From: Dave Horsfall
To: FreeBSD PF List
Date: Sun, 1 Oct 2017 11:10:20 +1100 (EST)
Subject: Rate-limiting in PF

10.3-RELEASE-p21

I am trying to restrict woodpecker attempts to my mail server (stupid spamware regards rejects and a long banner as a challenge), and following advice on this list I used the following (the important bit, anyway):

#
# No more than 10/IP, or 5/m should be plenty.
#
pass inet proto tcp from any to any port smtp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
    overload flush global)

And here is a sample log; I can see that the 10/IP works, but the 5/m does not seem to be blocking the 10s attempts:

Oct 1 09:40:44 aneurin sm-mta[73002]: v8UMeZml073002: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:40:55 aneurin sm-mta[73003]: v8UMejQm073003: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:06 aneurin sm-mta[73004]: v8UMeuVT073004: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:17 aneurin sm-mta[73005]: v8UMf6gp073005: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:28 aneurin sm-mta[73006]: v8UMfH58073006: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:40 aneurin sm-mta[73007]: v8UMfTfK073007: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:52 aneurin sm-mta[73008]: v8UMfgXH073008: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:03 aneurin sm-mta[73010]: v8UMfrxc073010: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:14 aneurin sm-mta[73011]: v8UMg4x4073011: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:25 aneurin sm-mta[73012]: v8UMgFNw073012: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

What have I done wrong? Does max-src-conn-rate actually work?

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
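As an added example that is not part of the original post or of pf itself, the following Python replays the sample log's connection timestamps through a strict sliding-window model of max-src-conn-rate 5/60 and reports the connection at which the rate is first exceeded (the sixth, at 09:41:40, since six connections fall within 60 seconds of 09:40:44). The sliding-window model is an assumption about what the rule asks for, not pf's kernel implementation; the six embedded log lines are taken from the post.

```python
"""Replay the post's sendmail log through a max-src-conn-rate model.

Added example, not code from the original post or from pf. Assumption:
a strict sliding window (5 new connections per 60 s, the rule's 5/60)
is a simplified model of the rule's intent, not pf's kernel code.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first six log lines quoted in the post.
SAMPLE_LOG = """\
Oct 1 09:40:44 aneurin sm-mta[73002]: v8UMeZml073002: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:40:55 aneurin sm-mta[73003]: v8UMejQm073003: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:06 aneurin sm-mta[73004]: v8UMeuVT073004: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:17 aneurin sm-mta[73005]: v8UMf6gp073005: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:28 aneurin sm-mta[73006]: v8UMfH58073006: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:40 aneurin sm-mta[73007]: v8UMfTfK073007: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

# syslog timestamp, host, sm-mta[pid]: queue-id: [src-ip] did not issue ...
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: \[([\d.]+)\] did not issue")


def parse_connections(log, year=2017):
    """Return {src_ip: [seconds since Jan 1 of `year`, ...]} in log order."""
    base = datetime(year, 1, 1)
    conns = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        conns[m.group(2)].append(int((ts - base).total_seconds()))
    return conns


def first_over_rate(times, limit=5, seconds=60):
    """0-based index of the first connection that puts more than `limit`
    connections inside the trailing `seconds` window, or None if never."""
    window = []
    for i, t in enumerate(times):
        window.append(t)
        window = [w for w in window if t - w < seconds]  # drop expired
        if len(window) > limit:
            return i
    return None
```

Connections 11 seconds apart are well over 5/60, so a source behaving like the one in the log should be the sixth new connection into an overload table under this model; if it is not, the place to look is the rule's counting and overload configuration rather than the spacing of the attempts.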