From owner-freebsd-pf@FreeBSD.ORG Sun Feb 11 14:54:07 2007
Date: Sun, 11 Feb 2007 08:54:03 -0600
From: "eculp@encontacto.net"
To: Volker
Cc: freebsd-pf@freebsd.org
Subject: Re: Re: SPAMD stop passing mail from WHITE-list
Message-ID: <20070211085403.70hvjlstbks0wk8g@correo.encontacto.net>
In-Reply-To: <45CC707C.5030608@vwsoft.com>
References: <45C5D5DB.9050407@vwsoft.com> <20070208111755.81jaocgn4w880k4g@correo.encontacto.net> <45CC707C.5030608@vwsoft.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
User-Agent: Internet Messaging Program (IMP) H3 (4.2-cvs)

Quoting Volker:

> Ed,
>

Hi Volker,

I just set up a machine using your suggestions, correctly I hope ;)

> Nope, that's the wrong way. You let pass smtp (by a quick rule) but
> the block rule is after that. That is rendering your blocklist
> useless as all traffic is passing by the first rule.
>
> AFAIK the first connection causing an overload is being dropped but
> subsequent connections are still passing (as long as they don't
> overload).
>
> It should look like:
>
> block drop in quick on $ext_if from to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
> keep state ( max-src-conn [ANYVAL], max-src-conn-rate
> [ANYVAL]/[ANYTIME], overload flush global )

I have set it up as:

    block drop in quick on $ext_if from to any
    pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
        ( max-src-conn 5, max-src-conn-rate 80/90, overload flush global )

I'm still not flushing the table with expiretable as I do with my
bruteforce ssh table from crontab. I want to evaluate the entries for
a while first.

I chose max-src-conn 5 because that is the max number of connections
per IP in courier. I assume that should work and if I change it, I
would think that I should probably change the courier esmtpd
configuration also. Time will tell I guess.

> Whenever any host is overloading ssh or smtp access, I'm loading
> their IP address into the blockhosts table and so the machine will
> never again talk to that IP address (forever!). You may want to do
> it differently (for example flushing the table once a week or at
> midnight). One machine running this for months has already blocked
> 1400 IP addresses and as far as I've checked, all have been dynamic
> zombies (no regular mail clients have been blocked by that).
> I haven't found a way to use that mechanism to block such hosts for,
> say 120 minutes (which would be a great feature).
For my ssh-bruteforce table I am using a crontab entry to expire the
entries every 30 minutes. Just in case I shoot myself in the foot,
the pain is reduced to half an hour. ;)

    # /etc/crontab entry (one line; crontab has no backslash continuation,
    # and stderr is merged with "2>&1", not "2&>1")
    */30 * * * * root /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

Thanks so much for sharing your configuration and advice.

ed

>
>> Could it work and be controllable or would it make a bad situation worse?
>
> You may use a blocking mechanism like that for any other host
> service, too. If you're going to use that for UDP "connections" you
> should be aware that they're connectionless and so options like
> "max-src-connXXX" don't match here.
>
> HTH,
>
> Volker
>
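Two points in the thread are easy to get wrong in practice: with "quick" rules the first match wins, so the block rule on the overload table has to sit above the pass rule for smtp, and the table has to be expired by something outside pf (expiretable in the thread) or it grows forever. The script below is an added example, not code from the thread or from the expiretable port. It assumes a pfctl(8) that supports "-T expire <seconds>" (present in later FreeBSD releases; on a 2007-era system expiretable does the same job), that it runs as root from cron, and it uses the "<blockhosts>" table name Volker mentions; the install path /usr/local/sbin/pf-expire.sh and the PFCTL override are my own choices. The sample ruleset inside is constructed for the check, not anyone's real pf.conf.

```sh
#!/bin/sh
# Added example (not from the thread). Helpers around the pf overload setup
# discussed above: a ruleset-order check and a table expiry job.
# Assumes pfctl with "-T expire" and root privileges when actually expiring.

# Constructed sample in the corrected order (block-before-pass), used for the
# self-check below. Not the thread author's config.
sample_ruleset() {
    cat <<'EOF'
ext_if = "em0"
table <blockhosts> persist
block drop in quick on $ext_if from <blockhosts> to any
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp \
    keep state ( max-src-conn 5, max-src-conn-rate 80/90, \
    overload <blockhosts> flush global )
EOF
}

# Reads a ruleset on stdin. Returns 0 when the first "block ... quick ... from
# <table>" line precedes the first "pass ... quick ... port smtp" line, 1
# otherwise (the mis-ordering Volker describes, which makes the table useless).
overload_block_before_pass() {
    awk -v tbl="<$1>" '
        /^[ \t]*#/ { next }                                       # comments
        $1 == "block" && /quick/ && index($0, "from " tbl) && !b { b = NR }
        $1 == "pass"  && /quick/ && /port smtp/ && !p              { p = NR }
        END { exit (b && p && b < p) ? 0 : 1 }
    '
}

# "30m" -> 1800, "2h" -> 7200, "120" or "120s" -> 120. Prints seconds and
# returns 0, or returns 1 on garbage or zero (a typo in a crontab line must
# not turn into "expire everything").
parse_age() {
    n="${1%[smhd]}"
    case "$n" in ""|*[!0-9]*) return 1 ;; esac
    case "$1" in
        *m) n=$((n * 60)) ;;
        *h) n=$((n * 3600)) ;;
        *d) n=$((n * 86400)) ;;
    esac
    [ "$n" -gt 0 ] || return 1
    echo "$n"
}

# Expire table entries older than the given age. The table name is validated
# so a value from cron/argv cannot smuggle extra pfctl arguments; set
# PFCTL=echo for a dry run.
expire_table() {
    table="$1"; age="$2"
    case "$table" in *[!A-Za-z0-9_-]*|"") echo "bad table name" >&2; return 1 ;; esac
    secs=$(parse_age "$age") || { echo "bad age: $age" >&2; return 1; }
    "${PFCTL:-pfctl}" -t "$table" -T expire "$secs"
}

# Equivalent of the thread's 30-minute cron job, keeping offenders for 2 hours:
#   */30 * * * * root /usr/local/sbin/pf-expire.sh blockhosts 2h >/dev/null 2>&1
if [ $# -eq 2 ]; then
    expire_table "$1" "$2"
fi
```

Run the order check against the live file with "pfctl -sr" or the config itself, e.g. "overload_block_before_pass blockhosts < /etc/pf.conf"; a non-zero exit means the smtp pass rule is being matched before the block rule. The "-T expire" approach answers Volker's wish for a time-limited block (120 minutes is just "2h" here) without touching the ruleset.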