From owner-freebsd-pf@freebsd.org Tue Aug 15 23:08:01 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E2173DD32E6 for ; Tue, 15 Aug 2017 23:08:01 +0000 (UTC) (envelope-from dave@horsfall.org) Received: from viclamta02p.bpe.bigpond.com (viclamta02p.bpe.bigpond.com [203.38.21.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "", Issuer "Openwave Messaging Inc." (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C133563E1F for ; Tue, 15 Aug 2017 23:07:57 +0000 (UTC) (envelope-from dave@horsfall.org) Received: from smtp.telstra.com ([10.10.26.4]) by viclafep30p-svc.bpe.nexus.telstra.com.au with ESMTP id <20170815213739.XHRN10582.viclafep30p-svc.bpe.nexus.telstra.com.au@smtp.telstra.com> for ; Wed, 16 Aug 2017 07:37:39 +1000 X-RG-Spam: Unknown X-Junkmail-Premium-Raw: score=7/83, refid=2.7.2:2017.8.15.203916:17:7.944, ip=, rules=__HAS_FROM, __TO_MALFORMED_2, __TO_NAME, __TO_NAME_DIFF_FROM_ACC, __SUBJ_ALPHA_END, __HAS_MSGID, __SANE_MSGID, __USER_AGENT, __MIME_VERSION, __CT, __CT_TEXT_PLAIN, __NO_HTML_TAG_RAW, BODYTEXTP_SIZE_3000_LESS, BODY_SIZE_400_499, __MIME_TEXT_P1, __MIME_TEXT_ONLY, HTML_00_01, HTML_00_10, BODY_SIZE_5000_LESS, __TO_REAL_NAMES, NO_URI_FOUND, NO_CTA_URI_FOUND, BODY_SIZE_1000_LESS, BODY_SIZE_2000_LESS, __MIME_TEXT_P, NO_URI_HTTPS, BODY_SIZE_7000_LESS Received: from aneurin.horsfall.org (110.141.193.233) by smtp.telstra.com (9.0.019.16-1) id 59816E020244CD78 for freebsd-pf@freebsd.org; Wed, 16 Aug 2017 07:37:39 +1000 Received: from aneurin.horsfall.org (localhost [127.0.0.1]) by aneurin.horsfall.org (8.15.2/8.15.2) with ESMTP id v7FLbcRi051963 for ; Wed, 16 Aug 2017 07:37:38 +1000 (EST) (envelope-from dave@horsfall.org) Received: from localhost (dave@localhost) by aneurin.horsfall.org (8.15.2/8.15.2/Submit) with ESMTP id v7FLbbMD051960 for ; Wed, 16 Aug 2017 07:37:38 +1000 (EST) (envelope-from dave@horsfall.org) X-Authentication-Warning: aneurin.horsfall.org: dave owned process doing -bs Date: Wed, 16 Aug 2017 07:37:36 +1000 (EST) From: Dave Horsfall To: FreeBSD PF List Subject: Help with woodpecker config Message-ID: User-Agent: Alpine 2.21 (BSF 202 2017-01-01) X-GPG-Public-Key: http://www.horsfall.org/gpgkey.pub X-GPG-Fingerprint: 05B4 FFBC 0218 B438 66E0 587B EF46 7357 EF5E F58B X-Home-Page: http://www.horsfall.org/ X-Witty-Saying: "chmod 666 the_mode_of_the_beast" MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Aug 2017 23:08:02 -0000 I get a lot of woodpecker attempts on my mailserver i.e. a connection gets rejected for a variety of reasons (I have some fairly savage anti-spam measures) and they retry straight away. I've played with the "N connects in M seconds" stuff but cannot seem to get it to work (FreeBSD 10.3). Does anyone have a working config that they can share, to give me a leg up? Thanks. -- Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer." From owner-freebsd-pf@freebsd.org Wed Aug 16 19:52:54 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 714A1DCC94B for ; Wed, 16 Aug 2017 19:52:54 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5EDB66D0B4 for ; Wed, 16 Aug 2017 19:52:54 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v7GJqrxW091498 for ; Wed, 16 Aug 2017 19:52:54 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 221201] [pf] Prevent possible endless loop when searching for an unused nat port Date: Wed, 16 Aug 2017 19:52:53 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: patch, security X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: commit-hook@freebsd.org X-Bugzilla-Status: Open X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Flags: mfc-stable10? mfc-stable11? X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Aug 2017 19:52:54 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D221201 --- Comment #2 from commit-hook@freebsd.org --- A commit references this bug: Author: kp Date: Wed Aug 16 19:52:32 UTC 2017 New revision: 322591 URL: https://svnweb.freebsd.org/changeset/base/322591 Log: MFC r322280: pf_get_sport(): Prevent possible endless loop when searching for an unused nat port This is an import of Alexander Bluhm's OpenBSD commit r1.60, the first chunk had to be modified because on OpenBSD the 'cut' declaration is located elsewhere. Upstream report by Jingmin Zhou: https://marc.info/?l=3Dopenbsd-pf&m=3D150020133510896&w=3D2 OpenBSD commit message: Use a 32 bit variable to detect integer overflow when searching for an unused nat port. Prevents a possible endless loop if high port is 65535 or low port is 0. report and analysis Jingmin Zhou; OK sashan@ visa@ Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c PR: 221201 Submitted by: Fabian Keil Obtained from: OpenBSD via ElectroBSD Changes: _U stable/11/ stable/11/sys/netpfil/pf/pf_lb.c --=20 You are receiving this mail because: You are the assignee for the bug.=