Date: Thu, 5 Oct 2017 07:06:46 +0300
From: Max <maximos@als.nnov.ru>
To: freebsd-pf@freebsd.org
Subject: Re: Rate-limiting in PF
Message-ID: <ec06d6a7-0a20-8cad-3470-3489ab9581e2@als.nnov.ru>
In-Reply-To: <alpine.BSF.2.21.1710050853400.73049@aneurin.horsfall.org>
References: <alpine.BSF.2.21.1710010949380.73049@aneurin.horsfall.org> <alpine.BSF.2.21.1710050853400.73049@aneurin.horsfall.org>

I think it is exactly 5 connections per 60 seconds. What does
"pfctl -sS | grep 114.100.182.206" show?

05.10.2017 1:02, Dave Horsfall wrote:
> On Sun, 1 Oct 2017, Dave Horsfall wrote:
>
>> 10.3-RELEASE-p21
>>
>> I am trying to restrict woodpecker attempts to my mail server (stupid
>> spamware regards rejects and a long banner it as a challenge), and
>> following advice on this list I used the following (the important
>> bit, anyway):
>>
>> #
>> # No more than 10/IP, or 5/m should be plenty.
>> #
>> pass inet proto tcp from any to any port smtp \
>> flags S/SA keep state \
>> (max-src-conn 10, max-src-conn-rate 5/60, \
>> overload <woodpeckers> flush global)
>
> The max-src-conn-rate does not work according to the sample that I
> posted, and now I am having severe doubts about max-src-conn after all:
>
> Oct 4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
> Oct 4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
> Oct 4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
> Oct 4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
> Oct 4 14:21:47 aneurin sm-mta[88522]: v943LanO088522:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
>
> [...]
>
> Oct 4 15:50:57 aneurin sm-mta[89297]: v944okM0089297:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
> Oct 4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
> Oct 4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
> Oct 4 15:51:29 aneurin sm-mta[89300]: v944pImO089300:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
> Oct 4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301:
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection
> to IPv4
>
> There were 498 in all. So, does the rate-limiting work and I am doing
> something wrong, or does it not work but is documented, and thus is
> vapourware?
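
An added example, not part of the original message and not pf's own code: a strict sliding-window count over the sendmail lines quoted above, for comparing the logged per-source rate against the 5/60 in the rule. It assumes the year 2017 (syslog omits it), that the limit trips only when the count exceeds the configured number, and that the log timestamp approximates when the connection was made; pf's internal accounting may differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The first five sendmail lines quoted in the message, rejoined onto single lines.
SAMPLE_LOG = """\
Oct 4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+sm-mta\[\d+\]:\s+\S+\s+"
    r"\[([0-9A-Fa-f.:]+)\]\s+did not issue")


def parse(lines, year=2017):
    """Yield (timestamp, ip); syslog omits the year, so `year` is an assumption."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            mon, day, clock, ip = m.groups()
            yield datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"), ip


def peak_per_window(lines, window=60):
    """Return {ip: highest number of logged connections inside any `window` seconds}."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip in sorted(parse(lines)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()  # drop connections that have aged out of the window
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def over_limit(lines, limit=5, window=60):
    """IPs whose peak exceeds `limit` per `window` (5/60 as in the quoted rule)."""
    return sorted(ip for ip, n in peak_per_window(lines, window).items() if n > limit)


if __name__ == "__main__":
    print(peak_per_window(SAMPLE_LOG.splitlines()))  # peak per source IP
    print(over_limit(SAMPLE_LOG.splitlines()))       # sources above 5 per 60 s
```

Running it over the full mail log rather than the five-line excerpt gives the peak for the whole 498-line run, which can then be set beside the output of the `pfctl -sS` command asked for in the reply.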