Date: Thu, 5 Oct 2017 00:56:00 +0100
From: Vincent Hoffman-Kazlauskas <vince@unsane.co.uk>
To: freebsd-pf@freebsd.org
Subject: Re: Rate-limiting in PF
Message-ID: <3dc9c2a9-ae68-1e56-d2b1-12530772690f@unsane.co.uk>
In-Reply-To: <alpine.BSF.2.21.1710050853400.73049@aneurin.horsfall.org>
References: <alpine.BSF.2.21.1710010949380.73049@aneurin.horsfall.org> <alpine.BSF.2.21.1710050853400.73049@aneurin.horsfall.org>
On 04/10/2017 23:02, Dave Horsfall wrote:
> On Sun, 1 Oct 2017, Dave Horsfall wrote:
>
>> 10.3-RELEASE-p21
>>
>> I am trying to restrict woodpecker attempts to my mail server (stupid
>> spamware regards rejects and a long banner it as a challenge), and
>> following advice on this list I used the following (the important bit,
>> anyway):
>>
>> #
>> # No more than 10/IP, or 5/m should be plenty.
>> #
>> pass inet proto tcp from any to any port smtp \
>>     flags S/SA keep state \
>>     (max-src-conn 10, max-src-conn-rate 5/60, \
>>     overload <woodpeckers> flush global)
>
> The max-src-conn-rate does not work according to the sample that I
> posted, and now I am having severe doubts about max-src-conn after all:
>
> Oct 4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct 4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct 4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct 4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct 4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> [...]
>
> Oct 4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct 4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct 4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct 4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct 4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> There were 498 in all. So, does the rate-limiting work and I am doing
> something wrong, or does it not work but is documented, and thus is
> vapourware?
>

I'm a bit out of practice, but IIRC what your rule does is: if an IP hits those limits, then add the IP to the woodpeckers table, i.e. classification, not policing. What rules do you have that act on that table? I.e. do you have a block rule like

    block drop quick from <woodpeckers> to any

Is anything added to the table (pfctl -t woodpeckers -T show)?

If there is, don't forget to expire them after a while unless you want them permanently banned; a cron with something like "pfctl -t woodpeckers -T expire 3600", IIRC.

Vince
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3dc9c2a9-ae68-1e56-d2b1-12530772690f>
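The point Vince makes above, as an added example that is not part of the thread and not Dave's actual ruleset: a pf.conf fragment that pairs the overload rule with the table definition and the block rule that actually enforces it, plus the cron entry that ages entries out. The interface name em0, the macro name $ext_if and the "in on $ext_if" qualifiers are assumptions for illustration; the table name and limits are the ones from the thread.

```pf
# Added example (not from the thread): overload into a table only
# classifies a source; a rule that references the table is what blocks it.
# $ext_if / em0 are assumed; adjust to the local ruleset.

ext_if = "em0"

# The table must be declared before a rule can overload into it.
# "persist" keeps it in the kernel even while it is empty.
table <woodpeckers> persist

# Enforce. "quick" stops rule evaluation at the first match, so an
# overloaded source never reaches the pass rule below regardless of
# rule order. Without a rule like this, overload has no visible effect.
block drop in quick on $ext_if from <woodpeckers> to any

# Classify. A single source with more than 10 concurrent SMTP states,
# or more than 5 new SMTP connections inside any 60-second window, is
# added to <woodpeckers>. "flush global" also removes every existing
# state for that source, not only the states created by this rule.
pass in on $ext_if inet proto tcp from any to any port smtp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <woodpeckers> flush global)

# Age entries out so a ban is not permanent. "-T expire 3600" deletes
# addresses whose statistics were last cleared (i.e. which were added)
# more than 3600 seconds ago. Run from root's crontab, e.g. hourly:
#
#   0 * * * * /sbin/pfctl -t woodpeckers -T expire 3600
```

Two checks after loading this with `pfctl -f /etc/pf.conf`: `pfctl -t woodpeckers -T show` lists the addresses currently classified, and `pfctl -v -s rules` prints per-rule counters, so a block rule whose packet count stays at zero while the table is non-empty usually means the rule is not matching the traffic you expect (wrong direction or interface). Note that max-src-conn-rate only fires once the threshold is exceeded, so a source that keeps its connection rate just below 5 per 60 seconds is never added; lower the rate, or rely on max-src-conn, if that is the pattern being seen.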