From owner-freebsd-pf@freebsd.org Sun Oct 1 02:11:43 2017
From: Dave Horsfall
To: FreeBSD PF List
Subject: Rate-limiting in PF
Date: Sun, 1 Oct 2017 11:10:20 +1100 (EST)
User-Agent: Alpine 2.21 (BSF 202 2017-01-01)
X-GPG-Public-Key: http://www.horsfall.org/gpgkey.pub
X-GPG-Fingerprint: 05B4 FFBC 0218 B438 66E0 587B EF46 7357 EF5E F58B
X-Home-Page: http://www.horsfall.org/
X-Witty-Saying: "chmod 666 the_mode_of_the_beast"
List-Id: "Technical discussion and general questions about packet filter (pf)"

10.3-RELEASE-p21

I am trying to restrict woodpecker attempts to my mail server (stupid spamware regards rejects and a long banner as a challenge), and following advice on this list I used the following (the important bit, anyway):

    #
    # No more than 10/IP, or 5/m should be plenty.
    #
    pass inet proto tcp from any to any port smtp \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 5/60, \
        overload <woodpeckers> flush global)

And here is a sample log; I can see that the 10/IP works, but the 5/m does not seem to be blocking the 10s attempts:

Oct 1 09:40:44 aneurin sm-mta[73002]: v8UMeZml073002: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:40:55 aneurin sm-mta[73003]: v8UMejQm073003: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:06 aneurin sm-mta[73004]: v8UMeuVT073004: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:17 aneurin sm-mta[73005]: v8UMf6gp073005: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:28 aneurin sm-mta[73006]: v8UMfH58073006: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:40 aneurin sm-mta[73007]: v8UMfTfK073007: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:52 aneurin sm-mta[73008]: v8UMfgXH073008: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:03 aneurin sm-mta[73010]: v8UMfrxc073010: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:14 aneurin sm-mta[73011]: v8UMg4x4073011: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:25 aneurin sm-mta[73012]: v8UMgFNw073012: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

What have I done wrong? Does max-src-conn-rate actually work?

--
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."

From owner-freebsd-pf@freebsd.org Sun Oct 1 08:36:08 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 222126] pf is not clearing expired states
Date: Sun, 01 Oct 2017 08:36:05 +0000
X-Bugzilla-Version: 11.1-RELEASE
X-Bugzilla-Who: hlh@restart.be

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126

--- Comment #31 from hlh@restart.be ---
(In reply to Kristof Provost from comment #27)

When the problem occurs, there are no more lines in the dtrace log.
Here are the last 20 lines:

[root@norquay ~]# tail -n 20 /var/log/pf.dtrace.log-before
  0   2257       pf_purge_expired_states:entry
  0   2258      pf_purge_expired_states:return
  0   2258      pf_purge_expired_states:return
  0   2257       pf_purge_expired_states:entry
  0   2258      pf_purge_expired_states:return
  0   2258      pf_purge_expired_states:return
  3   2257       pf_purge_expired_states:entry
  3   2258      pf_purge_expired_states:return
  3   2258      pf_purge_expired_states:return
  3   2257       pf_purge_expired_states:entry
  3   2258      pf_purge_expired_states:return
  3   2258      pf_purge_expired_states:return
  3   2257       pf_purge_expired_states:entry
  3   2258      pf_purge_expired_states:return
  3   2258      pf_purge_expired_states:return
  1   2257       pf_purge_expired_states:entry
  1   2258      pf_purge_expired_states:return
  1   2258      pf_purge_expired_states:return

Then I run:

[root@norquay ~]# echo "set timeout interval 5" | pfctl -mf -

And the dtrace log resumes; the first 20 lines are:

[root@norquay ~]# head -n 20 /var/log/pf.dtrace.log
CPU     ID                    FUNCTION:NAME
  1   2257       pf_purge_expired_states:entry
  1   2258      pf_purge_expired_states:return
  1   2258      pf_purge_expired_states:return
  0   2257       pf_purge_expired_states:entry
  0   2258      pf_purge_expired_states:return
  0   2258      pf_purge_expired_states:return
  0   2257       pf_purge_expired_states:entry
  0   2258      pf_purge_expired_states:return
  0   2258      pf_purge_expired_states:return
  0   2257       pf_purge_expired_states:entry
  0   2258      pf_purge_expired_states:return
  0   2258      pf_purge_expired_states:return
  0   2257       pf_purge_expired_states:entry
  0   2258      pf_purge_expired_states:return
  0   2258      pf_purge_expired_states:return
  0   2257       pf_purge_expired_states:entry
  0   2258      pf_purge_expired_states:return
  0   2258      pf_purge_expired_states:return
  0   2258      pf_purge_expired_states:return

PS: I have the 2 log files and we can go back more than 20 lines.
--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Sun Oct 1 15:39:15 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 222126] pf is not clearing expired states
Date: Sun, 01 Oct 2017 15:39:15 +0000
X-Bugzilla-Version: 11.1-RELEASE
X-Bugzilla-Who: kp@freebsd.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126

--- Comment #32 from Kristof Provost ---
(In reply to hlh from comment #31)

It's a little odd that you're seeing double pf_purge_expired_states:return entries. Any chance you've got two such probes in your dtrace script?

Anyway, let's stick a couple of static probes in and see what's going on:

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 8613a161f0a..f8244a6ef6e 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include
@@ -105,6 +106,14 @@ __FBSDID("$FreeBSD$"); #define DPFPRINTF(n, x) if (V_pf_status.debug >=3D (n)) printf x +/* DTrace static probes */ +SDT_PROVIDER_DEFINE(pf); + +SDT_PROBE_DEFINE(pf, purge, thread, wakeup); +SDT_PROBE_DEFINE2(pf, purge, , expired_states, + "unsigned int", + "int"); + /* * Global variables */ @@ -1434,6 +1443,7 @@ pf_purge_thread(void *unused __unused) sx_xlock(&pf_end_lock); while (pf_end_threads =3D=3D 0) { sx_sleep(pf_purge_thread, &pf_end_lock, 0, "pftm", hz / 10); + SDT_PROBE0(pf, purge, thread, wakeup); VNET_LIST_RLOCK(); VNET_FOREACH(vnet_iter) { 
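Review bot: the SDT_PROBE_DEFINE2(pf, purge, , expired_states, "unsigned int", "int") hunk declares exactly two arguments, matching pf_purge_expired_states(u_int i, int maxcheck), yet the dtrace script offered below prints arg0, arg1 and arg2, so the third %d will report an undefined value. Either drop the extra %d, or make it SDT_PROBE_DEFINE3 and pass V_pf_status.states (freshly loaded right where SDT_PROBE2 is placed) as the third argument, which would show directly whether the state count moves between purge runs. Minor: the empty function component in (pf, purge, , expired_states) next to (pf, purge, thread, wakeup) is legal but forces the script to match it as pf:purge::expired_states; consider giving both probes a function component.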
@@ -1680,6 +1690,8 @@ pf_purge_expired_states(u_int i, int maxcheck) V_pf_status.states =3D uma_zone_get_cur(V_pf_state_z); + SDT_PROBE2(pf, purge, , expired_states, i, maxcheck); + /* * Go through hash and unlink states that expire now. */

You can trace those with:

#!/usr/sbin/dtrace -s

pf:purge:thread:wakeup
{
}

pf:purge::expired_states
{
	printf("i %d maxentry %d %d", arg0, arg1, arg2);
}

Hopefully we'll get a clue as to what's going on with this.

From owner-freebsd-pf@freebsd.org Mon Oct 2 06:10:32 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 222126] pf is not clearing expired states
Date: Mon, 02 Oct 2017 06:10:32 +0000
X-Bugzilla-Version: 11.1-RELEASE
X-Bugzilla-Who: hlh@restart.be

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126

--- Comment #33 from hlh@restart.be ---
(In reply to Kristof Provost from comment #32)

Here is the dtrace script used:

#!/usr/sbin/dtrace -s

fbt:kernel:pf_purge_expired_states:entry
{
}

fbt:kernel:pf_purge_expired_states:return
{
}

fbt:kernel:pf_purge_expired_fragments:entry
{
}

fbt:kernel:pf_purge_thread:entry
{
}

I'm making the changes you asked for.
From owner-freebsd-pf@freebsd.org Mon Oct 2 10:06:50 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 222126] pf is not clearing expired states
Date: Mon, 02 Oct 2017 10:06:50 +0000
X-Bugzilla-Version: 11.1-RELEASE
X-Bugzilla-Who: hlh@restart.be

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126

--- Comment #34 from hlh@restart.be ---
(In reply to Kristof Provost from comment #32)

I checked the troubling number of returns:

[root@norquay log]# grep entry pf.dtrace1.log-before | wc -l
2026647
[root@norquay log]# grep return pf.dtrace1.log-before | wc -l
4021723
[root@norquay log]# bc
2026647*2
4053294
4053294-4021723
31571

Really strange!
From owner-freebsd-pf@freebsd.org Wed Oct 4 23:00:13 2017
Date: Thu, 5 Oct 2017 09:02:31 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Rate-limiting in PF

On Sun, 1 Oct 2017, Dave Horsfall wrote:

> 10.3-RELEASE-p21
>
> I am trying to restrict woodpecker attempts to my mail server (stupid
> spamware regards rejects and a long banner as a challenge), and
> following advice on this list I used the following (the important bit,
> anyway):
>
>     #
>     # No more than 10/IP, or 5/m should be plenty.
>     #
>     pass inet proto tcp from any to any port smtp \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 5/60, \
>         overload <woodpeckers> flush global)

The max-src-conn-rate does not work according to the sample that I posted, and now I am having severe doubts about max-src-conn after all:

Oct 4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

[...]

Oct 4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

There were 498 in all. So, does the rate-limiting work and I am doing something wrong, or does it not work but is documented, and thus is vapourware?

--
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
From owner-freebsd-pf@freebsd.org Wed Oct 4 23:56:02 2017
Subject: Re: Rate-limiting in PF
To: freebsd-pf@freebsd.org
From: Vincent Hoffman-Kazlauskas
Message-ID: <3dc9c2a9-ae68-1e56-d2b1-12530772690f@unsane.co.uk>
Date: Thu, 5 Oct 2017 00:56:00 +0100

On 04/10/2017 23:02, Dave Horsfall wrote:
> On Sun, 1 Oct 2017, Dave Horsfall wrote:
>
>> 10.3-RELEASE-p21
>>
>> I am trying to restrict woodpecker attempts to my mail server (stupid
>> spamware regards rejects and a long banner as a challenge), and
>> following advice on this list I used the following (the important bit,
>> anyway):
>>
>>    #
>>    # No more than 10/IP, or 5/m should be plenty.
>>    #
>>    pass inet proto tcp from any to any port smtp \
>>     flags S/SA keep state \
>>     (max-src-conn 10, max-src-conn-rate 5/60, \
>>     overload <woodpeckers> flush global)
>
> The max-src-conn-rate does not work according to the sample that I
> posted, and now I am having severe doubts about max-src-conn after all:
>
> Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> [...]
>
> Oct  4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> There were 498 in all.  So, does the rate-limiting work and I am doing
> something wrong, or does it not work but is documented, and thus is
> vapourware?
>

I'm a bit out of practice, but IIRC what your rule does is: if an IP hits those limits, then add the IP to the woodpeckers table, i.e. classification, not policing.

What rules do you have that act on that table? I.e. do you have a block rule like

    block drop quick from <woodpeckers> to any

Is anything added to the table (pfctl -t woodpeckers -T show)?

If there is, don't forget to expire them after a while unless you want them permanently banned; a cron with something like "pfctl -t woodpeckers -T expire 3600", IIRC.

Vince

From owner-freebsd-pf@freebsd.org Thu Oct 5 00:25:33 2017
Date: Thu, 5 Oct 2017 11:25:14 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Rate-limiting in PF
In-Reply-To: <3dc9c2a9-ae68-1e56-d2b1-12530772690f@unsane.co.uk>

On Thu, 5 Oct 2017, Vincent Hoffman-Kazlauskas wrote:

> What rules do you have that act on that table? I.e. do you have a block
> rule like
>
>     block drop quick from <woodpeckers> to any

Ah; I forgot to show that bit:

    # block in log quick on $ext_if from <woodpeckers>
    block in quick on $ext_if from <woodpeckers>

The "drop" is implied, AFAIK.

> Is anything added to the table (pfctl -t woodpeckers -T show)?

I have lots of them because I've been adding them by hand, but this time I'll hold back and observe, just to be sure.

> If there is, don't forget to expire them after a while unless you want
> them permanently banned; a cron with something like "pfctl -t
> woodpeckers -T expire 3600", IIRC.

I never expire spammers; I'd prefer that they expired instead :-) Once a Pee-Cee has been 0wn3d, it tends to stay that way because the former owner is too stupid to realise it. After all, there are two sorts of Windoze boxes: those that are compromised, and those that soon will be...

--
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
From owner-freebsd-pf@freebsd.org Thu Oct 5 04:43:41 2017
Subject: Re: Rate-limiting in PF
To: freebsd-pf@freebsd.org
From: Max Message-ID: Date: Thu, 5 Oct 2017 07:06:46 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-GB X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Oct 2017 04:43:41 -0000 I think, it is exactly 5 connections per 60 seconds. What does "pfctl -sS | grep 114.100.182.206" show? 05.10.2017 1:02, Dave Horsfall пишет: > On Sun, 1 Oct 2017, Dave Horsfall wrote: > >> 10.3-RELEASE-p21 >> >> I am trying to restrict woodpecker attempts to my mail server (stupid >> spamware regards rejects and a long banner it as a challenge), and >> following advice on this list I used the following (the important >> bit, anyway): >> >>    # >>    # No more than 10/IP, or 5/m should be plenty. 
>>    # >>    pass inet proto tcp from any to any port smtp \ >>     flags S/SA keep state \ >>     (max-src-conn 10, max-src-conn-rate 5/60, \ >>     overload flush global) > > The max-src-conn-rate does not work according to the sample that I > posted, and now I am having severe doubts about max-src-conn after all: > > Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > > [...] > > Oct  4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > Oct  4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > Oct  4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > Oct  4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > Oct  4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: > [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection > to IPv4 > > There were 498 in all.  So, does the rate-limiting work and I am doing > something wrong, or does it not work but is documented, and thus is > vapourware? 
From owner-freebsd-pf@freebsd.org Sat Oct 7 06:08:29 2017
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Rate-limiting in PF
Date: Sat, 7 Oct 2017 16:51:08 +1100 (EST)
References: <3dc9c2a9-ae68-1e56-d2b1-12530772690f@unsane.co.uk>

On Thu, 5 Oct 2017, Dave Horsfall wrote:

>> is anything added to the table (pfctl -t woodpeckers -T show)
>
> I have lots of them because I've been adding them by hand, but this time
> I'll hold back and observe, just to be sure.

No, they are not being added; here's an extract from the mail log:

Oct  7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:07 aneurin sm-mta[6928]: v974MvjQ006928: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:18 aneurin sm-mta[6930]: v974N7c3006930: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:38 aneurin sm-mta[6931]: v974NRZM006931: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:49 aneurin sm-mta[6932]: v974NcYF006932: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

"pfctl -t woodpeckers -T show | grep 37.49.224.104" is empty.

But wait...

It looks for all the world like they are deliberately stopping after 5/m
without getting blocked, waiting a bit, then starting up again... Either
that, or the block is not "sticking" for some reason.

Hence my question: can anyone state unequivocally that the rate limiting
does indeed work (pref. with proof) and that I am doing something subtly
wrong, and if so what is it?

In the meantime, I've enabled logging on the rate-limited packets, to see
if that sheds a little more light.

If/when confirmed as a PF bug I'll report it accordingly, as I prefer to
eliminate my own stupidity first :-)

-- 
Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."

From owner-freebsd-pf@freebsd.org Sat Oct 7 06:31:16 2017
From: Doug Hardie
To: Dave Horsfall
Cc: FreeBSD PF List
Subject: Re: Rate-limiting in PF
Date: Fri, 6 Oct 2017 23:31:09 -0700
References: <3dc9c2a9-ae68-1e56-d2b1-12530772690f@unsane.co.uk>

> On 6 October 2017, at 22:51, Dave Horsfall wrote:
>
> On Thu, 5 Oct 2017, Dave Horsfall wrote:
>
>>> is anything added to the table (pfctl -t woodpeckers -T show)
>>
>> I have lots of them because I've been adding them by hand, but this time I'll hold back and observe, just to be sure.
>
> No, they are not being added; here's an extract from the mail log:
>
> Oct  7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:07 aneurin sm-mta[6928]: v974MvjQ006928: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:18 aneurin sm-mta[6930]: v974N7c3006930: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:38 aneurin sm-mta[6931]: v974NRZM006931: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:49 aneurin sm-mta[6932]: v974NcYF006932: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> "pfctl -t woodpeckers -T show | grep 37.49.224.104" is empty.
>
> But wait...
>
> It looks for all the world like they are deliberately stopping after 5/m without getting blocked, waiting a bit, then starting up again... Either that, or the block is not "sticking" for some reason.
>
> Hence my question: can anyone state unequivocally that the rate limiting does indeed work (pref. with proof) and that I am doing something subtly wrong, and if so what is it?
>
> In the meantime, I've enabled logging on the rate-limited packets, to see if that sheds a little more light.
>
> If/when confirmed as a PF bug I'll report it accordingly, as I prefer to eliminate my own stupidity first :-)

mail# pfctl -Ts -twoodpeckers
54.218.78.120
64.142.105.165
67.231.156.214
74.208.165.59
117.92.178.86
117.92.197.203
169.232.46.186
223.130.19.71
223.240.208.137

Using the last entry as it was undoubtedly entered today:

mail# grep 223.240.208.137 maillog | grep " CONNECT"
Oct  6 22:22:06 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:3583 to [10.0.1.230]:25
Oct  6 22:22:08 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:2623 to [10.0.1.230]:25
Oct  6 22:22:36 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:1571 to [10.0.1.230]:25
Oct  6 22:22:39 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:1154 to [10.0.1.230]:25
Oct  6 22:22:42 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:4433 to [10.0.1.230]:25
Oct  6 22:22:45 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:1485 to [10.0.1.230]:25

mail# tcpdump -r pflog -ve host 223.240.208.137
reading from file pflog, link-type PFLOG (OpenBSD pflog file)
22:22:51.546323 rule 2/0(match): block in on bge0: (tos 0x0, ttl 112, id 14786, offset 0, flags [none], proto TCP (6), length 40)
    223.240.208.137.4737 > mail.smtp: Flags [.], cksum 0x35b0 (correct), ack 2194297633, win 65535, length 0
22:22:54.554098 rule 2/0(match): block in on bge0: (tos 0x0, ttl 112, id 53710, offset 0, flags [none], proto TCP (6), length 40)
    223.240.208.137.4737 > mail.smtp: Flags [.], cksum 0x35b0 (correct), ack 1, win 65535, length 0
22:22:57.636227 rule 2/0(match): block in on bge0: (tos 0x0, ttl 112, id 30650, offset 0, flags [none], proto TCP (6), length 40)
    223.240.208.137.4737 > mail.smtp: Flags [.], cksum 0x35b0 (correct), ack 1, win 65535, length 0

The way I read this is that 223.240.208.137 tried 6 times in less than one
minute. It was added to woodpeckers around 22:22:45. The next connection
was after that at 22:22:51 and it was blocked by pf rule 2 which is:

block drop in log quick on bge0 from <woodpeckers> to any

Rule 3 is:

pass in inet proto tcp from any to any port = smtp flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 5/60, overload <woodpeckers> flush global, src.track 60)

This is on FreeBSD 11.1.

-- Doug
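The whole thread turns on one question: did a single source actually exceed five new connections inside sixty seconds, as seen from the timestamps in the two mail logs quoted above? The following Python script is an added illustration, not code from either poster, that replays those logged timestamps through a per-source sliding window with the same 5/60 parameters and reports the event that would push the source into the overload table. Two assumptions are marked in the comments: the log year (syslog lines carry none; 2017 is taken from the thread), and the use of sendmail's "did not issue MAIL" line, which is written at disconnect, as a stand-in for the connection time. pf.conf(5) describes max-src-conn-rate as an approximation computed as a moving average, so the strict window here models the intended limit, not pf's code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Log lines copied from the thread. The postscreen CONNECT lines are written
# when the peer connects; sendmail's "did not issue MAIL" lines are written
# when the peer disconnects, so for that log the real connection start is
# earlier by however long each session lasted (an assumption of this model).
POSTSCREEN_LOG = """\
Oct  6 22:22:06 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:3583 to [10.0.1.230]:25
Oct  6 22:22:08 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:2623 to [10.0.1.230]:25
Oct  6 22:22:36 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:1571 to [10.0.1.230]:25
Oct  6 22:22:39 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:1154 to [10.0.1.230]:25
Oct  6 22:22:42 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:4433 to [10.0.1.230]:25
Oct  6 22:22:45 mail postfix/postscreen[6784]: CONNECT from [223.240.208.137]:1485 to [10.0.1.230]:25
"""

SENDMAIL_LOG = """\
Oct  7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

# syslog timestamp, host, process tag, then the first bracketed dotted quad
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ \S+ .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_events(log, year=2017):
    """Return a list of (datetime, source_ip) for every line that parses.
    Syslog timestamps carry no year; 2017 is assumed from the thread."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"]))
    return events


def first_overload(events, limit=5, window=60):
    """Strict sliding-window model of 'max-src-conn-rate limit/window':
    the first event that makes one source exceed `limit` events within any
    `window`-second span is the one that would add it to the overload table.
    Returns (ip, "HH:MM:SS", count_in_window) or None if never exceeded."""
    recent = defaultdict(deque)
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        # Forget events that fell out of the window ending at this event.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit:
            return ip, ts.strftime("%H:%M:%S"), len(q)
    return None


if __name__ == "__main__":
    for name, log in (("postscreen", POSTSCREEN_LOG), ("sendmail", SENDMAIL_LOG)):
        print(name, first_overload(parse_events(log)))
```

For Doug's postscreen log the model flags 223.240.208.137 at 22:22:45 with six connections in 39 seconds, which matches the time at which the address appeared in the table and the first blocked packet six seconds later. For Dave's sendmail log it flags 37.49.224.104 at 15:22:45 (six disconnects in 57 seconds), so on a strict reading the limit should have engaged there too; but because those timestamps are disconnect times, the spacing of the actual SYNs is only approximately known, and the conclusive evidence is pf's own view. `pfctl -sS` lists the source-tracking entries (with per-source connection counts and rate) and `pfctl -vsr` shows per-rule state counters, which tells you whether the states are really being created by the rule that carries the limit: without `quick`, pf applies the last matching rule, and a later rule without source-track silently takes over. Doug's pflog capture also shows what `flush global` does: the blocked packets are bare ACKs (Flags [.]) from the same source port 4737, i.e. an already-established session whose state was killed when the source was overloaded, not merely a refused new SYN.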