Date:      Sat, 1 Apr 2017 01:04:17 +0100
From:      Gary Palmer <gpalmer@freebsd.org>
To:        Dave Horsfall <dave@horsfall.org>
Cc:        FreeBSD PF List <freebsd-pf@freebsd.org>
Subject:   Re: Getting auto-block to work
Message-ID:  <20170401000417.GC32477@in-addr.com>
In-Reply-To: <alpine.BSF.2.20.1704010808150.81763@aneurin.horsfall.org>
References:  <alpine.BSF.2.20.1704010808150.81763@aneurin.horsfall.org>

On Sat, Apr 01, 2017 at 08:29:41AM +1100, Dave Horsfall wrote:
> Does anyone have a PF rule that actually blocks woodpeckers?  I have this 
> rule:
> 
>     pass inet proto tcp from any to any port smtp \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 2/20, \
>         overload <woodpeckers> flush global)
> 
> I understand that as being no more than twice in twenty seconds (which is 
> amply generous by my reading of the RFC), but it's not working; for 
> example, the latest problem-child is:
> 
>     Date: Mar 31 00:04:10 (v2UD3uT2070289)
>     from=<return@manualpratico.info>
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 <dave@horsfall.org>... I greylist .info
> 
>     Date: Mar 31 00:14:25 (v2UDEBaT070308)
>     from=<return@manualpratico.info>
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 <dave@horsfall.org>... I greylist .info
> 
> continuing every 15 seconds (and I've seen much worse), which I have 
> manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't 
> PF supposed to do that for me?
> 
> (And yes, Sendmail also has this non-working "feature", but that's OT.)

Are you sure those are new connections and that the remote side isn't
just doing RSET and trying again on the same connection?  If it's 
not making new connections, PF won't pick it up.

Regards,

Gary
