From: "Chris H" <chrish@UltimateDNS.NET>
Subject: Re: Getting auto-block to work
Date: Fri, 31 Mar 2017 17:27:38 -0700
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

On Sat, 1 Apr 2017 08:29:41 +1100 (EST) Dave Horsfall wrote:

> Does anyone have a PF rule that actually blocks woodpeckers? I have this
> rule:
>
> pass inet proto tcp from any to any port smtp \
> flags S/SA keep state \
> (max-src-conn 10, max-src-conn-rate 2/20, \
> overload <woodpeckers> flush global)

I could never get that to work, either.

> I understand that as being no more than twice in twenty seconds (which is
> amply generous by my reading of the RFC), but it's not working; for
> example, the latest problem-child is:
>
> Date: Mar 31 00:04:10 (v2UD3uT2070289)
> from=
> relay=server1.manualpratico.info [186.251.128.25]
> reject=450 4.7.1 ... I greylist .info
>
> Date: Mar 31 00:14:25 (v2UDEBaT070308)
> from=
> relay=server1.manualpratico.info [186.251.128.25]
> reject=450 4.7.1 ... I greylist .info
>
> continuing every 15 seconds (and I've seen much worse) which I have
> manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't
> PF supposed to do that for me?
>
> (And yes, Sendmail also has this non-working "feature", but that's OT.)

OFF TOPIC

The following works famously for me in my (hostname).mc file:

FEATURE(greet_pause, `6000')

as does:

define(`confCONNECTION_RATE_THROTTLE', `2')

HTH

As for OT; I'd have sent it to you off list. But you're bouncing me.

--Chris
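An added example, written for this thread and not taken from Dave's rule or Chris's configuration: a minimal pf.conf fragment showing the overload pattern together with the two pieces the quoted pass rule does not supply on its own, a table definition and a rule that blocks addresses once they are in the table. The interface name em0 is an assumption; the table name woodpeckers matches the pfctl command quoted above.

```conf
# Added example for the overload pattern discussed above (not from the thread).
# em0 is an assumed interface name; adjust to the real external interface.
ext_if = "em0"

# The overload target must exist as a table.  "persist" keeps the table
# defined even while it is empty, so the rules below stay loadable.
table <woodpeckers> persist

# overload only ADDS a source address to the table; nothing is blocked unless
# some rule matches the table.  "quick" stops evaluation here, so the later
# pass rule never gets a chance to admit an overloaded source.
block in quick on $ext_if proto tcp from <woodpeckers> to any port smtp

# Source tracking: max-src-conn caps simultaneous established connections per
# source; max-src-conn-rate 2/20 trips when one source opens more than two new
# connections in a 20-second window (a moving average).  The counters only see
# connections whose state is created by THIS rule, so an earlier matching pass
# rule on the same traffic silently hides them from it.  "flush global" kills
# every existing state from the offending source, not just SMTP ones.
pass in on $ext_if inet proto tcp from any to any port smtp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 2/20, \
     overload <woodpeckers> flush global)
```

Three checks tell you which stage is failing: `pfctl -nf /etc/pf.conf` parses the ruleset without loading it; `pfctl -s sources` lists the per-source tracking entries the pass rule creates (if that stays empty while the woodpecker keeps connecting, its connections are not creating state through this rule at all, which is the usual reason the overload never fires); and `pfctl -t woodpeckers -T show` lists what overload has added, so an address that appears there but still gets through points at a missing or misordered block rule rather than at the rate limit.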