Date:      Thu, 5 Oct 2017 09:02:31 +1100 (EST)
From:      Dave Horsfall <dave@horsfall.org>
To:        FreeBSD PF List <freebsd-pf@freebsd.org>
Subject:   Re: Rate-limiting in PF
Message-ID:  <alpine.BSF.2.21.1710050853400.73049@aneurin.horsfall.org>
In-Reply-To: <alpine.BSF.2.21.1710010949380.73049@aneurin.horsfall.org>
References:  <alpine.BSF.2.21.1710010949380.73049@aneurin.horsfall.org>

On Sun, 1 Oct 2017, Dave Horsfall wrote:

> 10.3-RELEASE-p21
>
> I am trying to restrict woodpecker attempts to my mail server (stupid 
> spamware regards rejects and a long banner it as a challenge), and 
> following advice on this list I used the following (the important bit, 
> anyway):
>
>    #
>    # No more than 10/IP, or 5/m should be plenty.
>    #
>    pass inet proto tcp from any to any port smtp \
> 	flags S/SA keep state \
> 	(max-src-conn 10, max-src-conn-rate 5/60, \
> 	overload <woodpeckers> flush global)

The max-src-conn-rate does not work according to the sample that I posted, 
and now I am having severe doubts about max-src-conn after all:

Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

[...]

Oct  4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

There were 498 in all.  So, does the rate-limiting work and I am doing 
something wrong, or does it not work but is documented, and thus is 
vapourware?

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
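An added check (not part of the thread, and not pf's own code) for the question above: does the observed connection cadence actually exceed the `max-src-conn-rate 5/60` threshold in the quoted rule? The script below parses sendmail lines of the quoted format and replays a sliding 60-second window per source address, the same "more than N new connections within S seconds" semantics pf applies. The sample log is constructed: the five quoted 14:21 lines plus one made-up sixth line continuing the roughly 11-second cadence, with a placeholder queue ID. Two caveats the log cannot settle: sendmail logs the time the connection was closed, not the time pf saw the SYN and created state, so the replay is approximate; and pf's source-tracking options only count states created by that particular rule, so a later matching rule (last match wins without `quick`) or a rule elsewhere creating the SMTP state would make the limits appear to do nothing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the five sendmail lines quoted in the mail, plus one
# extra line (14:21:58, placeholder queue ID) invented here to extend the
# observed cadence past a 60-second window.
SAMPLE_LOG = """\
Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:58 aneurin sm-mta[88523]: vXXXXXXX088523: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

# Matches the syslog timestamp and the bracketed client address of a
# sendmail "did not issue MAIL/EXPN/VRFY/ETRN" line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: "
    r"\S+: \[(?P<ip>[^\]]+)\] did not issue"
)


def parse(lines, year=2017):
    """Yield (timestamp, source_ip) for every matching log line.

    Syslog timestamps carry no year, so one is supplied (assumption: 2017,
    the year of the thread). Non-matching lines are skipped.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Oct  4"
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["ip"]


def per_source_counts(events):
    """Total connections per source address, for a quick overview."""
    counts = defaultdict(int)
    for _, ip in events:
        counts[ip] += 1
    return dict(counts)


def first_overload(events, max_conns, window_secs):
    """Replay pf's max-src-conn-rate logic over the events.

    Keeps, per source, the timestamps falling inside the trailing window.
    The first time a source has more than max_conns connections within
    window_secs is where pf would have added it to the overload table.
    Returns (ip, "Mon DD HH:MM:SS") or None if the threshold is never hit.
    """
    recent = defaultdict(deque)
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_secs:
            q.popleft()
        if len(q) > max_conns:
            return ip, ts.strftime("%b %d %H:%M:%S")
    return None


if __name__ == "__main__":
    evs = list(parse(SAMPLE_LOG.splitlines()))
    print("connections per source:", per_source_counts(evs))
    hit = first_overload(evs, max_conns=5, window_secs=60)
    print("max-src-conn-rate 5/60 would trigger at:", hit)
```

On the constructed sample the sixth connection is the first to exceed five within 60 seconds, so a rule that is actually creating these states should have populated the table by then. If the replay says the threshold is exceeded but the table stays empty, the usual things to verify are that the rule is the one creating the states (`pfctl -vsr` shows per-rule evaluation and state counters) and what the table holds (`pfctl -t woodpeckers -T show`). Note also that `overload <woodpeckers>` only adds the address to the table and `flush global` only kills its existing states; unless a rule such as a block referencing `<woodpeckers>` exists, the next connection from that address is still accepted.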