From: Max <maximos@als.nnov.ru>
To: freebsd-pf@freebsd.org
Subject: Re: Rate-limiting in PF
Date: Mon, 9 Oct 2017 07:28:40 +0300
Message-ID: <59de19ca-1b40-2397-6de3-59ded5ef28fa@als.nnov.ru>
References: <3dc9c2a9-ae68-1e56-d2b1-12530772690f@unsane.co.uk>

man pf.conf:

     For example, the following rules will protect the webserver against hosts
     making more than 100 connections in 10 seconds.  Any host *which connects
     faster than this rate* will have its address added to the <bad_hosts>
     table and have all states originating from it flushed.  Any new packets
     arriving from this host will be dropped unconditionally by the block
     rule.

           block quick from <bad_hosts>
           pass in on $ext_if proto tcp to $webserver port www keep state \
                   (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

Check the output of "pfctl -sS".

07.10.2017 8:51, Dave Horsfall wrote:
> On Thu, 5 Oct 2017, Dave Horsfall wrote:
>
>>> is anything added to the table (pfctl -t woodpeckers -T show)
>>
>> I have lots of them because I've been adding them by hand, but this
>> time I'll hold back and observe, just to be sure.
>
> No, they are not being added; here's an extract from the mail log:
>
> Oct  7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:07 aneurin sm-mta[6928]: v974MvjQ006928: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:18 aneurin sm-mta[6930]: v974N7c3006930: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:38 aneurin sm-mta[6931]: v974NRZM006931: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  7 15:23:49 aneurin sm-mta[6932]: v974NcYF006932: [37.49.224.104]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> "pfctl -t woodpeckers -T show | grep 37.49.224.104" is empty.
>
> But wait...
>
> It looks for all the world like they are deliberately stopping after
> 5/m without getting blocked, waiting a bit, then starting up again...
> Either that, or the block is not "sticking" for some reason.
>
> Hence my question: can anyone state unequivocally that the rate
> limiting does indeed work (pref. with proof) and that I am doing
> something subtly wrong, and if so what is it?
>
> In the meantime, I've enabled logging on the rate-limited packets, to
> see if that sheds a little more light.
>
> If/when confirmed as a PF bug I'll report it accordingly, as I prefer
> to eliminate my own stupidity first :-)
>
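A quick way to settle the question Dave asks (did this source actually connect faster than the rule allows?) is to replay the mail log against the limit before suspecting pf. The script below is an added example for this thread, not code from Max, Dave or the pf project. It assumes sendmail lines in the format quoted above (the 37.49.224.104 entries are taken from the thread; the 203.0.113.7 burst is constructed), parses the timestamp and peer address, and reports each source at the first moment it has more than `limit` connections inside any `seconds`-long window, which is what pf.conf's "more than 100 connections in 10 seconds" means for `max-src-conn-rate 100/10`. It uses a strict sliding window; pf's own counter is a decaying moving average, so borderline cases can differ slightly.

```python
"""Offline check: would a source have exceeded a pf max-src-conn-rate
limit, judging from the mail server's connection log?

Added example for this list thread; not code from the posters or from
pf.  The strict sliding window used here approximates pf's decaying
moving-average counter.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Sendmail "did not issue MAIL/EXPN/VRFY/ETRN" lines as quoted in the
# thread (37.49.224.104), plus a CONSTRUCTED burst from the documentation
# address 203.0.113.7: six connections in five seconds.
SAMPLE_LOG = """\
Oct  7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:07 aneurin sm-mta[6928]: v974MvjQ006928: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:18 aneurin sm-mta[6930]: v974N7c3006930: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:38 aneurin sm-mta[6931]: v974NRZM006931: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:23:49 aneurin sm-mta[6932]: v974NcYF006932: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:30:00 aneurin sm-mta[7001]: vCONSTRUCTED01: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:30:01 aneurin sm-mta[7002]: vCONSTRUCTED02: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:30:02 aneurin sm-mta[7003]: vCONSTRUCTED03: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:30:03 aneurin sm-mta[7004]: vCONSTRUCTED04: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:30:04 aneurin sm-mta[7005]: vCONSTRUCTED05: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  7 15:30:05 aneurin sm-mta[7006]: vCONSTRUCTED06: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

# syslog timestamp, host, "sm-mta[pid]:", queue id, then the peer in brackets
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sm-mta\[\d+\]: "
    r"\S+: \[(?P<ip>[0-9.]+)\]"
)


def parse(lines):
    """Return a list of (timestamp, source_ip) for every matching log line.

    syslog lines carry no year, so the year is left at strptime's default;
    only differences between timestamps matter here."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def exceeders(events, limit, seconds):
    """Replay the events and report each source the first time it has more
    than `limit` connections inside a `seconds`-long window, i.e. the
    condition behind "max-src-conn-rate limit/seconds".

    Returns {ip: (timestamp_of_first_violation, connections_in_window)}."""
    windows = defaultdict(deque)
    hits = {}
    for ts, ip in sorted(events):
        window = windows[ip]
        window.append(ts)
        # drop connections that fell out of the window (strict sliding
        # window; pf's counter decays gradually instead, so this is an
        # approximation near the boundary)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) > limit and ip not in hits:
            hits[ip] = (ts, len(window))
    return hits


if __name__ == "__main__":
    events = parse(SAMPLE_LOG.splitlines())
    for limit, seconds in ((100, 10), (5, 60), (5, 10)):
        hits = exceeders(events, limit, seconds)
        print(f"max-src-conn-rate {limit}/{seconds}:")
        for ip, (ts, n) in sorted(hits.items()):
            print(f"  {ip} reached {n} connections within {seconds}s at {ts:%H:%M:%S}")
        if not hits:
            print("  no source exceeded the limit")
```

Two caveats when comparing this with what pf does. First, pf counts a connection toward `max-src-conn-rate` only once the TCP three-way handshake completes on a state created by the pass rule carrying that option; a sendmail line like the ones above means the handshake did complete, so if the source-tracking entry in `pfctl -sS` is not moving, the states are most likely being created by some other rule (an earlier matching rule, or one on a different interface) rather than the rate-limited one, and the per-rule counters in `pfctl -vsr` will show which rule is actually matching. Second, with the man-page limit of 100/10 nothing in this log is anywhere near the threshold; the 5/60 and 5/10 runs are there only to show how much the chosen interval changes the outcome for a slow, evenly spaced pattern like the one Dave quotes.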