Date: Sat, 1 Apr 2017 01:04:17 +0100
From: Gary Palmer <gpalmer@freebsd.org>
To: Dave Horsfall
Cc: FreeBSD PF List <freebsd-pf@freebsd.org>
Subject: Re: Getting auto-block to work
Message-ID: <20170401000417.GC32477@in-addr.com>

On Sat, Apr 01, 2017 at 08:29:41AM +1100, Dave Horsfall wrote:
> Does anyone have a PF rule that actually blocks woodpeckers? I have this
> rule:
>
>     pass inet proto tcp from any to any port smtp \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 2/20, \
>         overload <woodpeckers> flush global)
>
> I understand that as being no more than twice in twenty seconds (which is
> amply generous by my reading of the RFC), but it's not working; for
> example, the latest problem-child is:
>
>     Date: Mar 31 00:04:10 (v2UD3uT2070289)
>     from=
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 ... I greylist .info
>
>     Date: Mar 31 00:14:25 (v2UDEBaT070308)
>     from=
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 ... I greylist .info
>
> continuing every 15 seconds (and I've seen much worse), which I have
> manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't
> PF supposed to do that for me?
>
> (And yes, Sendmail also has this non-working "feature", but that's OT.)

Are you sure those are new connections and that the remote side isn't just
doing RSET and trying again on the same connection? If it's not making new
connections, PF won't pick it up.

Regards,

Gary
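As an added illustration (not code from the thread), a small Python model of how a max-src-conn-rate 2/20 limit is evaluated over constructed connection events: only new TCP connections count, so a sender that keeps one connection open and issues RSET never reaches the threshold, which is Gary's point. A strict sliding window is assumed here, whereas pf.conf(5) describes the real rate as a moving-average approximation; the 192.0.2.x addresses, the event list and the year are constructed.

```python
from collections import defaultdict
from datetime import datetime


def parse_ts(stamp, year=2017):
    """Parse a syslog-style timestamp like 'Mar 31 00:04:10' (year assumed)."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def overloaded_sources(events, number=2, seconds=20):
    """Return {src: first timestamp at which src exceeded `number` NEW
    connections inside any window of `seconds`}, i.e. the sources that a
    max-src-conn-rate number/seconds rule would put in its overload table.
    Events are (stamp, src, kind); only kind == "connect" counts, because an
    SMTP RSET reuses the existing TCP connection and creates no new pf state."""
    connects = defaultdict(list)
    for stamp, src, kind in events:
        if kind == "connect":
            connects[src].append(parse_ts(stamp))
    tripped = {}
    for src, times in connects.items():
        times.sort()
        start = 0  # oldest connection still inside the window ending at times[i]
        for i, t in enumerate(times):
            while (t - times[start]).total_seconds() > seconds:
                start += 1
            if i - start + 1 > number:  # strictly more than `number` per window
                tripped[src] = t.strftime("%b %d %H:%M:%S")
                break
    return tripped


# Constructed sample (not from the thread): 192.0.2.10 opens a new connection
# every 15 s, 192.0.2.20 keeps one connection and sends RSET every 15 s,
# 192.0.2.30 opens a new connection every 5 s.
SAMPLE_EVENTS = [
    ("Mar 31 00:04:10", "192.0.2.10", "connect"),
    ("Mar 31 00:04:25", "192.0.2.10", "connect"),
    ("Mar 31 00:04:40", "192.0.2.10", "connect"),
    ("Mar 31 00:04:55", "192.0.2.10", "connect"),
    ("Mar 31 00:04:10", "192.0.2.20", "connect"),
    ("Mar 31 00:04:25", "192.0.2.20", "rset"),
    ("Mar 31 00:04:40", "192.0.2.20", "rset"),
    ("Mar 31 00:04:55", "192.0.2.20", "rset"),
    ("Mar 31 00:10:00", "192.0.2.30", "connect"),
    ("Mar 31 00:10:05", "192.0.2.30", "connect"),
    ("Mar 31 00:10:10", "192.0.2.30", "connect"),
]

if __name__ == "__main__":
    for src, when in overloaded_sources(SAMPLE_EVENTS).items():
        print(f"{src} exceeded 2/20 at {when}")  # prints only 192.0.2.30
```

Note that under a strict 20-second window a reconnect every 15 seconds is exactly two connections per window and does not exceed 2/20, so only the 5-second reconnector trips; tightening the rule to 1/20 catches the 15-second reconnector as well, while the RSET sender is never counted.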