Date: Sun, 11 Feb 2007 08:54:03 -0600
From: "eculp@encontacto.net" <eculp@encontacto.net>
To: Volker <volker@vwsoft.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Re: SPAMD stop passing mail from WHITE-list
Message-ID: <20070211085403.70hvjlstbks0wk8g@correo.encontacto.net>
In-Reply-To: <45CC707C.5030608@vwsoft.com>
References: <E1HD4Bj-000D25-00.msgs_for_me-mail-ru@f30.mail.ru> <45C5D5DB.9050407@vwsoft.com> <20070208111755.81jaocgn4w880k4g@correo.encontacto.net> <45CC707C.5030608@vwsoft.com>
Quoting Volker <volker@vwsoft.com>:

> Ed,
> <SNIP />

Hi Volker,

I just set up a machine using your suggestions, correctly I hope ;)

> Nope, that's the wrong way. You let pass smtp (by a quick rule) but
> the block rule is after that. That is rendering your blocklist
> useless as all traffic is passing by the first rule.
>
> AFAIK the first connection causing an overload is being dropped but
> subsequent connections are still passing (as long as they don't
> overload).
>
> It should look like:
>
> block drop in quick on $ext_if from <blockhosts> to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
> keep state ( max-src-conn [ANYVAL], max-src-conn-rate
> [ANYVAL]/[ANYTIME], overload <blockhosts> flush global )

I have set it up as:

block drop in quick on $ext_if from <blocksmtp> to any
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global )

I'm still not flushing the table with tableexpire as I do with my
bruteforce ssh table from crontab. I want to evaluate the entries for a
while first.

I chose max-src-conn 5 because that is the max number of connections
per IP in courier. I assume that should work and if I change it, I
would think that I should probably change the courier esmtpd
configuration also. Time will tell I guess.

> Whenever any host is overloading ssh or smtp access, I'm loading
> their IP address into the blockhosts table and so the machine will
> never again talk to that IP address (forever!). You may want to do
> it different (for example flushing the table once a week or at
> midnight). One machine running this for months has already blocked
> 1400 IP addresses and as far as I've checked, all have been dynamic
> zombies (no regular mail clients have been blocked by that).
> I haven't found a way to use that mechanism to block such hosts for,
> say 120 minutes (which would be a great feature).
For my ssh-bruteforce table I am using a crontab entry to expire the
entries every 30 minutes. Just in case I shoot myself in the foot, the
pain is reduced to half an hour. ;)

*/30 * * * * root \
    /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

Thanks so much for sharing your configuration and advice.

ed

>
>> Could it work and be controllable or would it make a bad situation worse?
>
> You may use a blocking mechanism like that for any other host
> service, too. If you're going to use that for UDP "connections" you
> should be aware that they're connectionless and so options like "
> max-src-connXXX" don't match here.
>
> HTH,
>
> Volker
>
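An added check for the rule-ordering mistake Volker describes, written for this archive page and not part of the thread: it flags a pf.conf in which the quick pass rule feeding an overload table comes before the block rule that consults it. It assumes only that rules are single lines or backslash-continued lines; the two sample fragments are constructed from the rules quoted above (table name blocksmtp is Ed's).

```shell
#!/bin/sh
# Lint a pf.conf for the ordering bug discussed in the thread: the
# "block ... from <table>" rule must come before the quick pass rule whose
# overload option feeds that table, otherwise every SMTP connection matches
# the pass rule first and the blocklist never applies.
# Usage: check_overload_order <table> < pf.conf
#   exit 0 = ordered correctly, 1 = misordered, 2 = a rule is missing
check_overload_order() {
    awk -v tbl="<$1>" '
        # a line that does not follow a backslash-continued line starts a rule
        { if (!cont) start = NR; cont = ($0 ~ /\\[ \t]*$/) }
        # first rule dropping traffic sourced from the table
        /^[ \t]*block/ && index($0, "from " tbl) && !blk { blk = start }
        # first rule feeding the table through overload (any line of it)
        /overload/ && index($0, tbl) && !pss { pss = start }
        END {
            if (!pss) { print "no overload rule for " tbl; exit 2 }
            if (!blk) { print "no block rule for " tbl; exit 2 }
            if (pss < blk) {
                printf "misordered: pass rule at line %d precedes block at line %d\n", pss, blk
                exit 1
            }
            printf "ok: block at line %d precedes pass rule at line %d\n", blk, pss
        }'
}

# Constructed sample fragments (assumed, not a real configuration):
# the ordering Volker objected to (pass before block) ...
WRONG_CONF='pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global )
block drop in quick on $ext_if from <blocksmtp> to any'
# ... and the corrected ordering from Ed's reply.
RIGHT_CONF='block drop in quick on $ext_if from <blocksmtp> to any
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global )'

printf '%s\n' "$WRONG_CONF" | check_overload_order blocksmtp || true
printf '%s\n' "$RIGHT_CONF" | check_overload_order blocksmtp
```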
