From owner-freebsd-pf@freebsd.org Mon Oct 9 04:28:51 2017
Date: Mon, 9 Oct 2017 07:28:40 +0300
From: Max
To: freebsd-pf@freebsd.org
Subject: Re: Rate-limiting in PF
Message-ID: <59de19ca-1b40-2397-6de3-59ded5ef28fa@als.nnov.ru>
References: <3dc9c2a9-ae68-1e56-d2b1-12530772690f@unsane.co.uk>

man pf.conf:

     For example, the following rules will protect the webserver against
     hosts making more than 100 connections in 10 seconds.  Any host *which
     connects faster than this rate* will have its address added to the
     table and have all states originating from it flushed.  Any new
     packets arriving from this host will be dropped unconditionally by
     the block rule.

           block quick from
           pass in on $ext_if proto tcp to $webserver port www keep state \
                 (max-src-conn-rate 100/10, overload flush global)

Check the output of "pfctl -sS".

07.10.2017 8:51, Dave Horsfall writes:
> On Thu, 5 Oct 2017, Dave Horsfall wrote:
>
>>> is anything added to the table (pfctl -t woodpeckers -T show)
>>
>> I have lots of them because I've been adding them by hand, but this
>> time I'll hold back and observe, just to be sure.
>
> No, they are not being added; here's an extract from the mail log:
>
> Oct  7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:07 aneurin sm-mta[6928]: v974MvjQ006928: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:18 aneurin sm-mta[6930]: v974N7c3006930: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:38 aneurin sm-mta[6931]: v974NRZM006931: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:49 aneurin sm-mta[6932]: v974NcYF006932: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> "pfctl -t woodpeckers -T show | grep 37.49.224.104" is empty.
>
> But wait...
>
> It looks for all the world like they are deliberately stopping after
> 5/m without getting blocked, waiting a bit, then starting up again...
> Either that, or the block is not "sticking" for some reason.
>
> Hence my question: can anyone state unequivocally that the rate
> limiting does indeed work (pref. with proof) and that I am doing
> something subtly wrong, and if so what is it?
>
> In the meantime, I've enabled logging on the rate-limited packets, to
> see if that sheds a little more light.
>
> If/when confirmed as a PF bug I'll report it accordingly, as I prefer
> to eliminate my own stupidity first :-)

From owner-freebsd-pf@freebsd.org Tue Oct 10 16:11:23 2017
Date: Tue, 10 Oct 2017 16:11:23 +0000
From: Mark Raynsford
To: freebsd-pf@freebsd.org
Subject: Specifying a range of ipv6 addresses?
Message-ID: <20171010161123.52808204@copperhead.int.arc7.info>
Organization: io7m.com

Hello.

What is the syntax for specifying a range of IPv6 addresses in rules?

I want to write rules of the form:

pass out log quick on $nic_ppp inet6 proto tcp from 2001:db8:8:10::/64 to any port 80 modulate state

But pf appears to treat 2001:db8:8:10::/64 as a single address (I
intended it to mean an entire subnet).

-- 
Mark Raynsford | http://www.io7m.com

From owner-freebsd-pf@freebsd.org Tue Oct 10 16:38:09 2017
Date: Tue, 10 Oct 2017 16:38:03 +0000
From: Mark Raynsford
To: freebsd-pf@freebsd.org
Subject: Re: Specifying a range of ipv6 addresses?
Message-ID: <20171010163736.7bfd6094@copperhead.int.arc7.info>
In-Reply-To: <20171010161123.52808204@copperhead.int.arc7.info>
References: <20171010161123.52808204@copperhead.int.arc7.info>
Organization: io7m.com

On 2017-10-10T16:11:23 +0000 Mark Raynsford wrote:
> Hello.
>
> What is the syntax for specifying a range of IPv6 addresses in rules?

Naturally, I didn't find the answer until I asked the question. The
syntax I was looking for is:

pass out log quick on $nic_ppp inet6 proto tcp \
  from 2001:db8:8:10:: - 2001:db8:8:10:ffff:ffff:ffff:ffff \
  to any port 80 modulate state

-- 
Mark Raynsford | http://www.io7m.com

From owner-freebsd-pf@freebsd.org Tue Oct 10 16:49:37 2017
Date: Tue, 10 Oct 2017 09:49:44 -0700
From: "Chris H"
Subject: Re: Specifying a range of ipv6 addresses?
In-Reply-To: <20171010161123.52808204@copperhead.int.arc7.info>
References: <20171010161123.52808204@copperhead.int.arc7.info>

On Tue, 10 Oct 2017 16:11:23 +0000 Mark Raynsford wrote
> Hello.
>
> What is the syntax for specifying a range of IPv6 addresses in rules?
>
> I want to write rules of the form:
>
> pass out log quick on $nic_ppp inet6 proto tcp from
> 2001:db8:8:10::/64 to any port 80 modulate state
>
> But pf appears to treat 2001:db8:8:10::/64 as a single address (I
> intended it to mean an entire subnet).

While I am filtering with pf(4), I have to admit I haven't used it to
filter IPv6 for a while. A search for an answer to your question seemed
to indicate the following two links may be of help/interest:

https://www.freebsd.org/doc/handbook/firewalls-pf.html
https://bash.cyberciti.biz/firewall/pf-ipv6-ipv4-firewall-for-freebsd-openbsd-netbsd/

HTH

--Chris

>
> --
> Mark Raynsford | http://www.io7m.com
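Back to the rate-limiting thread at the top of this digest: the following is an added illustration, not code from the thread or from pf, which replays the sm-mta timestamps Dave quoted against a model of pf's per-source connection-rate counter. The model follows my reading of pf_add_threshold()/pf_check_threshold() in pf.c (the count is scaled by 1000 and decays in proportion to the gap since the previous connection, so it is not a sliding window); the rule assumed is max-src-conn-rate 5/60, as Dave's "5/m" suggests, and the log year is assumed to be 2017 because the lines carry none.

```python
import re
from datetime import datetime

# The sm-mta lines Dave Horsfall quoted (the log carries no year; 2017 is assumed).
LOG = """\
Oct  7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:07 aneurin sm-mta[6928]: v974MvjQ006928: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:18 aneurin sm-mta[6930]: v974N7c3006930: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:38 aneurin sm-mta[6931]: v974NRZM006931: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:49 aneurin sm-mta[6932]: v974NcYF006932: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+ \[([\d.]+)\]")
PF_THRESHOLD_MULT = 1000  # pf keeps the count scaled by 1000 and uses integer maths

def connections_by_source(log, year=2017):
    """Map source address -> connection times (seconds) parsed from sm-mta lines."""
    by_src = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            by_src.setdefault(m.group(2), []).append(int((ts - datetime(year, 1, 1)).total_seconds()))
    return by_src

def pf_threshold_trips(times, limit, seconds):
    """pf's per-source counter as I read pf_add_threshold() in pf.c: it decays with the
    gap since the last connection (no sliding window).  Index of the first trip, or None."""
    count, last = 0, times[0]
    for i, t in enumerate(times):
        diff = t - last
        count = 0 if diff >= seconds else count - count * diff // seconds
        count += PF_THRESHOLD_MULT
        last = t
        if count > limit * PF_THRESHOLD_MULT:
            return i
    return None

def sliding_window_trips(times, limit, seconds):
    """The intuitive reading: more than `limit` connections in any `seconds`-wide window."""
    for i, t in enumerate(times):
        if sum(1 for u in times[:i + 1] if t - u < seconds) > limit:
            return i
    return None
```

With these timestamps a sliding window would flag the seventh connection, while the decaying counter never exceeds 5/60 (it peaks at 4706 of the 5000 needed), so nothing is added to the table; the same "5 connections" limit over 120 seconds trips on the seventh. The counter itself lives in the source-tracking entry, which is why "pfctl -sS" is the place to check what pf has actually counted for a source.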