the table definitions up to the top of the
file and, as you've shown, you want your network-specific rule after the
more generic rate-limited accept rule: remember that (except for quick
rules) it's the last matching rule in the ruleset that applies.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3                                            PGP: http://www.infracaninophile.co.uk/pgpkey
Ramsgate                                          JID: matthew@infracaninophile.co.uk
Kent, CT11 9PW
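As an added example (not the ruleset from either message in this thread), here is the whitelist assembled the way the reply recommends: tables at the top, the missing $ restored, and the own-network rule placed after the rate-limited rule. The port list has to follow the port keyword, exactly as in the rate-limited rule; the interface name and the two address ranges are the ones quoted above and are assumed to be the operator's own.

```pf
# Added example, not taken from the original e-mail.

# 1. Macros and tables first, before any rule that references them.
int0 = "em0"
secured_attack_ports = "{21,22,25}"

table <bruteforce>  persist
table <own_network> persist { 71.221.25.0/24, 71.139.22.0/24 }

# 2. 'quick' stops evaluation here: a source that has been overloaded
#    into <bruteforce> is dropped no matter what later rules say.
block in log quick from <bruteforce>

# 3. Generic rate-limited accept: more than 5 new connections from one
#    source within 300 s moves that source into <bruteforce> and flushes
#    its existing states.
pass in on $int0 proto tcp \
    from any to $int0 port $secured_attack_ports \
    flags S/SA keep state \
    (max-src-conn-rate 5/300, overload <bruteforce> flush global)

# 4. Own network last, with the $ and with the list after 'port'.  The
#    last matching non-quick rule is the one that applies, so connections
#    from these networks are accepted by this rule, not by rule 3, and
#    its rate-limit options are never applied to them.
pass in on $int0 proto tcp \
    from <own_network> to $int0 port $secured_attack_ports \
    flags S/SA keep state

# Parse without loading, then inspect what the overload table has caught:
#   pfctl -nf /etc/pf.conf
#   pfctl -t bruteforce -T show
```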