From: "Alex Teslik"
To: freebsd-questions@freebsd.org
Date: Tue, 3 May 2005 19:32:31 -0700
Subject: dynamically limit ip connections to ports over time?
Message-Id: <20050504021412.M91151@acatysmoof.com>

Hi all,

I have been running a FreeBSD box for a few years. Over this time spammers and other unfriendlies have found my box and have been attacking at a slowly increasing rate. Every night the daily periodic scripts run and report to me the number of rejected mail hosts. Last week, one of the rejected mail hosts had the number of rejections listed at 3000.
My hard drive has been getting louder and louder as it gets busier rejecting and logging all of these, and now I would like to do something about it... but I'm not sure what I can do. When the hard drive is at its busiest I see mail being virus and spam scanned at a dizzying rate (tail -f /var/log/maillog), hence the hard drive grinding.

What I would LIKE to do is allow any ip to connect to a port a specified number of times per minute. If they connect too many times, then I would like to freeze them out for a specified amount of time. This solution should be dynamic so that I don't need to constantly monitor the offending ip addresses.

Originally, I thought I would attach a sendmail milter to do this, since mail cannons are my main problem right now. I looked at: http://www.milter.info/milter-limit/index.shtml but it requires manually adding a rule for each ip. Then I considered grey-listing: http://www.milter.info/milter-gris/index.shtml but I don't want to reject messages and cause mail delivery delays on my system.

Finally, it occurred to me that the firewall would probably be a better solution and would have the nice side effect of limiting traffic to other ports as well. To try to accomplish this I have been reading a lot of IPFilter rules via google and lists, but I haven't found any that seem able to do what I describe above - limit by ip over time.

I'm sure this is not a unique problem - can someone point me in a helpful direction?

Many Thanks

P.S.- please cc my email address as I am not subscribed.
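An added example, not from the poster or anyone on the list: a small Python sketch of the policy the post asks for (N connections per IP per minute, then a freeze for a fixed period), fed with sendmail-style maillog lines. The log format, the thresholds, the addresses and the firewall hook are constructed assumptions; the actual blocking would be done by adding the address to a firewall table when "block" is returned and removing it once the freeze expires.

```python
import calendar
import re
import time
from collections import defaultdict, deque
# Pulls the syslog timestamp and relay address out of a sendmail maillog line.
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*relay=[^\[\]]*\[(?P<ip>[\d.]+)\]")

def parse_event(line):
    """Return (epoch_seconds, ip) for a line that names a relay, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = time.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog lines carry no year
    return calendar.timegm(ts), m.group("ip")

class RateLimiter:
    def __init__(self, max_per_window=20, window=60, freeze=600):
        self.max_per_window, self.window, self.freeze = max_per_window, window, freeze
        self.hits = defaultdict(deque)  # ip -> timestamps of recent connects
        self.frozen = {}                # ip -> time at which its freeze expires
    def observe(self, now, ip):
        # Returns 'allow', 'block' (freeze begins now) or 'frozen' (still frozen).
        expiry = self.frozen.get(ip)
        if expiry is not None:
            if now < expiry:
                return "frozen"
            del self.frozen[ip]         # freeze has lapsed: forget the old count
            self.hits[ip].clear()
        q = self.hits[ip]
        q.append(now)
        while q[0] <= now - self.window:  # slide the window forward
            q.popleft()
        if len(q) > self.max_per_window:
            self.frozen[ip] = now + self.freeze
            q.clear()
            return "block"  # hook: add ip to a firewall table here, drop it at expiry
        return "allow"

def process_log(lines, limiter):
    out = []  # [(ip, decision), ...] in log order
    for line in lines:
        event = parse_event(line)
        if event:
            out.append((event[1], limiter.observe(*event)))
    return out

SAMPLE_LOG = [  # constructed lines in sendmail's maillog format, not real traffic
    f"May  3 {t} gouda sm-mta[2927]: j442WVee002927: from=<x@example.net>, relay=host.example.net [{ip}]"
    for t, ip in [("19:32:00", "192.0.2.10"), ("19:32:05", "198.51.100.7"), ("19:32:10", "192.0.2.10"),
                  ("19:32:20", "192.0.2.10"), ("19:32:30", "192.0.2.10"), ("19:32:40", "192.0.2.10"),
                  ("19:43:40", "192.0.2.10")]]
```

With a limit of 3 per minute and a 600-second freeze, the sample log yields allow, allow, allow, allow, block, frozen and then allow again once the freeze has lapsed.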