Date:      Sat, 1 Apr 2017 01:20:31 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Dave Horsfall <dave@horsfall.org>, FreeBSD PF List <freebsd-pf@freebsd.org>
Subject:   Re: Getting auto-block to work
Message-ID:  <58DEE43F.9070807@quip.cz>
In-Reply-To: <alpine.BSF.2.20.1704010808150.81763@aneurin.horsfall.org>
References:  <alpine.BSF.2.20.1704010808150.81763@aneurin.horsfall.org>

Dave Horsfall wrote on 2017/03/31 23:29:
> Does anyone have a PF rule that actually blocks woodpeckers?  I have this
> rule:
>
>      pass inet proto tcp from any to any port smtp \
> 	flags S/SA keep state \
> 	(max-src-conn 10, max-src-conn-rate 2/20, \
> 	overload <woodpeckers> flush global)
>
> I understand that as being no more than twice in twenty seconds (which is
> amply generous by my reading of the RFC), but it's not working; for
> example, the latest problem-child is:
>
>      Date: Mar 31 00:04:10 (v2UD3uT2070289)
>      from=<return@manualpratico.info>
>      relay=server1.manualpratico.info [186.251.128.25]
>      reject=450 4.7.1 <dave@horsfall.org>... I greylist .info
>
>      Date: Mar 31 00:14:25 (v2UDEBaT070308)
>      from=<return@manualpratico.info>
>      relay=server1.manualpratico.info [186.251.128.25]
>      reject=450 4.7.1 <dave@horsfall.org>... I greylist .info
>
> continuing every 15 seconds (and I've seen much worse), which I have
> manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't
> PF supposed to do that for me?
>
> (And yes, Sendmail also has this non-working "feature", but that's OT.)

Are you sure that each delivery attempt is a separate TCP connection? SMTP
allows many messages in one open session.

I am using this for blocking SSH attacks:

# the table must be declared before the rules that reference it
table <ssh_bruteforce> persist

block drop in quick from <ssh_bruteforce> to any

pass in log on $ext_if proto tcp from any to { $ext_addr, $jail_addr } \
        port $ext_ssh flags S/SA keep state \
        (max-src-conn 6, max-src-conn-rate 6/60, overload <ssh_bruteforce> flush global)

Miroslav Lachman
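As an added illustration, not part of either message in this thread: a small Python model of the point above. pf's overload bookkeeping counts new state creations per source address (new TCP connections, the SYN matched by "flags S/SA"), so retries sent inside one open SMTP session never advance max-src-conn-rate, while separate reconnects do. The class, the 203.0.113.7 address and all timings are constructed, and the rate window is simplified compared to pf's real counter decay.

```python
# Added example, not from the thread: simplified model of pf's
# max-src-conn / max-src-conn-rate overload decision. Only new TCP
# connections (state creations) are counted per source; messages inside
# an established SMTP session create no state. The rate window is kept as
# exact timestamps; real pf decays a counter over the interval instead.
from collections import defaultdict, deque


class OverloadModel:
    def __init__(self, max_src_conn, rate_count, rate_seconds):
        self.max_src_conn = max_src_conn
        self.rate_count = rate_count
        self.rate_seconds = rate_seconds
        self.open = defaultdict(int)       # src -> concurrent states
        self.recent = defaultdict(deque)   # src -> times of recent new states
        self.table = set()                 # the <overload> table

    def connect(self, src, t):
        """New TCP connection from src at time t (seconds). Returns True if
        this connection pushed src into the overload table."""
        self.open[src] += 1
        window = self.recent[src]
        window.append(t)
        while t - window[0] > self.rate_seconds:
            window.popleft()
        if self.open[src] > self.max_src_conn or len(window) > self.rate_count:
            self.table.add(src)
            self.open[src] = 0             # "flush global": states are killed
            return True
        return False

    def message(self, src):
        """Another message on the same open session: no new state, no count."""
        return src in self.table


def single_session_retries():
    """One SMTP session with a retry every 15 s inside it: 2/20 never fires."""
    m = OverloadModel(max_src_conn=10, rate_count=2, rate_seconds=20)
    src = "186.251.128.25"               # the relay quoted in the thread
    m.connect(src, 0)
    for _ in range(20):
        m.message(src)
    return src in m.table                # False


def reconnect_burst():
    """Three separate connections within 20 s do exceed 2/20."""
    m = OverloadModel(max_src_conn=10, rate_count=2, rate_seconds=20)
    return [m.connect("203.0.113.7", t) for t in (0, 5, 10)]  # [False, False, True]
```

Whether a real peer behaves like the first or the second case is visible in "pfctl -s states" (one long-lived state versus many short ones) and in "pfctl -t woodpeckers -T show".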
