Date: Sun, 1 Oct 2017 11:10:20 +1100 (EST)
From: Dave Horsfall <dave@horsfall.org>
To: FreeBSD PF List <freebsd-pf@freebsd.org>
Subject: Rate-limiting in PF
Message-ID: <alpine.BSF.2.21.1710010949380.73049@aneurin.horsfall.org>
10.3-RELEASE-p21

I am trying to restrict woodpecker attempts to my mail server (stupid
spamware regards rejects and a long banner as a challenge), and following
advice on this list I used the following (the important bit, anyway):

    #
    # No more than 10/IP, or 5/m should be plenty.
    #
    pass inet proto tcp from any to any port smtp \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 5/60, \
        overload <woodpeckers> flush global)

And here is a sample log; I can see that the 10/IP works, but the 5/m does
not seem to be blocking the 10s attempts:

    Oct 1 09:40:44 aneurin sm-mta[73002]: v8UMeZml073002: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:40:55 aneurin sm-mta[73003]: v8UMejQm073003: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:41:06 aneurin sm-mta[73004]: v8UMeuVT073004: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:41:17 aneurin sm-mta[73005]: v8UMf6gp073005: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:41:28 aneurin sm-mta[73006]: v8UMfH58073006: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:41:40 aneurin sm-mta[73007]: v8UMfTfK073007: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:41:52 aneurin sm-mta[73008]: v8UMfgXH073008: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:42:03 aneurin sm-mta[73010]: v8UMfrxc073010: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:42:14 aneurin sm-mta[73011]: v8UMg4x4073011: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Oct 1 09:42:25 aneurin sm-mta[73012]: v8UMgFNw073012: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

What have I done wrong? Does max-src-conn-rate actually work?
-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
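The question is whether the source in that log actually exceeds the configured 5 connections per 60 seconds. The script below, an added example that is not part of the post, replays the sendmail lines through the same sliding-window rule that `max-src-conn-rate 5/60` expresses ("more than N new connections within M seconds from one source") and reports each log line at which the threshold would be crossed. The log text is the sample from the message; the year, the regex for the sm-mta line format and the function names are this example's own assumptions. One caveat built into the lead-in: sendmail writes "did not issue MAIL/EXPN/VRFY/ETRN" when a connection closes, so these timestamps are close times, whereas pf counts state creations; the replay is therefore an approximation, not a view into pf's own counters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed input: the sm-mta lines quoted in the post (year assumed to be 2017,
# since syslog omits it).
SAMPLE_LOG = """\
Oct 1 09:40:44 aneurin sm-mta[73002]: v8UMeZml073002: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:40:55 aneurin sm-mta[73003]: v8UMejQm073003: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:06 aneurin sm-mta[73004]: v8UMeuVT073004: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:17 aneurin sm-mta[73005]: v8UMf6gp073005: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:28 aneurin sm-mta[73006]: v8UMfH58073006: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:40 aneurin sm-mta[73007]: v8UMfTfK073007: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:52 aneurin sm-mta[73008]: v8UMfgXH073008: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:03 aneurin sm-mta[73010]: v8UMfrxc073010: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:14 aneurin sm-mta[73011]: v8UMg4x4073011: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:25 aneurin sm-mta[73012]: v8UMgFNw073012: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> sm-mta[<pid>]: <queue-id>: [<ip>] <message>".
# Syslog pads single-digit days with two spaces, so the day field allows either.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sm-mta\[\d+\]: \S+: \[(?P<ip>[0-9A-Fa-f.:]+)\] (?P<msg>.*)$"
)


def parse_log(text, year=2017):
    """Return a list of (timestamp, source_ip) for every sm-mta line that parses."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated syslog line; skip rather than guess
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"]))
    return events


def rate_violations(events, max_conn, window_seconds):
    """Sliding-window replay of 'max-src-conn-rate max_conn/window_seconds'.

    For each event, count the source's events in the trailing window (inclusive of
    this one). Return (timestamp, ip, count) for every event where count > max_conn,
    i.e. every point at which pf's rule would have been exceeded.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    violations = []
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that have aged out of the window
        if len(q) > max_conn:
            violations.append((ts, ip, len(q)))
    return violations


def first_violation(text, max_conn=5, window_seconds=60):
    """Convenience wrapper: the first (timestamp, ip, count) exceeding the rate, or None."""
    hits = rate_violations(parse_log(text), max_conn, window_seconds)
    return hits[0] if hits else None


if __name__ == "__main__":
    for ts, ip, n in rate_violations(parse_log(SAMPLE_LOG), 5, 60):
        print(f"{ts:%H:%M:%S} {ip}: {n} connections in the last 60 s (limit 5)")
```

With the post's own 11-second spacing the sixth connection from 196.196.27.126 lands at 09:41:40, 56 seconds after the first, so the log-side replay says the 5/60 threshold is crossed from that line onward and every subsequent line stays over it. That makes the log consistent with the rule being exceeded rather than with the rule being too loose; the authoritative check on the host is `pfctl -t woodpeckers -T show` to see whether the address was ever added to the overload table, and `pfctl -s states` to confirm the SMTP connections are in fact creating state under this rule.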